From 7f488422b0deea50ba37a953dd0781c1dc9c45ae Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Tue, 2 Apr 2024 09:13:27 -0400
Subject: [PATCH 1/5] Add default columns

---
 salt/soc/defaults.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 9ec22b180..8b6bceef0 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2033,6 +2033,7 @@ soc:
 - so_detection.severity
 - so_detection.language
 - so_detection.ruleset
+ - soc_timestamp
 queries:
 - name: "All Detections"
 query: "_id:*"
@@ -2050,6 +2051,8 @@ soc:
 query: 'so_detection.language:sigma AND so_detection.content: "*product: windows*"'
 - name: "Detection Type - Yara (Strelka)"
 query: "so_detection.language:yara"
+ - name: "Security Onion - Grid Detections"
+ query: "so_detection.ruleset:securityonion-resources"
 detection:
 presets:
 severity:
From 505eeea66a1c368e2d2f0b9f1b40dd63eadc1bad Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Tue, 2 Apr 2024 09:39:54 -0400
Subject: [PATCH 2/5] Update defaults.yaml

---
 salt/soc/defaults.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 8b6bceef0..2d5881ffa 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -561,7 +561,7 @@ soc:
 - process.executable
 - user.name
 - event.dataset
- ':strelka:file':
+ ':strelka:':
 - soc_timestamp
 - file.name
 - file.size
From 6c2437f8ef2f9edadf2d2d774b7b8c717bc8b90e Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Tue, 2 Apr 2024 09:55:56 -0400
Subject: [PATCH 3/5] FEATURE: Add Events table columns for event.module playbook #12703

---
 salt/soc/defaults.yaml | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 2d5881ffa..a78ea88e1 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
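Review bot: The added `soc_timestamp` is appended as the last entry of the detections column list, whereas every other column set in this file that the later patches of this series touch (`':strelka:'`, `':playbook:'`, `':strelka:file'`, `':suricata:'`) puts `soc_timestamp` first. If list order is display order, the timestamp lands in the rightmost column of the Detections table; placing `- soc_timestamp` ahead of `- so_detection.severity` would match the convention. The start of that list is outside the hunk. In the second hunk, the new query hard-codes the ruleset name in `so_detection.ruleset:securityonion-resources`; it silently matches nothing if that ruleset is renamed, so a comment pointing at where the ruleset name is defined would help the next maintainer.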
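Review bot: The hunk renames the `':strelka:file':` key to `':strelka:':` instead of adding a second entry, so from this commit until PATCH 5/5 re-adds `':strelka:file':` the dataset-specific key does not exist in the file. Whether that matters depends on how the consumer resolves these keys — the `:module:dataset:` shape suggests a fallback from the specific to the module-level key, but that is inferred, not visible here — and if there is no fallback, strelka file events lose their column set in the intermediate state. Either squash this with PATCH 5/5 or add `':strelka:':` as a new entry here and keep the existing one. The column list under the key continues outside the hunk.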
@@ -1200,6 +1200,17 @@ soc:
 - soc_timestamp
 - event.dataset
 - message
+ ':playbook:':
+ - soc_timestamp
+ - rule.name
+ - event.severity_label
+ - event_data.event.dataset
+ - event_data.source.ip
+ - event_data.source.port
+ - event_data.destination.host
+ - event_data.destination.port
+ - event_data.process.executable
+ - event_data.process.pid
 server:
 bindAddress: 0.0.0.0:9822
 baseUrl: /
@@ -1876,11 +1887,13 @@ soc:
 - soc_timestamp
 - rule.name
 - event.severity_label
- - event_data.event.module
- - event_data.event.category
+ - event_data.event.dataset
+ - event_data.source.ip
+ - event_data.source.port
+ - event_data.destination.host
+ - event_data.destination.port
 - event_data.process.executable
 - event_data.process.pid
- - event_data.winlog.computer_name
 queryBaseFilter: tags:alert
 queryToggleFilters:
 - name: acknowledged
From b2b54ccf60724a3ed9ac591c638dd7902fdb17f7 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Tue, 2 Apr 2024 10:11:16 -0400
Subject: [PATCH 4/5] FEATURE: Add Events table columns for event.module strelka #12716

---
 salt/soc/defaults.yaml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index a78ea88e1..db98b6b2f 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1893,7 +1893,16 @@ soc:
 - event_data.destination.host
 - event_data.destination.port
 - event_data.process.executable
- - event_data.process.pid
+ - event_data.process.pid
+ ':strelka:':
+ - soc_timestamp
+ - file.name
+ - file.size
+ - hash.md5
+ - file.source
+ - file.mime_type
+ - log.id.fuid
+ - event.dataset
 queryBaseFilter: tags:alert
 queryToggleFilters:
 - name: acknowledged
From 2f03cbf11535b8b33190da15b2695d724df75336 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Tue, 2 Apr 2024 10:42:20 -0400
Subject: [PATCH 5/5] FEATURE: Add Events table columns for event.module strelka #12716

---
 salt/soc/defaults.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)
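Review bot: The ten-entry list added under `':playbook:':` at 1200 and the rewritten list in the second hunk at 1887 are identical, so they will drift apart unless something ties them together; a comment on each, e.g. `# keep in sync with the other ':playbook:' column set in this file`, would at least flag the duplication (the mapping the second list belongs to starts outside the hunk, so its key is not visible here). The pairing `event_data.source.ip` with `event_data.destination.host` is asymmetric; it is worth confirming that playbook alerts actually populate `destination.host` rather than `destination.ip`, because an unpopulated field shows up as an empty column on every row. Dropping `event_data.winlog.computer_name` also removes what appears to be the only column naming the reporting host in that list; if that is intended, it deserves a line in the commit description.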
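Review bot: `- event_data.process.pid` is removed and re-added with no visible difference, which points to a whitespace-only change (trailing whitespace or a changed indent) on that line; `git diff --check` or yamllint's `trailing-spaces` rule would confirm which. Because the new `':strelka:':` key is inserted right after that list item, its indentation must match the sibling key above it (not the list's `- ` level) — a key at the wrong column either fails to parse or nests under the wrong parent, and the hunk does not show the enclosing key. The eight columns added here are the same set PATCH 2/5 left under `':strelka:':` at line 561, making this the second copy of that list in the file; `# mirrors the ':strelka:' column set in the events-table section; keep in sync` on the new key would help keep them aligned.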
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index db98b6b2f..711bba8d6 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -570,6 +570,15 @@ soc:
 - file.mime_type
 - log.id.fuid
 - event.dataset
+ ':strelka:file':
+ - soc_timestamp
+ - file.name
+ - file.size
+ - hash.md5
+ - file.source
+ - file.mime_type
+ - log.id.fuid
+ - event.dataset
 ':suricata:':
 - soc_timestamp
 - source.ip
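Review bot: The new `':strelka:file':` list is entry-for-entry the `':strelka:':` list directly above it (the three context lines show that list's tail), which re-creates the dataset-specific key that PATCH 2/5 renamed away. If the consumer falls back from `:module:dataset:` to `:module:` when the specific key is absent — inferred from the key shape, not shown here — this entry is redundant and can be dropped; if it does not fall back, the duplicate is needed but should say so, e.g. `# ':strelka:file' intentionally mirrors ':strelka:'; keep both in sync`. Either way, a default list that is a verbatim copy of its neighbour is a maintenance trap the next column change will walk into.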