From f559621f00cf5d4659a0ce38bfe58f86bbefd7c0 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 1 Jun 2020 07:48:50 -0400
Subject: [PATCH] add x509 issuer and subject groupby queries
---
 salt/soc/files/soc/soc.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index b1fd85f75..b99082f34 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -140,6 +140,8 @@
 { "name": "Tunnels", "description": "Tunnels grouped by action", "query": "event.module:zeek AND event.dataset:tunnels | groupby event.action"},
 { "name": "Weird", "description": "Zeek weird log grouped by name", "query": "event.module:zeek AND event.dataset:weird | groupby weird.name"},
 { "name": "x509", "description": "x.509 grouped by key length", "query": "event.module:zeek AND event.dataset:x509 | groupby x509.certificate.key.length"},
+ { "name": "x509", "description": "x.509 grouped by issuer", "query": "event.module:zeek AND event.dataset:x509 | groupby x509.certificate.issuer"},
+ { "name": "x509", "description": "x.509 grouped by subject", "query": "event.module:zeek AND event.dataset:x509 | groupby x509.certificate.subject"},
 { "name": "Firewall", "description": "Firewall events grouped by action", "query": "event_type:firewall | groupby action"}
 ]
 }
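Review bot: The two added entries reuse `"name": "x509"`, so the queries array now holds three objects with an identical name that differ only in their description and groupby field. Every other entry in the visible context has a unique name, and if the UI lists or looks up saved queries by name the issuer and subject variants will be indistinguishable from the key-length one, or one may shadow the others; whether name is treated as a key is not visible from this hunk. Giving them distinct names, e.g. `"name": "x509 Issuer"` and `"name": "x509 Subject"`, keeps the list self-describing and consistent with the neighbouring entries. The enclosing top-level object starts outside the hunk.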