Merge pull request #9452 from Security-Onion-Solutions/feature/improve-dashboards-2.3

FEATURE: Improve SOC Dashboards #9450 2.3
This commit is contained in:
Doug Burks
2022-12-21 15:46:21 -05:00
committed by GitHub


@@ -1,9 +1,9 @@
[
{ "name": "Overview", "description": "Overview of all events", "query": "* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SOC Auth", "description": "SOC (Security Onion Console) authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"},
{ "name": "Overview", "description": "Overview of all events", "query": "* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "SOC Auth", "description": "SOC (Security Onion Console) authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"},
{ "name": "Elastalerts", "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name | groupby alert_info.type"},
{ "name": "Alerts", "description": "Overview of all alerts", "query": "event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "NIDS Alerts", "description": "NIDS alerts", "query": "event.category:network AND event.dataset:alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Alerts", "description": "Overview of all alerts", "query": "event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "NIDS Alerts", "description": "NIDS alerts", "query": "event.category:network AND event.dataset:alert | groupby rule.category | groupby -sankey source.ip destination.ip | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "Wazuh/OSSEC", "description": "Wazuh/OSSEC HIDS alerts and logs", "query": "event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full"},
{ "name": "Sysmon Overview", "description": "Overview of all Sysmon data types", "query": "event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Sysmon Registry", "description": "Registry changes captured by Sysmon", "query": "(event.dataset:registry_create_delete OR event.dataset:registry_value_set OR event.dataset:registry_key_value_rename) | groupby -sankey event.dataset winlog.computer_name | groupby winlog.computer_name | groupby event.dataset | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.executable winlog.event_data.TargetObject"},
@@ -11,43 +11,43 @@
{ "name": "Sysmon Process", "description": "Process activity captured by Sysmon", "query": "(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable"},
{ "name": "Sysmon File", "description": "File activity captured by Sysmon", "query": "(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable"},
{ "name": "Sysmon Network", "description": "Network activity captured by Sysmon", "query": "event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "Strelka", "description": "Strelka file analysis", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"},
{ "name": "Zeek Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Connections", "description": "Network connection metadata", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"},
{ "name": "DCE_RPC", "description": "DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "DHCP", "description": "DHCP (Dynamic Host Configuration Protocol) leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address"},
{ "name": "DNS", "description": "DNS (Domain Name System) queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "DPD", "description": "DPD (Dynamic Protocol Detection) errors", "query": "event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol"},
{ "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip"},
{ "name": "FTP", "description": "FTP (File Transfer Protocol) network metadata", "query": "event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "HTTP", "description": "HTTP (Hyper Text Transport Protocol) network metadata", "query": "event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Intel", "description": "Zeek Intel framework hits", "query": "event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "IRC", "description": "IRC (Internet Relay Chat) network metadata", "query": "event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Kerberos", "description": "Kerberos network metadata", "query": "event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "MySQL", "description": "MySQL network metadata", "query": "event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "NTLM", "description": "NTLM (New Technology LAN Manager) network metadata", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Strelka", "description": "Strelka file analysis", "query": "event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name"},
{ "name": "Zeek Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "Connections", "description": "Network connection metadata", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui"},
{ "name": "DCE_RPC", "description": "DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata", "query": "event.dataset:dce_rpc | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.operation | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "DHCP", "description": "DHCP (Dynamic Host Configuration Protocol) leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address"},
{ "name": "DNS", "description": "DNS (Domain Name System) queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby -sankey source.ip destination.ip | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "DPD", "description": "DPD (Dynamic Protocol Detection) errors", "query": "event.dataset:dpd | groupby error.reason | groupby network.protocol | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name"},
{ "name": "FTP", "description": "FTP (File Transfer Protocol) network metadata", "query": "event.dataset:ftp | groupby -sankey ftp.command destination.ip | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "HTTP", "description": "HTTP (Hyper Text Transport Protocol) network metadata", "query": "event.dataset:http | groupby http.method | groupby -sankey http.method http.virtual_host | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "Intel", "description": "Zeek Intel framework hits", "query": "event.dataset:intel | groupby intel.indicator | groupby -sankey source.ip intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "IRC", "description": "IRC (Internet Relay Chat) network metadata", "query": "event.dataset:irc | groupby irc.command.type | groupby -sankey irc.command.type irc.username | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "Kerberos", "description": "Kerberos network metadata", "query": "event.dataset:kerberos | groupby kerberos.service | groupby -sankey kerberos.service destination.ip | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "MySQL", "description": "MySQL network metadata", "query": "event.dataset:mysql | groupby mysql.command | groupby -sankey mysql.command destination.ip | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "NTLM", "description": "NTLM (New Technology LAN Manager) network metadata", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby -sankey source.ip destination.ip | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Osquery Live Queries", "description": "Osquery Live Query results", "query": "event.dataset:live_query | groupby host.hostname"},
{ "name": "PE", "description": "PE (Portable Executable) files transferred via network traffic", "query": "event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit"},
{ "name": "RADIUS", "description": "RADIUS (Remote Authentication Dial-In User Service) network metadata", "query": "event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "RDP", "description": "RDP (Remote Desktop Protocol) network metadata", "query": "event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "RFB", "description": "RFB (Remote Frame Buffer) network metadata", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "PE", "description": "PE (Portable Executable) files transferred via network traffic", "query": "event.dataset:pe | groupby file.machine | groupby -sankey file.machine file.os | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit"},
{ "name": "RADIUS", "description": "RADIUS (Remote Authentication Dial-In User Service) network metadata", "query": "event.dataset:radius | groupby -sankey user.name.keyword destination.ip | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "RDP", "description": "RDP (Remote Desktop Protocol) network metadata", "query": "event.dataset:rdp | groupby client.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "RFB", "description": "RFB (Remote Frame Buffer) network metadata", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "Signatures", "description": "Zeek signatures", "query": "event.dataset:signatures | groupby signature_id"},
{ "name": "SIP", "description": "SIP (Session Initiation Protocol) network metadata", "query": "event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SMB_Files", "description": "Files transferred via SMB (Server Message Block)", "query": "event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SMB_Mapping", "description": "SMB (Server Message Block) mapping network metadata", "query": "event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SMTP", "description": "SMTP (Simple Mail Transfer Protocol) network metadata", "query": "event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SNMP", "description": "SNMP (Simple Network Management Protocol) network metadata", "query": "event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Software", "description": "Software seen by Zeek via network traffic", "query": "event.dataset:software | groupby software.type | groupby software.name | groupby source.ip"},
{ "name": "SSH", "description": "SSH (Secure Shell) connections seen by Zeek", "query": "event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SSL", "description": "SSL/TLS network metadata", "query": "event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SIP", "description": "SIP (Session Initiation Protocol) network metadata", "query": "event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "SMB_Files", "description": "Files transferred via SMB (Server Message Block)", "query": "event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SMB_Mapping", "description": "SMB (Server Message Block) mapping network metadata", "query": "event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SMTP", "description": "SMTP (Simple Mail Transfer Protocol) network metadata", "query": "event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby -sankey source.ip destination.ip | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "SNMP", "description": "SNMP (Simple Network Management Protocol) network metadata", "query": "event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Software", "description": "Software seen by Zeek via network traffic", "query": "event.dataset:software | groupby -sankey software.type source.ip | groupby software.type | groupby software.name | groupby source.ip"},
{ "name": "SSH", "description": "SSH (Secure Shell) connections seen by Zeek", "query": "event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby -sankey source.ip destination.ip | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "SSL", "description": "SSL/TLS network metadata", "query": "event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby -sankey source.ip ssl.server_name | groupby ssl.server_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject"},
{ "name": "STUN", "description": "STUN (Session Traversal Utilities for NAT) network metadata", "query": "event.dataset:stun* | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby event.dataset"},
{ "name": "Syslog", "description": "Syslog logs", "query": "event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Syslog", "description": "Syslog logs", "query": "event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol"},
{ "name": "TDS", "description": "TDS (Tabular Data Stream) network metadata", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query"},
{ "name": "Tunnel", "description": "Tunnels seen by Zeek", "query": "event.dataset:tunnel | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port "},
{ "name": "Tunnel", "description": "Tunnels seen by Zeek", "query": "event.dataset:tunnel | groupby -sankey source.ip destination.ip | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name"},
{ "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby -sankey weird.name destination.ip | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
{ "name": "WireGuard", "description": "WireGuard VPN network metadata", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"},
{ "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby -sankey x509.certificate.key.length x509.san_dns | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"},
{ "name": "ICS Overview", "description": "Overview of ICS (Industrial Control Systems) network metadata", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"},
{ "name": "ICS BACnet", "description": "BACnet (Building Automation and Control Networks) network metadata", "query": "event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS BSAP", "description": "BSAP (Bristol Standard Asynchronous Protocol) network metadata", "query": "event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
@@ -60,5 +60,5 @@
{ "name": "ICS OPC UA", "description": "OPC UA (Unified Architecture) network metadata", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS Profinet", "description": "Profinet (Process Field Network) network metadata", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS S7", "description": "S7 (Siemens) network metadata", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"}
{ "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby -sankey rule.action interface.name | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"}
]
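Review bot: The new side keeps two dashboards for the same dataset — the entry starting `{ "name": "Zeek Notice"` and the one starting `{ "name": "Notice"` — and after this commit their queries are byte-identical (both gained `groupby -sankey notice.note destination.ip` and `groupby destination_geo.organization_name`); the commit edits both lines but does not collapse the duplicate, so they will keep drifting apart whenever one is changed. Dropping one entry, or giving the two distinct descriptions that explain why both exist, would remove that maintenance trap. Separately, the `destination_geo.organization_name` field appended to most entries uses an underscore-joined object while the same file addresses geo data as `destination.geo.country_name`; if the indexed field is actually the dotted ECS path, those groupby panels render empty without any error, so the name is worth confirming against the index mapping before release. The `-sankey http_request.headers.x-real-ip identity_id` panel on the SOC Auth line attributes logins to a proxy-supplied header, which is only meaningful when the front-end proxy overwrites that header from the real peer address; a short note in that dashboard's description would help analysts interpret it.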