From f44eee134a183aac60f15a15ee15ca202b097cc3 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 6 Dec 2022 16:52:20 +0000 Subject: [PATCH] Add default queries and ICS/SCADA queries --- salt/soc/defaults.yaml | 967 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 941 insertions(+), 26 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 0f41c32f2..cf7df887d 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1698,32 +1698,947 @@ soc: aggregationActionsEnabled: true eventFields: default: - - soc_timestamp - - rule.name - - event.severity_label - - source.ip - - source.port - - destination.ip - - destination.port - - rule.gid - - rule.uuid - - rule.category - - rule.rev - ':ossec:': - - soc_timestamp - - rule.name - - event.severity_label - - source.ip - - source.port - - destination.ip - - destination.port - - rule.level - - rule.category - - process.name - - user.name - - user.escalated - - location - - process.name + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - network.community_id + - event.dataset + ' :kratos:audit': + - soc_timestamp + - http_request.headers.x-real-ip + - identity_id + - http_request.headers.user-agent + ' ::conn': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.protocol + - log.id.uid + - network.community_id + ' ::dce_rpc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dce_rpc.endpoint + - dce_rpc.named_pipe + - dce_rpc.operation + - log.id.uid + ' ::dhcp': + - soc_timestamp + - client.address + - server.address + - host.domain + - host.hostname + - dhcp.message_types + - log.id.uid + ' ::dnp3': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dnp3.fc_request + - dnp3.fc_reply + - log.id.uid + ' ::dnp3_control': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dnp3.function_code + - dnp3.block_type + - log.id.uid + ' ::dnp3_objects': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dnp3.function_code + - dnp3.object_type + - log.id.uid + ' ::dns': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - dns.query.name + - dns.query.type_name + - dns.response.code_name + - log.id.uid + - network.community_id + ' ::dpd': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.protocol + - observer.analyser + - error.reason + - log.id.uid + ' ::file': + - soc_timestamp + - source.ip + - destination.ip + - file.name + - file.mime_type + - file.source + - file.bytes.total + - log.id.fuid + - log.id.uid + ' ::ftp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ftp.user + - ftp.command + - ftp.argument + - ftp.reply_code + - file.size + - log.id.uid + ' ::http': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - http.method + - http.virtual_host + - http.status_code + - http.status_message + - http.request.body.length + - http.response.body.length + - log.id.uid + - network.community_id + ' ::intel': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - intel.indicator + - intel.indicator_type + - intel.seen_where + - log.id.uid + ' ::irc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - irc.username + - irc.nickname + - irc.command.type + - irc.command.value + - irc.command.info + - log.id.uid + ' ::kerberos': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - kerberos.client + - kerberos.service + - kerberos.request_type + - log.id.uid + ' ::modbus': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - modbus.function + - log.id.uid + ' ::mysql': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - mysql.command + - mysql.argument + - mysql.success + - mysql.response + - log.id.uid + ' ::notice': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - notice.note + - notice.message + - log.id.fuid + - log.id.uid + - network.community_id + ' ::ntlm': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ntlm.name + - ntlm.success + - ntlm.server.dns.name + - ntlm.server.nb.name + - ntlm.server.tree.name + - log.id.uid + ' ::pe': + - soc_timestamp + - file.is_64bit + - file.is_exe + - file.machine + - file.os + - file.subsystem + - log.id.fuid + ' ::radius': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - username + - radius.framed_address + - radius.reply_message + - radius.result + ' ::rdp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rdp.client_build + - client_name + - rdp.cookie + - rdp.encryption_level + - rdp.encryption_method + - rdp.keyboard_layout + - rdp.result + - rdp.security_protocol + - log.id.uid + ' ::rfb': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rfb.authentication.method + - rfb.authentication.success + - rfb.share_flag + - rfb.desktop.name + - log.id.uid + ' ::signatures': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - note + - signature_id + - event_message + - sub_message + - signature_count + - host.count + - log.id.uid + ' ::sip': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - sip.method + - sip.uri + - sip.request.from + - sip.request.to + - sip.response.from + - sip.response.to + - sip.call_id + - sip.subject + - sip.user_agent + - sip.status_code + - log.id.uid + ' ::smb_files': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.fuid + - file.action + - file.path + - file.name + - file.size + - file.prev_name + - log.id.uid + ' ::smb_mapping': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - smb.path + - smb.service + - smb.share_type + - log.id.uid + ' ::smtp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - smtp.from + - smtp.recipient_to + - smtp.subject + - smtp.useragent + - log.id.uid + - network.community_id + ' ::snmp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - snmp.community + - snmp.version + - log.id.uid + ' ::socks': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - socks.name + - socks.request.host + - socks.request.port + - socks.status + - log.id.uid + ' ::software': + - soc_timestamp + - source.ip + - software.name + - software.type + ' ::ssh': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssh.version + - ssh.hassh_version + - ssh.direction + - ssh.client + - ssh.server + - log.id.uid + ' ::ssl': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssl.server_name + - ssl.certificate.subject + - ssl.validation_status + - ssl.version + - log.id.uid + ' :zeek:syslog': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - syslog.facility + - network.protocol + - syslog.severity + - log.id.uid + ' ::tunnels': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tunnel_type + - action + - log.id.uid + ' ::weird': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - weird.name + - log.id.uid + ' ::x509': + - soc_timestamp + - x509.certificate.subject + - x509.certificate.key.type + - x509.certificate.key.length + - x509.certificate.issuer + - log.id.fuid + ' ::firewall': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.direction + - interface.name + - rule.action + - rule.reason + - network.community_id + ' :osquery:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - process.executable + - user.name + ' :ossec:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.level + - rule.category + - process.name + - user.name + - user.escalated + - location + ' :strelka:file': + - soc_timestamp + - file.name + - file.size + - hash.md5 + - file.source + - file.mime_type + - log.id.fuid + ' :suricata:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.category + - event.severity_label + - log.id.uid + - network.community_id + ' :sysmon:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - process.executable + - user.name + ' :windows_eventlog:': + - soc_timestamp + - user.name + ' :elasticsearch:': + - soc_timestamp + - agent.name + - message + - log.level + - metadata.version + - metadata.pipeline + - event.dataset + ' :kibana:': + - soc_timestamp + - host.name + - message + - kibana.log.meta.req.headers.x-real-ip + - event.dataset + ' ::rootcheck': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + ' ::ossec': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + ' ::syscollector': + - soc_timestamp + - host.name + - metadata.ip_address + - wazuh.data.type + - log.full + - event.dataset + - event.module + ' :syslog:syslog': + - soc_timestamp + - host.name + - metadata.ip_address + - real_message + - syslog.priority + - syslog.application + ' :aws:': + - soc_timestamp + - aws.cloudtrail.event_category + - aws.cloudtrail.event_type + - event.provider + - event.action + - event.outcome + - cloud.region + - user.name + - source.ip + - source.geo.region_iso_code + ' :squid:': + - soc_timestamp + - url.original + - destination.ip + - destination.geo.country_iso_code + - user.name + - source.ip + ' ::process_terminated': + - soc_timestamp + - process.executable + - process.pid + - winlog.computer_name + ' ::file_create': + - soc_timestamp + - file.target + - process.executable + - process.pid + - winlog.computer_name + ' ::registry_value_set': + - soc_timestamp + - winlog.event_data.TargetObject + - process.executable + - process.pid + - winlog.computer_name + ' ::process_creation': + - soc_timestamp + - process.command_line + - process.pid + - process.parent.executable + - process.working_directory + ' ::registry_create_delete': + - soc_timestamp + - winlog.event_data.TargetObject + - process.executable + - process.pid + - winlog.computer_name + ' ::dns_query': + - soc_timestamp + - dns.query.name + - dns.answers.name + - process.executable + - winlog.computer_name + ' ::file_create_stream_hash': + - soc_timestamp + - file.target + - hash.md5 + - hash.sha256 + - process.executable + - process.pid + - winlog.computer_name + ' ::bacnet': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - bacnet.bclv.function + - bacnet.result.code + - log.id.uid + ' ::bacnet_discovery': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - bacnet.vendor + - bacnet.pdu.service + - log.id.uid + ' ::bacnet_property': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - bacnet.property + - bacnet.pdu.service + - log.id.uid + ' ::bsap_ip_header': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - bsap.message.type + - bsap.number.messages + - log.id.uid + ' ::bsap_ip_rdb': + - soc_timestamp + - bsap.application.function + - bsap.application.sub.function + - bsap.vector.variables + - log.id.uid + ' ::bsap_serial_header': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - bsap.source.function + - bsap.destination.function + - bsap.message.type + - log.id.uid + ' ::bsap_serial_rdb': + - soc_timestamp + - bsap.rdb.function + - bsap.vector.variables + - log.id.uid + ' ::cip': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - cip.service + - cip.status_code + - log.id.uid + - event.dataset + ' ::cip_identity': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - cip.device.type.name + - cip.vendor.name + - log.id.uid + ' ::cip_io': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - cip.connection.id + - cip.io.data + - log.id.uid + ' ::cotp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - cotp.pdu.name + - log.id.uid + ' ::ecat_arp_info': + - soc_timestamp + - source.ip + - destination.ip + - source.mac + - destination.mac + - ecat.arp.type + ' ::ecat_aoe_info': + - soc_timestamp + - source.mac + - source.port + - destination.mac + - destination.port + - ecat.command + ' ::ecat_coe_info': + - soc_timestamp + - ecat.message.number + - ecat.message.type + - ecat.request.response.type + - ecat.index + - ecat.sub.index + ' ::ecat_dev_info': + - soc_timestamp + - ecat.device.type + - ecat.features + - ecat.ram.size + - ecat.revision + - ecat.slave.address + ' ::ecat_log_address': + - soc_timestamp + - source.mac + - destination.mac + - ecat.command + ' ::ecat_registers': + - soc_timestamp + - source.mac + - destination.mac + - ecat.command + - ecat.register.type + ' ::enip': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - enip.command + - enip.status_code + - log.id.uid + - event.dataset + ' ::modbus_detailed': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - modbus.function + - log.id.uid + ' ::opcua_binary': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.identifier_string + - opcua.message_type + - log.id.uid + ' ::opcua_binary_activate_session': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.link_id + - opcua.identifier_string + - opcua.user_name + - log.id.uid + ' ::opcua_binary_activate_session_diagnostic_info': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.activate_session_diag_info_link_id + - opcua.diag_info_link_id + - log.id.uid + ' ::opcua_binary_activate_session_locale_id': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.local_id + - opcua.locale_link_id + - log.id.uid + ' ::opcua_binary_browse': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.link_id + - opcua.service_type + - log.id.uid + ' ::opcua_binary_browse_description': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + ' ::opcua_binary_browse_response_references': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.node_class + - opcua.display_name_text + - log.id.uid + ' ::opcua_binary_browse_result': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.response_link_id + - log.id.uid + ' ::opcua_binary_create_session': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.link_id + - log.id.uid + ' ::opcua_binary_create_session_endpoints': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.endpoint_link_id + - opcua.endpoint_url + - log.id.uid + ' ::opcua_binary_create_session_user_token': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.user_token_link_id + - log.id.uid + ' ::opcua_binary_create_subscription': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.link_id + - log.id.uid + ' ::opcua_binary_get_endpoints': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.endpoint_url + - opcua.link_id + - log.id.uid + ' ::opcua_binary_get_endpoints_description': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.endpoint_description_link_id + - opcua.endpoint_uri + - log.id.uid + ' ::opcua_binary_get_endpoints_user_token': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.user_token_link_id + - opcua.user_token_type + - log.id.uid + ' ::opcua_binary_read': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.link_id + - opcua.read_results_link_id + - log.id.uid + ' ::opcua_binary_status_code_detail': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.info_type_string + - opcua.source_string + - log.id.uid + ' ::profinet': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - profinet.index + - profinet.operation_type + - log.id.uid + ' ::profinet_dce_rpc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - profinet.operation + - log.id.uid + ' ::s7comm': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - s7.ros.control.name + - s7.function.name + - log.id.uid + ' ::s7comm_plus': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - s7.opcode.name + - s7.version + - log.id.uid + ' ::s7comm_read_szl': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - s7.szl_id_name + - s7.return_code_name + - log.id.uid + ' ::s7comm_upload_download': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - s7.ros.control.name + - s7.function_code + - log.id.uid + ' ::tds': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tds.command + - log.id.uid + - event.dataset + ' ::tds_rpc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tds.procedure_name + - log.id.uid + - event.dataset + ' ::tds_sql_batch': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tds.header_type + - log.id.uid + - event.dataset queryBaseFilter: event.dataset:alert queryToggleFilters: - name: acknowledged