From f84ceca03e61b66767c3519370bc32fb420589e9 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 15 Dec 2022 14:22:23 -0500 Subject: [PATCH] consolidate eventFields from hunt and dashbaords into a single setting --- salt/soc/defaults.yaml | 2826 +++++++++++++------------------------ salt/soc/merged.map.jinja | 4 + salt/soc/soc_soc.yaml | 3 + 3 files changed, 949 insertions(+), 1884 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 298795039..ec78bff8b 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -49,6 +49,948 @@ soc: target: _blank links: - 'https://www.virustotal.com/gui/search/{value}' + eventFields: + default: + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - network.community_id + - event.dataset + ':kratos:audit': + - soc_timestamp + - http_request.headers.x-real-ip + - identity_id + - http_request.headers.user-agent + '::conn': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.protocol + - log.id.uid + - network.community_id + '::dce_rpc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dce_rpc.endpoint + - dce_rpc.named_pipe + - dce_rpc.operation + - log.id.uid + '::dhcp': + - soc_timestamp + - client.address + - server.address + - host.domain + - host.hostname + - dhcp.message_types + - log.id.uid + '::dnp3': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dnp3.fc_reply + - log.id.uid + '::dnp3_control': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dnp3.function_code + - dnp3.block_type + - log.id.uid + '::dnp3_objects': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dnp3.function_code + - dnp3.object_type + - log.id.uid + '::dns': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - dns.query.name + - dns.query.type_name + - dns.response.code_name + - log.id.uid + - network.community_id + '::dpd': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.protocol + - observer.analyser + - error.reason + - log.id.uid + '::file': + - soc_timestamp + - source.ip + - destination.ip + - file.name + - file.mime_type + - file.source + - file.bytes.total + - log.id.fuid + - log.id.uid + '::ftp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ftp.user + - ftp.command + - ftp.argument + - ftp.reply_code + - file.size + - log.id.uid + '::http': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - http.method + - http.virtual_host + - http.status_code + - http.status_message + - http.request.body.length + - http.response.body.length + - log.id.uid + - network.community_id + '::intel': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - intel.indicator + - intel.indicator_type + - intel.seen_where + - log.id.uid + '::irc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - irc.username + - irc.nickname + - irc.command.type + - irc.command.value + - irc.command.info + - log.id.uid + '::kerberos': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - kerberos.client + - kerberos.service + - kerberos.request_type + - log.id.uid + '::modbus': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - modbus.function + - log.id.uid + '::mysql': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - mysql.command + - mysql.argument + - mysql.success + - mysql.response + - log.id.uid + '::notice': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - notice.note + - notice.message + - log.id.fuid + - log.id.uid + - network.community_id + '::ntlm': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ntlm.name + - ntlm.success + - ntlm.server.dns.name + - ntlm.server.nb.name + - ntlm.server.tree.name + - log.id.uid + '::pe': + - soc_timestamp + - file.is_64bit + - file.is_exe + - file.machine + - file.os + - file.subsystem + - log.id.fuid + '::radius': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - username + - radius.framed_address + - radius.reply_message + - radius.result + '::rdp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rdp.client_build + - client_name + - rdp.cookie + - rdp.encryption_level + - rdp.encryption_method + - rdp.keyboard_layout + - rdp.result + - rdp.security_protocol + - log.id.uid + '::rfb': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rfb.authentication.method + - rfb.authentication.success + - rfb.share_flag + - rfb.desktop.name + - log.id.uid + '::signatures': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - note + - signature_id + - event_message + - sub_message + - signature_count + - host.count + - log.id.uid + '::sip': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - sip.method + - sip.uri + - sip.request.from + - sip.request.to + - sip.response.from + - sip.response.to + - sip.call_id + - sip.subject + - sip.user_agent + - sip.status_code + - log.id.uid + '::smb_files': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.fuid + - file.action + - file.path + - file.name + - file.size + - file.prev_name + - log.id.uid + '::smb_mapping': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - smb.path + - smb.service + - smb.share_type + - log.id.uid + '::smtp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - smtp.from + - smtp.recipient_to + - smtp.subject + - smtp.useragent + - log.id.uid + - network.community_id + '::snmp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - snmp.community + - snmp.version + - log.id.uid + '::socks': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - socks.name + - socks.request.host + - socks.request.port + - socks.status + - log.id.uid + '::software': + - soc_timestamp + - source.ip + - software.name + - software.type + '::ssh': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssh.version + - ssh.hassh_version + - ssh.direction + - ssh.client + - ssh.server + - log.id.uid + '::ssl': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssl.server_name + - ssl.certificate.subject + - ssl.validation_status + - ssl.version + - log.id.uid + ':zeek:syslog': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - syslog.facility + - network.protocol + - syslog.severity + - log.id.uid + '::tunnels': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tunnel_type + - action + - log.id.uid + '::weird': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - weird.name + - log.id.uid + '::x509': + - soc_timestamp + - x509.certificate.subject + - x509.certificate.key.type + - x509.certificate.key.length + - x509.certificate.issuer + - log.id.fuid + '::firewall': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.direction + - interface.name + - rule.action + - rule.reason + - network.community_id + ':osquery:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - process.executable + - user.name + ':ossec:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.level + - rule.category + - process.name + - user.name + - user.escalated + - location + ':strelka:file': + - soc_timestamp + - file.name + - file.size + - hash.md5 + - file.source + - file.mime_type + - log.id.fuid + ':suricata:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.category + - event.severity_label + - log.id.uid + - network.community_id + ':sysmon:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - process.executable + - user.name + ':windows_eventlog:': + - soc_timestamp + - user.name + ':elasticsearch:': + - soc_timestamp + - agent.name + - message + - log.level + - metadata.version + - metadata.pipeline + - event.dataset + ':kibana:': + - soc_timestamp + - host.name + - message + - kibana.log.meta.req.headers.x-real-ip + - event.dataset + '::rootcheck': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + '::ossec': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + '::syscollector': + - soc_timestamp + - host.name + - metadata.ip_address + - wazuh.data.type + - log.full + - event.dataset + - event.module + ':syslog:syslog': + - soc_timestamp + - host.name + - metadata.ip_address + - real_message + - syslog.priority + - syslog.application + ':aws:': + - soc_timestamp + - aws.cloudtrail.event_category + - aws.cloudtrail.event_type + - event.provider + - event.action + - event.outcome + - cloud.region + - user.name + - source.ip + - source.geo.region_iso_code + ':squid:': + - soc_timestamp + - url.original + - destination.ip + - destination.geo.country_iso_code + - user.name + - source.ip + '::process_terminated': + - soc_timestamp + - process.executable + - process.pid + - winlog.computer_name + '::file_create': + - soc_timestamp + - file.target + - process.executable + - process.pid + - winlog.computer_name + '::registry_value_set': + - soc_timestamp + - winlog.event_data.TargetObject + - process.executable + - process.pid + - winlog.computer_name + '::process_creation': + - soc_timestamp + - process.command_line + - process.pid + - process.parent.executable + - process.working_directory + '::registry_create_delete': + - soc_timestamp + - winlog.event_data.TargetObject + - process.executable + - process.pid + - winlog.computer_name + '::dns_query': + - soc_timestamp + - dns.query.name + - dns.answers.name + - process.executable + - winlog.computer_name + '::file_create_stream_hash': + - soc_timestamp + - file.target + - hash.md5 + - hash.sha256 + - process.executable + - process.pid + - winlog.computer_name + '::bacnet': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - bacnet.bclv.function + - bacnet.result.code + - log.id.uid + '::bacnet_discovery': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - bacnet.vendor + - bacnet.pdu.service + - log.id.uid + '::bacnet_property': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - bacnet.property + - bacnet.pdu.service + - log.id.uid + '::bsap_ip_header': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - bsap.message.type + - bsap.number.messages + - log.id.uid + '::bsap_ip_rdb': + - soc_timestamp + - bsap.application.function + - bsap.application.sub.function + - bsap.vector.variables + - log.id.uid + '::bsap_serial_header': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - bsap.source.function + - bsap.destination.function + - bsap.message.type + - log.id.uid + '::bsap_serial_rdb': + - soc_timestamp + - bsap.rdb.function + - bsap.vector.variables + - log.id.uid + '::cip': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - cip.service + - cip.status_code + - log.id.uid + - event.dataset + '::cip_identity': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - cip.device.type.name + - cip.vendor.name + - log.id.uid + '::cip_io': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - cip.connection.id + - cip.io.data + - log.id.uid + '::cotp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - cotp.pdu.name + - log.id.uid + '::ecat_arp_info': + - soc_timestamp + - source.ip + - destination.ip + - source.mac + - destination.mac + - ecat.arp.type + '::ecat_aoe_info': + - soc_timestamp + - source.mac + - source.port + - destination.mac + - destination.port + - ecat.command + '::ecat_coe_info': + - soc_timestamp + - ecat.message.number + - ecat.message.type + - ecat.request.response.type + - ecat.index + - ecat.sub.index + '::ecat_dev_info': + - soc_timestamp + - ecat.device.type + - ecat.features + - ecat.ram.size + - ecat.revision + - ecat.slave.address + '::ecat_log_address': + - soc_timestamp + - source.mac + - destination.mac + - ecat.command + '::ecat_registers': + - soc_timestamp + - source.mac + - destination.mac + - ecat.command + - ecat.register.type + '::enip': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - enip.command + - enip.status_code + - log.id.uid + - event.dataset + '::modbus_detailed': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - modbus.function + - log.id.uid + '::opcua_binary': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.identifier_string + - opcua.message_type + - log.id.uid + '::opcua_binary_activate_session': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.link_id + - opcua.identifier_string + - opcua.user_name + - log.id.uid + '::opcua_binary_activate_session_diagnostic_info': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.activate_session_diag_info_link_id + - opcua.diag_info_link_id + - log.id.uid + '::opcua_binary_activate_session_locale_id': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.local_id + - opcua.locale_link_id + - log.id.uid + '::opcua_binary_browse': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.link_id + - opcua.service_type + - log.id.uid + '::opcua_binary_browse_description': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + '::opcua_binary_browse_response_references': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.node_class + - opcua.display_name_text + - log.id.uid + '::opcua_binary_browse_result': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.response_link_id + - log.id.uid + '::opcua_binary_create_session': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.link_id + - log.id.uid + '::opcua_binary_create_session_endpoints': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.endpoint_link_id + - opcua.endpoint_url + - log.id.uid + '::opcua_binary_create_session_user_token': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.user_token_link_id + - log.id.uid + '::opcua_binary_create_subscription': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.link_id + - log.id.uid + '::opcua_binary_get_endpoints': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.endpoint_url + - opcua.link_id + - log.id.uid + '::opcua_binary_get_endpoints_description': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.endpoint_description_link_id + - opcua.endpoint_uri + - log.id.uid + '::opcua_binary_get_endpoints_user_token': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.user_token_link_id + - opcua.user_token_type + - log.id.uid + '::opcua_binary_read': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.link_id + - opcua.read_results_link_id + - log.id.uid + '::opcua_binary_status_code_detail': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.info_type_string + - opcua.source_string + - log.id.uid + '::profinet': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - profinet.index + - profinet.operation_type + - log.id.uid + '::profinet_dce_rpc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - profinet.operation + - log.id.uid + '::s7comm': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - s7.ros.control.name + - s7.function.name + - log.id.uid + '::s7comm_plus': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - s7.opcode.name + - s7.version + - log.id.uid + '::s7comm_read_szl': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - s7.szl_id_name + - s7.return_code_name + - log.id.uid + '::s7comm_upload_download': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - s7.ros.control.name + - s7.function_code + - log.id.uid + '::tds': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tds.command + - log.id.uid + - event.dataset + '::tds_rpc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tds.procedure_name + - log.id.uid + - event.dataset + '::tds_sql_batch': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tds.header_type + - log.id.uid + - event.dataset server: bindAddress: 0.0.0.0:9822 baseUrl: / @@ -161,948 +1103,6 @@ soc: ackEnabled: false escalateEnabled: true escalateRelatedEventsEnabled: true - eventFields: - default: - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.uid - - network.community_id - - event.dataset - ':kratos:audit': - - soc_timestamp - - http_request.headers.x-real-ip - - identity_id - - http_request.headers.user-agent - '::conn': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.transport - - network.protocol - - log.id.uid - - network.community_id - '::dce_rpc': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - dce_rpc.endpoint - - dce_rpc.named_pipe - - dce_rpc.operation - - log.id.uid - '::dhcp': - - soc_timestamp - - client.address - - server.address - - host.domain - - host.hostname - - dhcp.message_types - - log.id.uid - '::dnp3': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - dnp3.fc_reply - - log.id.uid - '::dnp3_control': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - dnp3.function_code - - dnp3.block_type - - log.id.uid - '::dnp3_objects': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - dnp3.function_code - - dnp3.object_type - - log.id.uid - '::dns': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.transport - - dns.query.name - - dns.query.type_name - - dns.response.code_name - - log.id.uid - - network.community_id - '::dpd': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.protocol - - observer.analyser - - error.reason - - log.id.uid - '::file': - - soc_timestamp - - source.ip - - destination.ip - - file.name - - file.mime_type - - file.source - - file.bytes.total - - log.id.fuid - - log.id.uid - '::ftp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ftp.user - - ftp.command - - ftp.argument - - ftp.reply_code - - file.size - - log.id.uid - '::http': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - http.method - - http.virtual_host - - http.status_code - - http.status_message - - http.request.body.length - - http.response.body.length - - log.id.uid - - network.community_id - '::intel': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - intel.indicator - - intel.indicator_type - - intel.seen_where - - log.id.uid - '::irc': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - irc.username - - irc.nickname - - irc.command.type - - irc.command.value - - irc.command.info - - log.id.uid - '::kerberos': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - kerberos.client - - kerberos.service - - kerberos.request_type - - log.id.uid - '::modbus': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - modbus.function - - log.id.uid - '::mysql': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - mysql.command - - mysql.argument - - mysql.success - - mysql.response - - log.id.uid - '::notice': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - notice.note - - notice.message - - log.id.fuid - - log.id.uid - - network.community_id - '::ntlm': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ntlm.name - - ntlm.success - - ntlm.server.dns.name - - ntlm.server.nb.name - - ntlm.server.tree.name - - log.id.uid - '::pe': - - soc_timestamp - - file.is_64bit - - file.is_exe - - file.machine - - file.os - - file.subsystem - - log.id.fuid - '::radius': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.uid - - username - - radius.framed_address - - radius.reply_message - - radius.result - '::rdp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rdp.client_build - - client_name - - rdp.cookie - - rdp.encryption_level - - rdp.encryption_method - - rdp.keyboard_layout - - rdp.result - - rdp.security_protocol - - log.id.uid - '::rfb': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rfb.authentication.method - - rfb.authentication.success - - rfb.share_flag - - rfb.desktop.name - - log.id.uid - '::signatures': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - note - - signature_id - - event_message - - sub_message - - signature_count - - host.count - - log.id.uid - '::sip': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - sip.method - - sip.uri - - sip.request.from - - sip.request.to - - sip.response.from - - sip.response.to - - sip.call_id - - sip.subject - - sip.user_agent - - sip.status_code - - log.id.uid - '::smb_files': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.fuid - - file.action - - file.path - - file.name - - file.size - - file.prev_name - - log.id.uid - '::smb_mapping': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - smb.path - - smb.service - - smb.share_type - - log.id.uid - '::smtp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - smtp.from - - smtp.recipient_to - - smtp.subject - - smtp.useragent - - log.id.uid - - network.community_id - '::snmp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - snmp.community - - snmp.version - - log.id.uid - '::socks': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - socks.name - - socks.request.host - - socks.request.port - - socks.status - - log.id.uid - '::software': - - soc_timestamp - - source.ip - - software.name - - software.type - '::ssh': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ssh.version - - ssh.hassh_version - - ssh.direction - - ssh.client - - ssh.server - - log.id.uid - '::ssl': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ssl.server_name - - ssl.certificate.subject - - ssl.validation_status - - ssl.version - - log.id.uid - ':zeek:syslog': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - syslog.facility - - network.protocol - - syslog.severity - - log.id.uid - '::tunnels': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - tunnel_type - - action - - log.id.uid - '::weird': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - weird.name - - log.id.uid - '::x509': - - soc_timestamp - - x509.certificate.subject - - x509.certificate.key.type - - x509.certificate.key.length - - x509.certificate.issuer - - log.id.fuid - '::firewall': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.transport - - network.direction - - interface.name - - rule.action - - rule.reason - - network.community_id - ':osquery:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - source.hostname - - event.dataset - - process.executable - - user.name - ':ossec:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rule.name - - rule.level - - rule.category - - process.name - - user.name - - user.escalated - - location - ':strelka:file': - - soc_timestamp - - file.name - - file.size - - hash.md5 - - file.source - - file.mime_type - - log.id.fuid - ':suricata:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rule.name - - rule.category - - event.severity_label - - log.id.uid - - network.community_id - ':sysmon:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - source.hostname - - event.dataset - - process.executable - - user.name - ':windows_eventlog:': - - soc_timestamp - - user.name - ':elasticsearch:': - - soc_timestamp - - agent.name - - message - - log.level - - metadata.version - - metadata.pipeline - - event.dataset - ':kibana:': - - soc_timestamp - - host.name - - message - - kibana.log.meta.req.headers.x-real-ip - - event.dataset - '::rootcheck': - - soc_timestamp - - host.name - - metadata.ip_address - - log.full - - event.dataset - - event.module - '::ossec': - - soc_timestamp - - host.name - - metadata.ip_address - - log.full - - event.dataset - - event.module - '::syscollector': - - soc_timestamp - - host.name - - metadata.ip_address - - wazuh.data.type - - log.full - - event.dataset - - event.module - ':syslog:syslog': - - soc_timestamp - - host.name - - metadata.ip_address - - real_message - - syslog.priority - - syslog.application - ':aws:': - - soc_timestamp - - aws.cloudtrail.event_category - - aws.cloudtrail.event_type - - event.provider - - event.action - - event.outcome - - cloud.region - - user.name - - source.ip - - source.geo.region_iso_code - ':squid:': - - soc_timestamp - - url.original - - destination.ip - - destination.geo.country_iso_code - - user.name - - source.ip - '::process_terminated': - - soc_timestamp - - process.executable - - process.pid - - winlog.computer_name - '::file_create': - - soc_timestamp - - file.target - - process.executable - - process.pid - - winlog.computer_name - '::registry_value_set': - - soc_timestamp - - winlog.event_data.TargetObject - - process.executable - - process.pid - - winlog.computer_name - '::process_creation': - - soc_timestamp - - process.command_line - - process.pid - - process.parent.executable - - process.working_directory - '::registry_create_delete': - - soc_timestamp - - winlog.event_data.TargetObject - - process.executable - - process.pid - - winlog.computer_name - '::dns_query': - - soc_timestamp - - dns.query.name - - dns.answers.name - - process.executable - - winlog.computer_name - '::file_create_stream_hash': - - soc_timestamp - - file.target - - hash.md5 - - hash.sha256 - - process.executable - - process.pid - - winlog.computer_name - '::bacnet': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - bacnet.bclv.function - - bacnet.result.code - - log.id.uid - '::bacnet_discovery': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - bacnet.vendor - - bacnet.pdu.service - - log.id.uid - '::bacnet_property': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - bacnet.property - - bacnet.pdu.service - - log.id.uid - '::bsap_ip_header': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - bsap.message.type - - bsap.number.messages - - log.id.uid - '::bsap_ip_rdb': - - soc_timestamp - - bsap.application.function - - bsap.application.sub.function - - bsap.vector.variables - - log.id.uid - '::bsap_serial_header': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - bsap.source.function - - bsap.destination.function - - bsap.message.type - - log.id.uid - '::bsap_serial_rdb': - - soc_timestamp - - bsap.rdb.function - - bsap.vector.variables - - log.id.uid - '::cip': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - cip.service - - cip.status_code - - log.id.uid - - event.dataset - '::cip_identity': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - cip.device.type.name - - cip.vendor.name - - log.id.uid - '::cip_io': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - cip.connection.id - - cip.io.data - - log.id.uid - '::cotp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - cotp.pdu.name - - log.id.uid - '::ecat_arp_info': - - soc_timestamp - - source.ip - - destination.ip - - source.mac - - destination.mac - - ecat.arp.type - '::ecat_aoe_info': - - soc_timestamp - - source.mac - - source.port - - destination.mac - - destination.port - - ecat.command - '::ecat_coe_info': - - soc_timestamp - - ecat.message.number - - ecat.message.type - - ecat.request.response.type - - ecat.index - - ecat.sub.index - '::ecat_dev_info': - - soc_timestamp - - ecat.device.type - - ecat.features - - ecat.ram.size - - ecat.revision - - ecat.slave.address - '::ecat_log_address': - - soc_timestamp - - source.mac - - destination.mac - - ecat.command - '::ecat_registers': - - soc_timestamp - - source.mac - - destination.mac - - ecat.command - - ecat.register.type - '::enip': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - enip.command - - enip.status_code - - log.id.uid - - event.dataset - '::modbus_detailed': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - modbus.function - - log.id.uid - '::opcua_binary': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.identifier_string - - opcua.message_type - - log.id.uid - '::opcua_binary_activate_session': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.link_id - - opcua.identifier_string - - opcua.user_name - - log.id.uid - '::opcua_binary_activate_session_diagnostic_info': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.activate_session_diag_info_link_id - - opcua.diag_info_link_id - - log.id.uid - '::opcua_binary_activate_session_locale_id': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.local_id - - opcua.locale_link_id - - log.id.uid - '::opcua_binary_browse': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.link_id - - opcua.service_type - - log.id.uid - '::opcua_binary_browse_description': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.uid - '::opcua_binary_browse_response_references': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.node_class - - opcua.display_name_text - - log.id.uid - '::opcua_binary_browse_result': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.response_link_id - - log.id.uid - '::opcua_binary_create_session': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.link_id - - log.id.uid - '::opcua_binary_create_session_endpoints': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.endpoint_link_id - - opcua.endpoint_url - - log.id.uid - '::opcua_binary_create_session_user_token': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.user_token_link_id - - log.id.uid - '::opcua_binary_create_subscription': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.link_id - - log.id.uid - '::opcua_binary_get_endpoints': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.endpoint_url - - opcua.link_id - - log.id.uid - '::opcua_binary_get_endpoints_description': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.endpoint_description_link_id - - opcua.endpoint_uri - - log.id.uid - '::opcua_binary_get_endpoints_user_token': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.user_token_link_id - - opcua.user_token_type - - log.id.uid - '::opcua_binary_read': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.link_id - - opcua.read_results_link_id - - log.id.uid - '::opcua_binary_status_code_detail': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.info_type_string - - opcua.source_string - - log.id.uid - '::profinet': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - profinet.index - - profinet.operation_type - - log.id.uid - '::profinet_dce_rpc': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - profinet.operation - - log.id.uid - '::s7comm': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - s7.ros.control.name - - s7.function.name - - log.id.uid - '::s7comm_plus': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - s7.opcode.name - - s7.version - - log.id.uid - '::s7comm_read_szl': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - s7.szl_id_name - - s7.return_code_name - - log.id.uid - '::s7comm_upload_download': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - s7.ros.control.name - - s7.function_code - - log.id.uid - '::tds': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - tds.command - - log.id.uid - - event.dataset - '::tds_rpc': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - tds.procedure_name - - log.id.uid - - event.dataset - '::tds_sql_batch': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - tds.header_type - - log.id.uid - - event.dataset queryBaseFilter: '' queryToggleFilters: - name: caseExcludeToggle @@ -1366,948 +1366,6 @@ soc: escalateEnabled: true escalateRelatedEventsEnabled: true aggregationActionsEnabled: false - eventFields: - default: - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.uid - - network.community_id - - event.dataset - ':kratos:audit': - - soc_timestamp - - http_request.headers.x-real-ip - - identity_id - - http_request.headers.user-agent - '::conn': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.transport - - network.protocol - - log.id.uid - - network.community_id - '::dce_rpc': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - dce_rpc.endpoint - - dce_rpc.named_pipe - - dce_rpc.operation - - log.id.uid - '::dhcp': - - soc_timestamp - - client.address - - server.address - - host.domain - - host.hostname - - dhcp.message_types - - log.id.uid - '::dnp3': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - dnp3.fc_reply - - log.id.uid - '::dnp3_control': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - dnp3.function_code - - dnp3.block_type - - log.id.uid - '::dnp3_objects': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - dnp3.function_code - - dnp3.object_type - - log.id.uid - '::dns': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.transport - - dns.query.name - - dns.query.type_name - - dns.response.code_name - - log.id.uid - - network.community_id - '::dpd': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.protocol - - observer.analyser - - error.reason - - log.id.uid - '::file': - - soc_timestamp - - source.ip - - destination.ip - - file.name - - file.mime_type - - file.source - - file.bytes.total - - log.id.fuid - - log.id.uid - '::ftp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ftp.user - - ftp.command - - ftp.argument - - ftp.reply_code - - file.size - - log.id.uid - '::http': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - http.method - - http.virtual_host - - http.status_code - - http.status_message - - http.request.body.length - - http.response.body.length - - log.id.uid - - network.community_id - '::intel': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - intel.indicator - - intel.indicator_type - - intel.seen_where - - log.id.uid - '::irc': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - irc.username - - irc.nickname - - irc.command.type - - irc.command.value - - irc.command.info - - log.id.uid - '::kerberos': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - kerberos.client - - kerberos.service - - kerberos.request_type - - log.id.uid - '::modbus': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - modbus.function - - log.id.uid - '::mysql': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - mysql.command - - mysql.argument - - mysql.success - - mysql.response - - log.id.uid - '::notice': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - notice.note - - notice.message - - log.id.fuid - - log.id.uid - - network.community_id - '::ntlm': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ntlm.name - - ntlm.success - - ntlm.server.dns.name - - ntlm.server.nb.name - - ntlm.server.tree.name - - log.id.uid - '::pe': - - soc_timestamp - - file.is_64bit - - file.is_exe - - file.machine - - file.os - - file.subsystem - - log.id.fuid - '::radius': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.uid - - username - - radius.framed_address - - radius.reply_message - - radius.result - '::rdp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rdp.client_build - - client_name - - rdp.cookie - - rdp.encryption_level - - rdp.encryption_method - - rdp.keyboard_layout - - rdp.result - - rdp.security_protocol - - log.id.uid - '::rfb': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rfb.authentication.method - - rfb.authentication.success - - rfb.share_flag - - rfb.desktop.name - - log.id.uid - '::signatures': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - note - - signature_id - - event_message - - sub_message - - signature_count - - host.count - - log.id.uid - '::sip': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - sip.method - - sip.uri - - sip.request.from - - sip.request.to - - sip.response.from - - sip.response.to - - sip.call_id - - sip.subject - - sip.user_agent - - sip.status_code - - log.id.uid - '::smb_files': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.fuid - - file.action - - file.path - - file.name - - file.size - - file.prev_name - - log.id.uid - '::smb_mapping': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - smb.path - - smb.service - - smb.share_type - - log.id.uid - '::smtp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - smtp.from - - smtp.recipient_to - - smtp.subject - - smtp.useragent - - log.id.uid - - network.community_id - '::snmp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - snmp.community - - snmp.version - - log.id.uid - '::socks': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - socks.name - - socks.request.host - - socks.request.port - - socks.status - - log.id.uid - '::software': - - soc_timestamp - - source.ip - - software.name - - software.type - '::ssh': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ssh.version - - ssh.hassh_version - - ssh.direction - - ssh.client - - ssh.server - - log.id.uid - '::ssl': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ssl.server_name - - ssl.certificate.subject - - ssl.validation_status - - ssl.version - - log.id.uid - ':zeek:syslog': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - syslog.facility - - network.protocol - - syslog.severity - - log.id.uid - '::tunnels': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - tunnel_type - - action - - log.id.uid - '::weird': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - weird.name - - log.id.uid - '::x509': - - soc_timestamp - - x509.certificate.subject - - x509.certificate.key.type - - x509.certificate.key.length - - x509.certificate.issuer - - log.id.fuid - '::firewall': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.transport - - network.direction - - interface.name - - rule.action - - rule.reason - - network.community_id - ':osquery:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - source.hostname - - event.dataset - - process.executable - - user.name - ':ossec:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rule.name - - rule.level - - rule.category - - process.name - - user.name - - user.escalated - - location - ':strelka:file': - - soc_timestamp - - file.name - - file.size - - hash.md5 - - file.source - - file.mime_type - - log.id.fuid - ':suricata:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rule.name - - rule.category - - event.severity_label - - log.id.uid - - network.community_id - ':sysmon:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - source.hostname - - event.dataset - - process.executable - - user.name - ':windows_eventlog:': - - soc_timestamp - - user.name - ':elasticsearch:': - - soc_timestamp - - agent.name - - message - - log.level - - metadata.version - - metadata.pipeline - - event.dataset - ':kibana:': - - soc_timestamp - - host.name - - message - - kibana.log.meta.req.headers.x-real-ip - - event.dataset - '::rootcheck': - - soc_timestamp - - host.name - - metadata.ip_address - - log.full - - event.dataset - - event.module - '::ossec': - - soc_timestamp - - host.name - - metadata.ip_address - - log.full - - event.dataset - - event.module - '::syscollector': - - soc_timestamp - - host.name - - metadata.ip_address - - wazuh.data.type - - log.full - - event.dataset - - event.module - ':syslog:syslog': - - soc_timestamp - - host.name - - metadata.ip_address - - real_message - - syslog.priority - - syslog.application - ':aws:': - - soc_timestamp - - aws.cloudtrail.event_category - - aws.cloudtrail.event_type - - event.provider - - event.action - - event.outcome - - cloud.region - - user.name - - source.ip - - source.geo.region_iso_code - ':squid:': - - soc_timestamp - - url.original - - destination.ip - - destination.geo.country_iso_code - - user.name - - source.ip - '::process_terminated': - - soc_timestamp - - process.executable - - process.pid - - winlog.computer_name - '::file_create': - - soc_timestamp - - file.target - - process.executable - - process.pid - - winlog.computer_name - '::registry_value_set': - - soc_timestamp - - winlog.event_data.TargetObject - - process.executable - - process.pid - - winlog.computer_name - '::process_creation': - - soc_timestamp - - process.command_line - - process.pid - - process.parent.executable - - process.working_directory - '::registry_create_delete': - - soc_timestamp - - winlog.event_data.TargetObject - - process.executable - - process.pid - - winlog.computer_name - '::dns_query': - - soc_timestamp - - dns.query.name - - dns.answers.name - - process.executable - - winlog.computer_name - '::file_create_stream_hash': - - soc_timestamp - - file.target - - hash.md5 - - hash.sha256 - - process.executable - - process.pid - - winlog.computer_name - '::bacnet': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - bacnet.bclv.function - - bacnet.result.code - - log.id.uid - '::bacnet_discovery': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - bacnet.vendor - - bacnet.pdu.service - - log.id.uid - '::bacnet_property': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - bacnet.property - - bacnet.pdu.service - - log.id.uid - '::bsap_ip_header': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - bsap.message.type - - bsap.number.messages - - log.id.uid - '::bsap_ip_rdb': - - soc_timestamp - - bsap.application.function - - bsap.application.sub.function - - bsap.vector.variables - - log.id.uid - '::bsap_serial_header': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - bsap.source.function - - bsap.destination.function - - bsap.message.type - - log.id.uid - '::bsap_serial_rdb': - - soc_timestamp - - bsap.rdb.function - - bsap.vector.variables - - log.id.uid - '::cip': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - cip.service - - cip.status_code - - log.id.uid - - event.dataset - '::cip_identity': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - cip.device.type.name - - cip.vendor.name - - log.id.uid - '::cip_io': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - cip.connection.id - - cip.io.data - - log.id.uid - '::cotp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - cotp.pdu.name - - log.id.uid - '::ecat_arp_info': - - soc_timestamp - - source.ip - - destination.ip - - source.mac - - destination.mac - - ecat.arp.type - '::ecat_aoe_info': - - soc_timestamp - - source.mac - - source.port - - destination.mac - - destination.port - - ecat.command - '::ecat_coe_info': - - soc_timestamp - - ecat.message.number - - ecat.message.type - - ecat.request.response.type - - ecat.index - - ecat.sub.index - '::ecat_dev_info': - - soc_timestamp - - ecat.device.type - - ecat.features - - ecat.ram.size - - ecat.revision - - ecat.slave.address - '::ecat_log_address': - - soc_timestamp - - source.mac - - destination.mac - - ecat.command - '::ecat_registers': - - soc_timestamp - - source.mac - - destination.mac - - ecat.command - - ecat.register.type - '::enip': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - enip.command - - enip.status_code - - log.id.uid - - event.dataset - '::modbus_detailed': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - modbus.function - - log.id.uid - '::opcua_binary': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.identifier_string - - opcua.message_type - - log.id.uid - '::opcua_binary_activate_session': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.link_id - - opcua.identifier_string - - opcua.user_name - - log.id.uid - '::opcua_binary_activate_session_diagnostic_info': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.activate_session_diag_info_link_id - - opcua.diag_info_link_id - - log.id.uid - '::opcua_binary_activate_session_locale_id': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.local_id - - opcua.locale_link_id - - log.id.uid - '::opcua_binary_browse': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.link_id - - opcua.service_type - - log.id.uid - '::opcua_binary_browse_description': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.uid - '::opcua_binary_browse_response_references': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.node_class - - opcua.display_name_text - - log.id.uid - '::opcua_binary_browse_result': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.response_link_id - - log.id.uid - '::opcua_binary_create_session': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.link_id - - log.id.uid - '::opcua_binary_create_session_endpoints': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.endpoint_link_id - - opcua.endpoint_url - - log.id.uid - '::opcua_binary_create_session_user_token': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.user_token_link_id - - log.id.uid - '::opcua_binary_create_subscription': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.link_id - - log.id.uid - '::opcua_binary_get_endpoints': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.endpoint_url - - opcua.link_id - - log.id.uid - '::opcua_binary_get_endpoints_description': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.endpoint_description_link_id - - opcua.endpoint_uri - - log.id.uid - '::opcua_binary_get_endpoints_user_token': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.user_token_link_id - - opcua.user_token_type - - log.id.uid - '::opcua_binary_read': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.link_id - - opcua.read_results_link_id - - log.id.uid - '::opcua_binary_status_code_detail': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.info_type_string - - opcua.source_string - - log.id.uid - '::profinet': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - profinet.index - - profinet.operation_type - - log.id.uid - '::profinet_dce_rpc': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - profinet.operation - - log.id.uid - '::s7comm': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - s7.ros.control.name - - s7.function.name - - log.id.uid - '::s7comm_plus': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - s7.opcode.name - - s7.version - - log.id.uid - '::s7comm_read_szl': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - s7.szl_id_name - - s7.return_code_name - - log.id.uid - '::s7comm_upload_download': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - s7.ros.control.name - - s7.function_code - - log.id.uid - '::tds': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - tds.command - - log.id.uid - - event.dataset - '::tds_rpc': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - tds.procedure_name - - log.id.uid - - event.dataset - '::tds_sql_batch': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - tds.header_type - - log.id.uid - - event.dataset queryBaseFilter: '' queryToggleFilters: - name: caseExcludeToggle diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 09f8c8926..1944aab41 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -50,3 +50,7 @@ {% do SOCMERGED.server.client.update({'job': {'actions': standard_actions}}) %} {% do SOCMERGED.server.client.alerts.update({'actions': standard_actions}) %} {% do SOCMERGED.server.client.cases.update({'actions': standard_actions}) %} + +{% set standard_eventFields = SOCMERGED.pop('eventFields') %} +{% do SOCMERGED.server.client.hunt.update({'eventFields': standard_eventFields}) %} +{% do SOCMERGED.server.client.dashboards.update({'eventFields': standard_eventFields}) %} diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 9c1fb5804..4ed5b3c26 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -43,6 +43,9 @@ soc: actions: description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True + eventFields: + description: A map of event metadata groupings to field lists. The field list specifies all the columns to show when displaying individual events (not groups). The event metadata grouping uses the format ":event.module:event.dataset". + global: True server: maxPacketCount: description: Maximum number of packets to show in the PCAP viewer. Larger values can cause more resource utilization on both the SOC server and the browser.