CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add default queries and ICS/SCADA queries

Browse Source
This commit is contained in:
Wes
2022-12-06 16:52:20 +00:00
parent c741fe6b4d
commit f44eee134a
1 changed files with 941 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

967
salt/soc/defaults.yaml
View File

@@ -1698,32 +1698,947 @@ soc:
aggregationActionsEnabled: true aggregationActionsEnabled: true
eventFields: eventFields:
default: default:
- soc_timestamp - soc_timestamp
- rule.name - source.ip
- event.severity_label - source.port
- source.ip - destination.ip
- source.port - destination.port
- destination.ip - log.id.uid
- destination.port - network.community_id
- rule.gid - event.dataset
- rule.uuid ' :kratos:audit':
- rule.category - soc_timestamp
- rule.rev - http_request.headers.x-real-ip
':ossec:': - identity_id
- soc_timestamp - http_request.headers.user-agent
- rule.name ' ::conn':
- event.severity_label - soc_timestamp
- source.ip - source.ip
- source.port - source.port
- destination.ip - destination.ip
- destination.port - destination.port
- rule.level - network.transport
- rule.category - network.protocol
- process.name - log.id.uid
- user.name - network.community_id
- user.escalated ' ::dce_rpc':
- location - soc_timestamp
- process.name - source.ip
- source.port
- destination.ip
- destination.port
- dce_rpc.endpoint
- dce_rpc.named_pipe
- dce_rpc.operation
- log.id.uid
' ::dhcp':
- soc_timestamp
- client.address
- server.address
- host.domain
- host.hostname
- dhcp.message_types
- log.id.uid
' ::dnp3':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- dnp3.fc_request
- dnp3.fc_reply
- log.id.uid
' ::dnp3_control':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- dnp3.function_code
- dnp3.block_type
- log.id.uid
' ::dnp3_objects':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- dnp3.function_code
- dnp3.object_type
- log.id.uid
' ::dns':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- network.transport
- dns.query.name
- dns.query.type_name
- dns.response.code_name
- log.id.uid
- network.community_id
' ::dpd':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- network.protocol
- observer.analyser
- error.reason
- log.id.uid
' ::file':
- soc_timestamp
- source.ip
- destination.ip
- file.name
- file.mime_type
- file.source
- file.bytes.total
- log.id.fuid
- log.id.uid
' ::ftp':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- ftp.user
- ftp.command
- ftp.argument
- ftp.reply_code
- file.size
- log.id.uid
' ::http':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- http.method
- http.virtual_host
- http.status_code
- http.status_message
- http.request.body.length
- http.response.body.length
- log.id.uid
- network.community_id
' ::intel':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- intel.indicator
- intel.indicator_type
- intel.seen_where
- log.id.uid
' ::irc':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- irc.username
- irc.nickname
- irc.command.type
- irc.command.value
- irc.command.info
- log.id.uid
' ::kerberos':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- kerberos.client
- kerberos.service
- kerberos.request_type
- log.id.uid
' ::modbus':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- modbus.function
- log.id.uid
' ::mysql':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- mysql.command
- mysql.argument
- mysql.success
- mysql.response
- log.id.uid
' ::notice':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- notice.note
- notice.message
- log.id.fuid
- log.id.uid
- network.community_id
' ::ntlm':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- ntlm.name
- ntlm.success
- ntlm.server.dns.name
- ntlm.server.nb.name
- ntlm.server.tree.name
- log.id.uid
' ::pe':
- soc_timestamp
- file.is_64bit
- file.is_exe
- file.machine
- file.os
- file.subsystem
- log.id.fuid
' ::radius':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- log.id.uid
- username
- radius.framed_address
- radius.reply_message
- radius.result
' ::rdp':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- rdp.client_build
- client_name
- rdp.cookie
- rdp.encryption_level
- rdp.encryption_method
- rdp.keyboard_layout
- rdp.result
- rdp.security_protocol
- log.id.uid
' ::rfb':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- rfb.authentication.method
- rfb.authentication.success
- rfb.share_flag
- rfb.desktop.name
- log.id.uid
' ::signatures':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- note
- signature_id
- event_message
- sub_message
- signature_count
- host.count
- log.id.uid
' ::sip':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- sip.method
- sip.uri
- sip.request.from
- sip.request.to
- sip.response.from
- sip.response.to
- sip.call_id
- sip.subject
- sip.user_agent
- sip.status_code
- log.id.uid
' ::smb_files':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- log.id.fuid
- file.action
- file.path
- file.name
- file.size
- file.prev_name
- log.id.uid
' ::smb_mapping':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- smb.path
- smb.service
- smb.share_type
- log.id.uid
' ::smtp':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- smtp.from
- smtp.recipient_to
- smtp.subject
- smtp.useragent
- log.id.uid
- network.community_id
' ::snmp':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- snmp.community
- snmp.version
- log.id.uid
' ::socks':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- socks.name
- socks.request.host
- socks.request.port
- socks.status
- log.id.uid
' ::software':
- soc_timestamp
- source.ip
- software.name
- software.type
' ::ssh':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- ssh.version
- ssh.hassh_version
- ssh.direction
- ssh.client
- ssh.server
- log.id.uid
' ::ssl':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- ssl.server_name
- ssl.certificate.subject
- ssl.validation_status
- ssl.version
- log.id.uid
' :zeek:syslog':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- syslog.facility
- network.protocol
- syslog.severity
- log.id.uid
' ::tunnels':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- tunnel_type
- action
- log.id.uid
' ::weird':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- weird.name
- log.id.uid
' ::x509':
- soc_timestamp
- x509.certificate.subject
- x509.certificate.key.type
- x509.certificate.key.length
- x509.certificate.issuer
- log.id.fuid
' ::firewall':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- network.transport
- network.direction
- interface.name
- rule.action
- rule.reason
- network.community_id
' :osquery:':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- source.hostname
- event.dataset
- process.executable
- user.name
' :ossec:':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- rule.name
- rule.level
- rule.category
- process.name
- user.name
- user.escalated
- location
' :strelka:file':
- soc_timestamp
- file.name
- file.size
- hash.md5
- file.source
- file.mime_type
- log.id.fuid
' :suricata:':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- rule.name
- rule.category
- event.severity_label
- log.id.uid
- network.community_id
' :sysmon:':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- source.hostname
- event.dataset
- process.executable
- user.name
' :windows_eventlog:':
- soc_timestamp
- user.name
' :elasticsearch:':
- soc_timestamp
- agent.name
- message
- log.level
- metadata.version
- metadata.pipeline
- event.dataset
' :kibana:':
- soc_timestamp
- host.name
- message
- kibana.log.meta.req.headers.x-real-ip
- event.dataset
' ::rootcheck':
- soc_timestamp
- host.name
- metadata.ip_address
- log.full
- event.dataset
- event.module
' ::ossec':
- soc_timestamp
- host.name
- metadata.ip_address
- log.full
- event.dataset
- event.module
' ::syscollector':
- soc_timestamp
- host.name
- metadata.ip_address
- wazuh.data.type
- log.full
- event.dataset
- event.module
' :syslog:syslog':
- soc_timestamp
- host.name
- metadata.ip_address
- real_message
- syslog.priority
- syslog.application
' :aws:':
- soc_timestamp
- aws.cloudtrail.event_category
- aws.cloudtrail.event_type
- event.provider
- event.action
- event.outcome
- cloud.region
- user.name
- source.ip
- source.geo.region_iso_code
' :squid:':
- soc_timestamp
- url.original
- destination.ip
- destination.geo.country_iso_code
- user.name
- source.ip
' ::process_terminated':
- soc_timestamp
- process.executable
- process.pid
- winlog.computer_name
' ::file_create':
- soc_timestamp
- file.target
- process.executable
- process.pid
- winlog.computer_name
' ::registry_value_set':
- soc_timestamp
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
' ::process_creation':
- soc_timestamp
- process.command_line
- process.pid
- process.parent.executable
- process.working_directory
' ::registry_create_delete':
- soc_timestamp
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
' ::dns_query':
- soc_timestamp
- dns.query.name
- dns.answers.name
- process.executable
- winlog.computer_name
' ::file_create_stream_hash':
- soc_timestamp
- file.target
- hash.md5
- hash.sha256
- process.executable
- process.pid
- winlog.computer_name
' ::bacnet':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- bacnet.bclv.function
- bacnet.result.code
- log.id.uid
' ::bacnet_discovery':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- bacnet.vendor
- bacnet.pdu.service
- log.id.uid
' ::bacnet_property':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- bacnet.property
- bacnet.pdu.service
- log.id.uid
' ::bsap_ip_header':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- bsap.message.type
- bsap.number.messages
- log.id.uid
' ::bsap_ip_rdb':
- soc_timestamp
- bsap.application.function
- bsap.application.sub.function
- bsap.vector.variables
- log.id.uid
' ::bsap_serial_header':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- bsap.source.function
- bsap.destination.function
- bsap.message.type
- log.id.uid
' ::bsap_serial_rdb':
- soc_timestamp
- bsap.rdb.function
- bsap.vector.variables
- log.id.uid
' ::cip':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- cip.service
- cip.status_code
- log.id.uid
- event.dataset
' ::cip_identity':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- cip.device.type.name
- cip.vendor.name
- log.id.uid
' ::cip_io':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- cip.connection.id
- cip.io.data
- log.id.uid
' ::cotp':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- cotp.pdu.name
- log.id.uid
' ::ecat_arp_info':
- soc_timestamp
- source.ip
- destination.ip
- source.mac
- destination.mac
- ecat.arp.type
' ::ecat_aoe_info':
- soc_timestamp
- source.mac
- source.port
- destination.mac
- destination.port
- ecat.command
' ::ecat_coe_info':
- soc_timestamp
- ecat.message.number
- ecat.message.type
- ecat.request.response.type
- ecat.index
- ecat.sub.index
' ::ecat_dev_info':
- soc_timestamp
- ecat.device.type
- ecat.features
- ecat.ram.size
- ecat.revision
- ecat.slave.address
' ::ecat_log_address':
- soc_timestamp
- source.mac
- destination.mac
- ecat.command
' ::ecat_registers':
- soc_timestamp
- source.mac
- destination.mac
- ecat.command
- ecat.register.type
' ::enip':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- enip.command
- enip.status_code
- log.id.uid
- event.dataset
' ::modbus_detailed':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- modbus.function
- log.id.uid
' ::opcua_binary':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.identifier_string
- opcua.message_type
- log.id.uid
' ::opcua_binary_activate_session':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.link_id
- opcua.identifier_string
- opcua.user_name
- log.id.uid
' ::opcua_binary_activate_session_diagnostic_info':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.activate_session_diag_info_link_id
- opcua.diag_info_link_id
- log.id.uid
' ::opcua_binary_activate_session_locale_id':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.local_id
- opcua.locale_link_id
- log.id.uid
' ::opcua_binary_browse':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.link_id
- opcua.service_type
- log.id.uid
' ::opcua_binary_browse_description':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- log.id.uid
' ::opcua_binary_browse_response_references':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.node_class
- opcua.display_name_text
- log.id.uid
' ::opcua_binary_browse_result':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.response_link_id
- log.id.uid
' ::opcua_binary_create_session':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.link_id
- log.id.uid
' ::opcua_binary_create_session_endpoints':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.endpoint_link_id
- opcua.endpoint_url
- log.id.uid
' ::opcua_binary_create_session_user_token':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.user_token_link_id
- log.id.uid
' ::opcua_binary_create_subscription':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.link_id
- log.id.uid
' ::opcua_binary_get_endpoints':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.endpoint_url
- opcua.link_id
- log.id.uid
' ::opcua_binary_get_endpoints_description':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.endpoint_description_link_id
- opcua.endpoint_uri
- log.id.uid
' ::opcua_binary_get_endpoints_user_token':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.user_token_link_id
- opcua.user_token_type
- log.id.uid
' ::opcua_binary_read':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.link_id
- opcua.read_results_link_id
- log.id.uid
' ::opcua_binary_status_code_detail':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.info_type_string
- opcua.source_string
- log.id.uid
' ::profinet':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- profinet.index
- profinet.operation_type
- log.id.uid
' ::profinet_dce_rpc':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- profinet.operation
- log.id.uid
' ::s7comm':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- s7.ros.control.name
- s7.function.name
- log.id.uid
' ::s7comm_plus':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- s7.opcode.name
- s7.version
- log.id.uid
' ::s7comm_read_szl':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- s7.szl_id_name
- s7.return_code_name
- log.id.uid
' ::s7comm_upload_download':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- s7.ros.control.name
- s7.function_code
- log.id.uid
' ::tds':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- tds.command
- log.id.uid
- event.dataset
' ::tds_rpc':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- tds.procedure_name
- log.id.uid
- event.dataset
' ::tds_sql_batch':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- tds.header_type
- log.id.uid
- event.dataset
queryBaseFilter: event.dataset:alert queryBaseFilter: event.dataset:alert
queryToggleFilters: queryToggleFilters:
- name: acknowledged - name: acknowledged