align with ECS fieldnames

2026-01-29 03:13:30 +01:00 · 2026-01-05 14:48:10 -06:00
parent a53619f10f
commit f2b7ffe0eb
2 changed files with 95 additions and 14 deletions
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -115,16 +115,16 @@ soc:
      ':kratos:':
        - soc_timestamp
        - event.dataset
-        - http_request.headers.x-real-ip
+        - http.request.headers.x-real-ip
        - user.name
-        - http_request.headers.user-agent
+        - http.useragent
        - msg
      ':hydra:':
        - soc_timestamp
        - event.dataset
-        - http_request.headers.x-real-ip
+        - http.request.headers.x-real-ip
        - user.name
-        - http_request.headers.user-agent
+        - http.useragent
        - msg
      '::conn':
        - soc_timestamp
@@ -1747,7 +1747,7 @@ soc:
              showSubtitle: true
            - name: SOC - Auth
              description: Users authenticated to SOC grouped by IP address and identity
-              query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip user.name'
+              query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip user.name'
              showSubtitle: true
            - name: SOC - App
              description: Logs generated by the Security Onion Console (SOC) server and modules
@@ -2027,10 +2027,10 @@ soc:
              query: '* | groupby event.category | groupby -sankey event.category event.module | groupby event.module | groupby -sankey event.module event.dataset | groupby event.dataset | groupby observer.name | groupby host.name | groupby source.ip | groupby destination.ip | groupby destination.port'
            - name: SOC Logins
              description: SOC (Security Onion Console) logins
-              query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip user.name | groupby user.name | groupby http_request.headers.user-agent'
+              query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip | groupby -sankey http.request.headers.x-real-ip user.name | groupby user.name | groupby http.useragent'
            - name: SOC Login Failures
              description: SOC (Security Onion Console) login failures
-              query: 'event.dataset:kratos.audit AND msg:*Encountered*self-service*login*error* | groupby user.name | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip http_request.headers.user-agent | groupby http_request.headers.user-agent'
+              query: 'event.dataset:kratos.audit AND msg:*Encountered*self-service*login*error* | groupby user.name | groupby http.request.headers.x-real-ip | groupby -sankey http.request.headers.x-real-ip http.useragent | groupby http.useragent'
            - name: Alerts
              description: Overview of all alerts
              query: 'tags:alert | groupby event.module* | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby rule.name | groupby event.severity | groupby destination.as.organization.name'