CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-01-25 17:33:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

align with ECS fieldnames

Browse Source
This commit is contained in:
reyesj2
2026-01-05 14:48:10 -06:00
parent a53619f10f
commit f2b7ffe0eb
2 changed files with 95 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
salt/elasticsearch/files/ingest/kratos
View File

@@ -1,9 +1,90 @@
{ {
"description" : "kratos", "description": "kratos",
"processors" : [ "processors": [
{"set":{"field":"audience","value":"access","override":false,"ignore_failure":true}}, {
{"set":{"field":"event.dataset","ignore_empty_value":true,"ignore_failure":true,"value":"kratos.{{{audience}}}","media_type":"text/plain"}}, "set": {
{"set":{"field":"event.action","ignore_failure":true,"copy_from":"msg" }}, "field": "audience",
{ "pipeline": { "name": "common" } } "value": "access",
] "override": false,
"ignore_failure": true
}
},
{
"set": {
"field": "event.dataset",
"ignore_empty_value": true,
"ignore_failure": true,
"value": "kratos.{{{audience}}}",
"media_type": "text/plain"
}
},
{
"set": {
"field": "event.action",
"ignore_failure": true,
"copy_from": "msg"
}
},
{
"rename": {
"field": "http_request",
"target_field": "http.request",
"ignore_failure": true,
"ignore_missing": true
}
},
{
"rename": {
"field": "http_response",
"target_field": "http.response",
"ignore_failure": true,
"ignore_missing": true
}
},
{
"rename": {
"field": "http.request.path",
"target_field": "http.uri",
"ignore_failure": true,
"ignore_missing": true
}
},
{
"rename": {
"field": "http.request.method",
"target_field": "http.method",
"ignore_failure": true,
"ignore_missing": true
}
},
{
"rename": {
"field": "http.request.method",
"target_field": "http.method",
"ignore_failure": true,
"ignore_missing": true
}
},
{
"rename": {
"field": "http.request.query",
"target_field": "http.query",
"ignore_failure": true,
"ignore_missing": true
}
},
{
"rename": {
"field": "http.request.headers.user-agent",
"target_field": "http.useragent",
"ignore_failure": true,
"ignore_missing": true
}
},
{
"pipeline": {
"name": "common"
}
}
]
} }

14
salt/soc/defaults.yaml
View File

@@ -115,16 +115,16 @@ soc:
':kratos:': ':kratos:':
- soc_timestamp - soc_timestamp
- event.dataset - event.dataset
- http_request.headers.x-real-ip - http.request.headers.x-real-ip
- user.name - user.name
- http_request.headers.user-agent - http.useragent
- msg - msg
':hydra:': ':hydra:':
- soc_timestamp - soc_timestamp
- event.dataset - event.dataset
- http_request.headers.x-real-ip - http.request.headers.x-real-ip
- user.name - user.name
- http_request.headers.user-agent - http.useragent
- msg - msg
'::conn': '::conn':
- soc_timestamp - soc_timestamp
@@ -1747,7 +1747,7 @@ soc:
showSubtitle: true showSubtitle: true
- name: SOC - Auth - name: SOC - Auth
description: Users authenticated to SOC grouped by IP address and identity description: Users authenticated to SOC grouped by IP address and identity
query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip user.name' query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip user.name'
showSubtitle: true showSubtitle: true
- name: SOC - App - name: SOC - App
description: Logs generated by the Security Onion Console (SOC) server and modules description: Logs generated by the Security Onion Console (SOC) server and modules
@@ -2027,10 +2027,10 @@ soc:
query: '* | groupby event.category | groupby -sankey event.category event.module | groupby event.module | groupby -sankey event.module event.dataset | groupby event.dataset | groupby observer.name | groupby host.name | groupby source.ip | groupby destination.ip | groupby destination.port' query: '* | groupby event.category | groupby -sankey event.category event.module | groupby event.module | groupby -sankey event.module event.dataset | groupby event.dataset | groupby observer.name | groupby host.name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SOC Logins - name: SOC Logins
description: SOC (Security Onion Console) logins description: SOC (Security Onion Console) logins
query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip user.name | groupby user.name | groupby http_request.headers.user-agent' query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip | groupby -sankey http.request.headers.x-real-ip user.name | groupby user.name | groupby http.useragent'
- name: SOC Login Failures - name: SOC Login Failures
description: SOC (Security Onion Console) login failures description: SOC (Security Onion Console) login failures
query: 'event.dataset:kratos.audit AND msg:*Encountered*self-service*login*error* | groupby user.name | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip http_request.headers.user-agent | groupby http_request.headers.user-agent' query: 'event.dataset:kratos.audit AND msg:*Encountered*self-service*login*error* | groupby user.name | groupby http.request.headers.x-real-ip | groupby -sankey http.request.headers.x-real-ip http.useragent | groupby http.useragent'
- name: Alerts - name: Alerts
description: Overview of all alerts description: Overview of all alerts
query: 'tags:alert | groupby event.module* | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby rule.name | groupby event.severity | groupby destination.as.organization.name' query: 'tags:alert | groupby event.module* | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby rule.name | groupby event.severity | groupby destination.as.organization.name'