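---
# Security Onion Console (SOC) / sensoroni server and client defaults.
#
# NOTE(review): the source of this file had all indentation collapsed onto a
# handful of very long lines, so it was not loadable as YAML at all. The
# nesting below is reconstructed from key order; the placement of `client`
# as a sibling of `server` (rather than a child of it) is an assumption to
# confirm against the consuming template.
soc:
  logFilename: /opt/sensoroni/logs/sensoroni-server.log

  # Context-menu actions offered on a field value in the UI. `{value}` is the
  # clicked value; `{:field}` references another field of the same event.
  # `|escape` and `|base64` are filters applied to the substituted value.
  actions:
    - name: actionHunt
      description: actionHuntHelp
      icon: fa-crosshairs
      # Bare value is YAML null; `_blank` below presumably opens a new tab — confirm.
      target:
      links:
        - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset'
    - name: actionCorrelate
      description: actionCorrelateHelp
      icon: fab fa-searchengin
      target:
      # Listed most-specific first; presumably the first link whose
      # referenced fields are all present is used — confirm.
      links:
        - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
        - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset'
        - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset'
        - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
        - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset'
        - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset'
        - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset'
    - name: actionPcap
      description: actionPcapHelp
      icon: fa-stream
      target:
      links:
        - '/joblookup?esid={:soc_id}&time={:@timestamp}'
        - '/joblookup?ncid={:network.community_id}&time={:@timestamp}'
      categories:
        - hunt
        - alerts
    - name: actionCyberChef
      description: actionCyberChefHelp
      icon: fas fa-bread-slice
      target: _blank
      links:
        - '/cyberchef/#input={value|base64}'
    # NOTE(review): the two external lookups below interpolate the raw value
    # into a third-party URL (no `|escape` filter, unlike actionHunt). The
    # clicked value leaves the SOC to an external site; presumably the link
    # handler URL-encodes it — confirm, and keep this in mind for sensitive
    # field values.
    - name: actionGoogle
      description: actionGoogleHelp
      icon: fab fa-google
      target: _blank
      links:
        - 'https://www.google.com/search?q={value}'
    - name: actionVirusTotal
      description: actionVirusTotalHelp
      icon: fa-external-link-alt
      target: _blank
      links:
        - 'https://www.virustotal.com/gui/search/{value}'

  server:
    # NOTE(review): binds every interface. Access to this port is expected to
    # be controlled outside this file (reverse proxy / host firewall) — confirm
    # it is not reachable directly from untrusted networks.
    bindAddress: 0.0.0.0:9822
    baseUrl: /
    maxPacketCount: 5000
    htmlDir: html
    airgapEnabled: false
    modules:
      cases: soc
      filedatastore:
        jobDir: jobs
      kratos:
        hostUrl:
      elastic:
        hostUrl:
        remoteHostUrls: []
        # Empty (null) placeholders; the deployment is expected to inject real
        # values rather than committing credentials here.
        username:
        password:
        # Quoted because a plain scalar may not start with `*`.
        index: '*:so-*,*:endgame-*'
        cacheMs: 300000
        # NOTE(review): TLS certificate verification toward Elasticsearch is
        # disabled; an on-path attacker between SOC and the cluster could read
        # or alter query traffic. Acceptable only for self-signed lab setups.
        verifyCert: false
        casesEnabled: true
        timeoutMs: 0
      influxdb:
        hostUrl:
        token: ''
        org: ''
        bucket: telegraf
        # NOTE(review): same caveat as elastic.verifyCert above.
        verifyCert: false
      salt:
        saltPipe: /opt/sensoroni/salt.pipe
      sostatus:
        refreshIntervalMs: 30000
        offlineThresholdMs: 900000
      statickeyauth:
        # Both empty by default. Semantics are not visible here; document
        # what anonymousCidr grants before populating it.
        anonymousCidr:
        apiKey:
      staticrbac:
        roleFiles:
          - rbac/permissions
          - rbac/roles
          - rbac/custom_roles
        userFiles:
          - rbac/users_roles

  client:
    docsUrl: https://docs.securityonion.net/en/2.3/
    cheatsheetUrl: https://github.com/Security-Onion-Solutions/securityonion-docs/raw/2.3/images/cheat-sheet/Security-Onion-Cheat-Sheet.pdf
    releaseNotesUrl: https://docs.securityonion.net/en/2.3/release-notes
    apiTimeoutMs: 0
    webSocketTimeoutMs: 0
    tipTimeoutMs: 0
    cacheExpirationMs: 0
    casesEnabled: true
    inactiveTools: ['toolUnused']
    # External tools linked from the SOC navigation. `description` values are
    # presumably i18n keys; note that toolElasticFleet and toolOsqueryManager
    # reuse the name as the description instead of a `...Help` key like the
    # others — confirm whether matching keys exist before changing them.
    tools:
      - name: toolKibana
        description: toolKibanaHelp
        icon: fa-external-link-alt
        target: so-kibana
        link: /kibana/
      - name: toolElasticFleet
        description: toolElasticFleet
        icon: fa-external-link-alt
        target: so-elastic-fleet
        link: /kibana/app/fleet/agents
      - name: toolOsqueryManager
        description: toolOsqueryManager
        icon: fa-external-link-alt
        target: so-osquery-manager
        link: /kibana/app/osquery/live_queries
      - name: toolGrafana
        description: toolGrafanaHelp
        icon: fa-external-link-alt
        target: so-grafana
        link: /grafana/d/so_overview
      - name: toolCyberchef
        description: toolCyberchefHelp
        icon: fa-external-link-alt
        target: so-cyberchef
        link: /cyberchef/
      - name: toolPlaybook
        description: toolPlaybookHelp
        icon: fa-external-link-alt
        target: so-playbook
        link: /playbook/projects/detection-playbooks/issues/
      - name: toolFleet
        description: toolFleetHelp
        icon: fa-external-link-alt
        target: so-fleet
        link: /fleet/
      - name: toolNavigator
        description: toolNavigatorHelp
        icon: fa-external-link-alt
        target: so-navigator
        link: /navigator/

    hunt:
      advanced: true
      groupItemsPerPage: 10
      groupFetchLimit: 10
      eventItemsPerPage: 10
      eventFetchLimit: 100
      relativeTimeValue: 24
      relativeTimeUnit: 30
      mostRecentlyUsedLimit: 5
      ackEnabled: false
      escalateEnabled: true
      escalateRelatedEventsEnabled: true
      # Columns shown per event type. Keys are ':module:dataset' selectors;
      # '::x' presumably matches dataset x under any module — confirm. This
      # mapping is duplicated verbatim under client.dashboards.eventFields;
      # edits must be mirrored there.
      eventFields:
        default:
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - log.id.uid
          - network.community_id
          - event.dataset
        ':kratos:audit':
          - soc_timestamp
          - http_request.headers.x-real-ip
          - identity_id
          - http_request.headers.user-agent
        '::conn':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - network.transport
          - network.protocol
          - log.id.uid
          - network.community_id
        '::dce_rpc':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - dce_rpc.endpoint
          - dce_rpc.named_pipe
          - dce_rpc.operation
          - log.id.uid
        '::dhcp':
          - soc_timestamp
          - client.address
          - server.address
          - host.domain
          - host.hostname
          - dhcp.message_types
          - log.id.uid
        '::dnp3':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - dnp3.fc_reply
          - log.id.uid
        '::dns':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - network.transport
          - dns.query.name
          - dns.query.type_name
          - dns.response.code_name
          - log.id.uid
          - network.community_id
        '::dpd':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - network.protocol
          - observer.analyser
          - error.reason
          - log.id.uid
        '::file':
          - soc_timestamp
          - source.ip
          - destination.ip
          - file.name
          - file.mime_type
          - file.source
          - file.bytes.total
          - log.id.fuid
          - log.id.uid
        '::ftp':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - ftp.user
          - ftp.command
          - ftp.argument
          - ftp.reply_code
          - file.size
          - log.id.uid
        '::http':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - http.method
          - http.virtual_host
          - http.status_code
          - http.status_message
          - http.request.body.length
          - http.response.body.length
          - log.id.uid
          - network.community_id
        '::intel':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - intel.indicator
          - intel.indicator_type
          - intel.seen_where
          - log.id.uid
        '::irc':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - irc.username
          - irc.nickname
          - irc.command.type
          - irc.command.value
          - irc.command.info
          - log.id.uid
        '::kerberos':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - kerberos.client
          - kerberos.service
          - kerberos.request_type
          - log.id.uid
        '::modbus':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - modbus.function
          - log.id.uid
        '::mysql':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - mysql.command
          - mysql.argument
          - mysql.success
          - mysql.response
          - log.id.uid
        '::notice':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - notice.note
          - notice.message
          - log.id.fuid
          - log.id.uid
          - network.community_id
        '::ntlm':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - ntlm.name
          - ntlm.success
          - ntlm.server.dns.name
          - ntlm.server.nb.name
          - ntlm.server.tree.name
          - log.id.uid
        '::pe':
          - soc_timestamp
          - file.is_64bit
          - file.is_exe
          - file.machine
          - file.os
          - file.subsystem
          - log.id.fuid
        '::radius':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - log.id.uid
          - username
          - radius.framed_address
          - radius.reply_message
          - radius.result
        '::rdp':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - rdp.client_build
          - client_name
          - rdp.cookie
          - rdp.encryption_level
          - rdp.encryption_method
          - rdp.keyboard_layout
          - rdp.result
          - rdp.security_protocol
          - log.id.uid
        '::rfb':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - rfb.authentication.method
          - rfb.authentication.success
          - rfb.share_flag
          - rfb.desktop.name
          - log.id.uid
        '::signatures':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - note
          - signature_id
          - event_message
          - sub_message
          - signature_count
          - host.count
          - log.id.uid
        '::sip':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - sip.method
          - sip.uri
          - sip.request.from
          - sip.request.to
          - sip.response.from
          - sip.response.to
          - sip.call_id
          - sip.subject
          - sip.user_agent
          - sip.status_code
          - log.id.uid
        '::smb_files':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - log.id.fuid
          - file.action
          - file.path
          - file.name
          - file.size
          - file.prev_name
          - log.id.uid
        '::smb_mapping':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - smb.path
          - smb.service
          - smb.share_type
          - log.id.uid
        '::smtp':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - smtp.from
          - smtp.recipient_to
          - smtp.subject
          - smtp.useragent
          - log.id.uid
          - network.community_id
        '::snmp':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - snmp.community
          - snmp.version
          - log.id.uid
        '::socks':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - socks.name
          - socks.request.host
          - socks.request.port
          - socks.status
          - log.id.uid
        '::software':
          - soc_timestamp
          - source.ip
          - software.name
          - software.type
        '::ssh':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - ssh.version
          - ssh.hassh_version
          - ssh.direction
          - ssh.client
          - ssh.server
          - log.id.uid
        '::ssl':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - ssl.server_name
          - ssl.certificate.subject
          - ssl.validation_status
          - ssl.version
          - log.id.uid
        ':zeek:syslog':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - syslog.facility
          - network.protocol
          - syslog.severity
          - log.id.uid
        '::tunnels':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - tunnel_type
          - action
          - log.id.uid
        '::weird':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - weird.name
          - log.id.uid
        '::x509':
          - soc_timestamp
          - x509.certificate.subject
          - x509.certificate.key.type
          - x509.certificate.key.length
          - x509.certificate.issuer
          - log.id.fuid
        '::firewall':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - network.transport
          - network.direction
          - interface.name
          - rule.action
          - rule.reason
          - network.community_id
        ':osquery:':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - source.hostname
          - event.dataset
          - process.executable
          - user.name
        ':ossec:':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - rule.name
          - rule.level
          - rule.category
          - process.name
          - user.name
          - user.escalated
          - location
        ':strelka:file':
          - soc_timestamp
          - file.name
          - file.size
          - hash.md5
          - file.source
          - file.mime_type
          - log.id.fuid
        ':suricata:':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - rule.name
          - rule.category
          - event.severity_label
          - log.id.uid
          - network.community_id
        ':sysmon:':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - source.hostname
          - event.dataset
          - process.executable
          - user.name
        ':windows_eventlog:':
          - soc_timestamp
          - user.name
        ':elasticsearch:':
          - soc_timestamp
          - agent.name
          - message
          - log.level
          - metadata.version
          - metadata.pipeline
          - event.dataset
        ':kibana:':
          - soc_timestamp
          - host.name
          - message
          - kibana.log.meta.req.headers.x-real-ip
          - event.dataset
        '::rootcheck':
          - soc_timestamp
          - host.name
          - metadata.ip_address
          - log.full
          - event.dataset
          - event.module
        '::ossec':
          - soc_timestamp
          - host.name
          - metadata.ip_address
          - log.full
          - event.dataset
          - event.module
        '::syscollector':
          - soc_timestamp
          - host.name
          - metadata.ip_address
          - wazuh.data.type
          - log.full
          - event.dataset
          - event.module
        ':syslog:syslog':
          - soc_timestamp
          - host.name
          - metadata.ip_address
          - real_message
          - syslog.priority
          - syslog.application
        ':aws:':
          - soc_timestamp
          - aws.cloudtrail.event_category
          - aws.cloudtrail.event_type
          - event.provider
          - event.action
          - event.outcome
          - cloud.region
          - user.name
          - source.ip
          - source.geo.region_iso_code
        ':squid:':
          - soc_timestamp
          - url.original
          - destination.ip
          - destination.geo.country_iso_code
          - user.name
          - source.ip
      queryBaseFilter:
      queryToggleFilters:
        - name: caseExcludeToggle
          # Was the plain scalar `NOT _index:\"*:so-case*\"` in the source,
          # which keeps the backslashes literally in YAML. Single-quoted here
          # so the value matches the dashboards copy of this toggle exactly —
          # confirm against the consumer if the backslashes were intentional.
          filter: 'NOT _index:"*:so-case*"'
          enabled: true
      # Saved Hunt queries. Each `query` is a SOC search expression:
      # a filter, then `| groupby <fields...>`.
      queries:
        - name: Default Query
          description: Show all events grouped by the origin host
          query: '* | groupby observer.name'
        - name: Log Type
          description: Show all events grouped by module and dataset
          query: '* | groupby event.module event.dataset'
        - name: SOC Auth
          description: Users authenticated to SOC grouped by IP address and identity
          query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id'
        - name: Elastalerts
          description: ''
          query: '_type:elastalert | groupby rule.name'
        - name: Alerts
          description: Show all alerts grouped by alert source
          query: 'event.dataset: alert | groupby event.module'
        - name: NIDS Alerts
          description: Show all NIDS alerts grouped by alert
          query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name'
        - name: Wazuh/OSSEC Alerts
          description: Show all Wazuh alerts at Level 5 or higher grouped by category
          query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name'
        - name: Wazuh/OSSEC Alerts
          description: Show all Wazuh alerts at Level 4 or lower grouped by category
          query: 'event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name'
        - name: Wazuh/OSSEC Users and Commands
          description: Show all Wazuh alerts grouped by username and command line
          query: 'event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line'
        - name: Wazuh/OSSEC Processes
          description: Show all Wazuh alerts grouped by process name
          query: 'event.module:ossec AND event.dataset:alert | groupby process.name'
        - name: Sysmon Events
          description: Show all Sysmon logs grouped by event type
          query: 'event.module:sysmon | groupby event.dataset'
        - name: Sysmon Usernames
          description: Show all Sysmon logs grouped by username
          # NOTE(review): the comma between groupby fields differs from the
          # space-separated form used by every other query here — confirm the
          # query parser accepts it.
          query: 'event.module:sysmon | groupby event.dataset, user.name.keyword'
        - name: Strelka
          description: Show all Strelka logs grouped by file type
          query: 'event.module:strelka | groupby file.mime_type'
        - name: Zeek Notice
          description: Show notices from Zeek
          query: 'event.dataset:notice | groupby notice.note notice.message'
        - name: Connections
          description: Connections grouped by IP and Port
          query: 'event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port'
        - name: Connections
          description: Connections grouped by Service
          query: 'event.dataset:conn | groupby network.protocol destination.port'
        - name: Connections
          description: Connections grouped by destination country
          query: 'event.dataset:conn | groupby destination.geo.country_name'
        - name: Connections
          description: Connections grouped by source country
          query: 'event.dataset:conn | groupby source.geo.country_name'
        - name: DCE_RPC
          description: DCE_RPC grouped by operation
          query: 'event.dataset:dce_rpc | groupby dce_rpc.operation'
        - name: DHCP
          description: DHCP leases
          query: 'event.dataset:dhcp | groupby host.hostname client.address'
        - name: DHCP
          description: DHCP grouped by message type
          query: 'event.dataset:dhcp | groupby dhcp.message_types'
        - name: DNP3
          description: DNP3 grouped by reply
          query: 'event.dataset:dnp3 | groupby dnp3.fc_reply'
        - name: DNS
          description: DNS queries grouped by port
          query: 'event.dataset:dns | groupby dns.query.name destination.port'
        - name: DNS
          description: DNS queries grouped by type
          query: 'event.dataset:dns | groupby dns.query.type_name destination.port'
        - name: DNS
          description: DNS queries grouped by response code
          query: 'event.dataset:dns | groupby dns.response.code_name destination.port'
        - name: DNS
          description: DNS highest registered domain
          query: 'event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port'
        - name: DNS
          description: DNS grouped by parent domain
          query: 'event.dataset:dns | groupby dns.parent_domain.keyword destination.port'
        - name: DPD
          description: Dynamic Protocol Detection errors
          query: 'event.dataset:dpd | groupby error.reason'
        - name: Files
          description: Files grouped by mimetype
          query: 'event.dataset:file | groupby file.mime_type source.ip'
        - name: Files
          description: Files grouped by source
          query: 'event.dataset:file | groupby file.source source.ip'
        - name: FTP
          description: FTP grouped by command and argument
          query: 'event.dataset:ftp | groupby ftp.command ftp.argument'
        - name: FTP
          description: FTP grouped by username and argument
          query: 'event.dataset:ftp | groupby ftp.user ftp.argument'
        - name: HTTP
          description: HTTP grouped by destination port
          query: 'event.dataset:http | groupby destination.port'
        - name: HTTP
          description: HTTP grouped by status code and message
          query: 'event.dataset:http | groupby http.status_code http.status_message'
        - name: HTTP
          description: HTTP grouped by method and user agent
          query: 'event.dataset:http | groupby http.method http.useragent'
        - name: HTTP
          description: HTTP grouped by virtual host
          query: 'event.dataset:http | groupby http.virtual_host'
        - name: HTTP
          description: HTTP with exe downloads
          query: 'event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host'
        - name: Intel
          description: Intel framework hits grouped by indicator
          query: 'event.dataset:intel | groupby intel.indicator.keyword'
        - name: IRC
          description: IRC grouped by command
          query: 'event.dataset:irc | groupby irc.command.type'
        - name: KERBEROS
          description: KERBEROS grouped by service
          query: 'event.dataset:kerberos | groupby kerberos.service'
        - name: MODBUS
          description: MODBUS grouped by function
          query: 'event.dataset:modbus | groupby modbus.function'
        - name: MYSQL
          description: MYSQL grouped by command
          query: 'event.dataset:mysql | groupby mysql.command'
        - name: NOTICE
          description: Zeek notice logs grouped by note and message
          query: 'event.dataset:notice | groupby notice.note notice.message'
        - name: NTLM
          description: NTLM grouped by computer name
          query: 'event.dataset:ntlm | groupby ntlm.server.dns.name'
        - name: Osquery Live Queries
          description: Osquery Live Query results grouped by computer name
          query: 'event.dataset:live_query | groupby host.hostname'
        - name: PE
          description: PE files list
          query: 'event.dataset:pe | groupby file.machine file.os file.subsystem'
        - name: RADIUS
          description: RADIUS grouped by username
          query: 'event.dataset:radius | groupby user.name.keyword'
        - name: RDP
          description: RDP grouped by client name
          query: 'event.dataset:rdp | groupby client.name'
        - name: RFB
          description: RFB grouped by desktop name
          query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword'
        - name: Signatures
          description: Zeek signatures grouped by signature id
          query: 'event.dataset:signatures | groupby signature_id'
        - name: SIP
          description: SIP grouped by user agent
          query: 'event.dataset:sip | groupby client.user_agent'
        - name: SMB_Files
          description: SMB files grouped by action
          query: 'event.dataset:smb_files | groupby file.action'
        - name: SMB_Mapping
          description: SMB mapping grouped by path
          query: 'event.dataset:smb_mapping | groupby smb.path'
        - name: SMTP
          description: SMTP grouped by subject
          query: 'event.dataset:smtp | groupby smtp.subject'
        - name: SNMP
          description: SNMP grouped by version and string
          query: 'event.dataset:snmp | groupby snmp.community snmp.version'
        - name: Software
          description: List of software seen on the network
          query: 'event.dataset:software | groupby software.type software.name'
        - name: SSH
          description: SSH grouped by version and client
          query: 'event.dataset:ssh | groupby ssh.version ssh.client'
        - name: SSL
          description: SSL grouped by version and server name
          query: 'event.dataset:ssl | groupby ssl.version ssl.server_name'
        - name: SYSLOG
          description: 'SYSLOG grouped by severity and facility '
          query: 'event.dataset:syslog | groupby syslog.severity_label syslog.facility_label'
        - name: Tunnel
          description: Tunnels grouped by type and action
          query: 'event.dataset:tunnel | groupby tunnel.type event.action'
        - name: Weird
          description: Zeek weird log grouped by name
          query: 'event.dataset:weird | groupby weird.name'
        - name: x509
          description: x.509 grouped by key length and name
          query: 'event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns'
        - name: x509
          description: x.509 grouped by name and issuer
          query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer'
        - name: x509
          description: x.509 grouped by name and subject
          query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.subject'
        - name: Firewall
          description: Firewall events grouped by action
          query: 'event.dataset:firewall | groupby rule.action'

    dashboards:
      advanced: true
      groupItemsPerPage: 10
      groupFetchLimit: 10
      eventItemsPerPage: 10
      eventFetchLimit: 100
      relativeTimeValue: 24
      relativeTimeUnit: 30
      mostRecentlyUsedLimit: 0
      ackEnabled: false
      escalateEnabled: true
      escalateRelatedEventsEnabled: true
      aggregationActionsEnabled: false
      # Identical to client.hunt.eventFields; keep the two in sync.
      eventFields:
        default:
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - log.id.uid
          - network.community_id
          - event.dataset
        ':kratos:audit':
          - soc_timestamp
          - http_request.headers.x-real-ip
          - identity_id
          - http_request.headers.user-agent
        '::conn':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - network.transport
          - network.protocol
          - log.id.uid
          - network.community_id
        '::dce_rpc':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - dce_rpc.endpoint
          - dce_rpc.named_pipe
          - dce_rpc.operation
          - log.id.uid
        '::dhcp':
          - soc_timestamp
          - client.address
          - server.address
          - host.domain
          - host.hostname
          - dhcp.message_types
          - log.id.uid
        '::dnp3':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - dnp3.fc_reply
          - log.id.uid
        '::dns':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - network.transport
          - dns.query.name
          - dns.query.type_name
          - dns.response.code_name
          - log.id.uid
          - network.community_id
        '::dpd':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - network.protocol
          - observer.analyser
          - error.reason
          - log.id.uid
        '::file':
          - soc_timestamp
          - source.ip
          - destination.ip
          - file.name
          - file.mime_type
          - file.source
          - file.bytes.total
          - log.id.fuid
          - log.id.uid
        '::ftp':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - ftp.user
          - ftp.command
          - ftp.argument
          - ftp.reply_code
          - file.size
          - log.id.uid
        '::http':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - http.method
          - http.virtual_host
          - http.status_code
          - http.status_message
          - http.request.body.length
          - http.response.body.length
          - log.id.uid
          - network.community_id
        '::intel':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - intel.indicator
          - intel.indicator_type
          - intel.seen_where
          - log.id.uid
        '::irc':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - irc.username
          - irc.nickname
          - irc.command.type
          - irc.command.value
          - irc.command.info
          - log.id.uid
        '::kerberos':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - kerberos.client
          - kerberos.service
          - kerberos.request_type
          - log.id.uid
        '::modbus':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - modbus.function
          - log.id.uid
        '::mysql':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - mysql.command
          - mysql.argument
          - mysql.success
          - mysql.response
          - log.id.uid
        '::notice':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - notice.note
          - notice.message
          - log.id.fuid
          - log.id.uid
          - network.community_id
        '::ntlm':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - ntlm.name
          - ntlm.success
          - ntlm.server.dns.name
          - ntlm.server.nb.name
          - ntlm.server.tree.name
          - log.id.uid
        '::pe':
          - soc_timestamp
          - file.is_64bit
          - file.is_exe
          - file.machine
          - file.os
          - file.subsystem
          - log.id.fuid
        '::radius':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - log.id.uid
          - username
          - radius.framed_address
          - radius.reply_message
          - radius.result
        '::rdp':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - rdp.client_build
          - client_name
          - rdp.cookie
          - rdp.encryption_level
          - rdp.encryption_method
          - rdp.keyboard_layout
          - rdp.result
          - rdp.security_protocol
          - log.id.uid
        '::rfb':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - rfb.authentication.method
          - rfb.authentication.success
          - rfb.share_flag
          - rfb.desktop.name
          - log.id.uid
        '::signatures':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - note
          - signature_id
          - event_message
          - sub_message
          - signature_count
          - host.count
          - log.id.uid
        '::sip':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - sip.method
          - sip.uri
          - sip.request.from
          - sip.request.to
          - sip.response.from
          - sip.response.to
          - sip.call_id
          - sip.subject
          - sip.user_agent
          - sip.status_code
          - log.id.uid
        '::smb_files':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - log.id.fuid
          - file.action
          - file.path
          - file.name
          - file.size
          - file.prev_name
          - log.id.uid
        '::smb_mapping':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - smb.path
          - smb.service
          - smb.share_type
          - log.id.uid
        '::smtp':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - smtp.from
          - smtp.recipient_to
          - smtp.subject
          - smtp.useragent
          - log.id.uid
          - network.community_id
        '::snmp':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - snmp.community
          - snmp.version
          - log.id.uid
        '::socks':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - socks.name
          - socks.request.host
          - socks.request.port
          - socks.status
          - log.id.uid
        '::software':
          - soc_timestamp
          - source.ip
          - software.name
          - software.type
        '::ssh':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - ssh.version
          - ssh.hassh_version
          - ssh.direction
          - ssh.client
          - ssh.server
          - log.id.uid
        '::ssl':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - ssl.server_name
          - ssl.certificate.subject
          - ssl.validation_status
          - ssl.version
          - log.id.uid
        ':zeek:syslog':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - syslog.facility
          - network.protocol
          - syslog.severity
          - log.id.uid
        '::tunnels':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - tunnel_type
          - action
          - log.id.uid
        '::weird':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - weird.name
          - log.id.uid
        '::x509':
          - soc_timestamp
          - x509.certificate.subject
          - x509.certificate.key.type
          - x509.certificate.key.length
          - x509.certificate.issuer
          - log.id.fuid
        '::firewall':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - network.transport
          - network.direction
          - interface.name
          - rule.action
          - rule.reason
          - network.community_id
        ':osquery:':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - source.hostname
          - event.dataset
          - process.executable
          - user.name
        ':ossec:':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - rule.name
          - rule.level
          - rule.category
          - process.name
          - user.name
          - user.escalated
          - location
        ':strelka:file':
          - soc_timestamp
          - file.name
          - file.size
          - hash.md5
          - file.source
          - file.mime_type
          - log.id.fuid
        ':suricata:':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - rule.name
          - rule.category
          - event.severity_label
          - log.id.uid
          - network.community_id
        ':sysmon:':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - source.hostname
          - event.dataset
          - process.executable
          - user.name
        ':windows_eventlog:':
          - soc_timestamp
          - user.name
        ':elasticsearch:':
          - soc_timestamp
          - agent.name
          - message
          - log.level
          - metadata.version
          - metadata.pipeline
          - event.dataset
        ':kibana:':
          - soc_timestamp
          - host.name
          - message
          - kibana.log.meta.req.headers.x-real-ip
          - event.dataset
        '::rootcheck':
          - soc_timestamp
          - host.name
          - metadata.ip_address
          - log.full
          - event.dataset
          - event.module
        '::ossec':
          - soc_timestamp
          - host.name
          - metadata.ip_address
          - log.full
          - event.dataset
          - event.module
        '::syscollector':
          - soc_timestamp
          - host.name
          - metadata.ip_address
          - wazuh.data.type
          - log.full
          - event.dataset
          - event.module
        ':syslog:syslog':
          - soc_timestamp
          - host.name
          - metadata.ip_address
          - real_message
          - syslog.priority
          - syslog.application
        ':aws:':
          - soc_timestamp
          - aws.cloudtrail.event_category
          - aws.cloudtrail.event_type
          - event.provider
          - event.action
          - event.outcome
          - cloud.region
          - user.name
          - source.ip
          - source.geo.region_iso_code
        ':squid:':
          - soc_timestamp
          - url.original
          - destination.ip
          - destination.geo.country_iso_code
          - user.name
          - source.ip
      queryBaseFilter:
      queryToggleFilters:
        # Was `caseExcludeToggle,` (trailing comma) in the source, which would
        # make the toggle name differ from the hunt copy; treated as a typo —
        # confirm nothing keys on the comma-suffixed name.
        - name: caseExcludeToggle
          filter: 'NOT _index:"*:so-case*"'
          enabled: true
      # Saved Dashboard queries. Several `groupby` clauses per query; the
      # `-sankey`, `-pie` and `-bar` flags select a chart type.
      queries:
        - name: Overview
          description: Overview of all events
          query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: SOC Auth
          description: Show all SOC authentication logs
          query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent'
        - name: Elastalerts
          description: Elastalert logs
          query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type'
        - name: Alerts
          description: Show all alerts
          query: 'event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: NIDS Alerts
          description: NIDS alerts
          query: 'event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: Wazuh/OSSEC
          description: Wazuh/OSSEC HIDS alerts and logs
          query: 'event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full'
        - name: Sysmon
          description: Sysmon logs
          query: 'event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line'
        - name: Strelka
          description: Strelka logs
          query: 'event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source'
        - name: Zeek Notice
          description: Zeek Notice logs
          query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: Connections
          description: Connection logs
          query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes'
        - name: DCE_RPC
          description: DCE_RPC logs
          query: 'event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: DHCP
          description: Dynamic Host Configuration Protocol leases
          query: 'event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address'
        - name: DNP3
          description: DNP3 logs
          query: 'event.dataset:dnp3 | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: DNS
          description: Domain Name System queries
          query: 'event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: DPD
          description: Dynamic Protocol Detection errors
          query: 'event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol'
        - name: Files
          description: Files seen in network traffic
          query: 'event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip'
        - name: FTP
          description: File Transfer Protocol logs
          query: 'event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: HTTP
          description: Hyper Text Transport Protocol logs
          query: 'event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: Intel
          description: Zeek Intel framework hits
          query: 'event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: IRC
          description: Internet Relay Chat logs
          query: 'event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: Kerberos
          description: Kerberos logs
          query: 'event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: MODBUS
          description: MODBUS logs
          query: 'event.dataset:modbus | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: MYSQL
          description: MYSQL logs
          query: 'event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: NOTICE
          description: Zeek notice logs
          query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: NTLM
          description: NTLM logs
          query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: Osquery Live Queries
          description: Osquery Live Query results
          query: 'event.dataset:live_query | groupby host.hostname'
        - name: PE
          description: PE files list
          query: 'event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'
        - name: RADIUS
          description: RADIUS logs
          query: 'event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: RDP
          description: RDP logs
          query: 'event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: RFB
          description: RFB logs
          query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: Signatures
          description: Zeek signatures
          query: 'event.dataset:signatures | groupby signature_id'
        - name: SIP
          description: SIP logs
          query: 'event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: SMB_Files
          description: SMB files
          query: 'event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: SMB_Mapping
          description: SMB mapping logs
          query: 'event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: SMTP
          description: SMTP logs
          query: 'event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: SNMP
          description: SNMP logs
          query: 'event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: Software
          description: List of software seen on the network by Zeek
          query: 'event.dataset:software | groupby software.type | groupby software.name | groupby source.ip'
        - name: SSH
          description: SSH connections seen by Zeek
          query: 'event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: SSL
          description: SSL logs
          query: 'event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port'
        - name: SYSLOG
          description: SYSLOG logs
          query: 'event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port'
        # NOTE(review): the source is cut off in the middle of this entry's
        # query value; the rest of the string, and any later entries, are not
        # visible here and are reproduced only as far as the source shows.
        - name: Tunnel
          description: Tunnels seen by Zeek
          query: 'event.dataset:tunnel | groupby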
tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port' - name: Weird description: Weird network traffic seen by Zeek query: 'event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port' - name: x509 description: x.509 certificates seen by Zeek query: 'event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer' - name: Firewall description: Firewall logs query: 'event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port' job: alerts: advanced: false groupItemsPerPage: 50 groupFetchLimit: 500 eventItemsPerPage: 50 eventFetchLimit: 500 relativeTimeValue: 24 relativeTimeUnit: 30 mostRecentlyUsedLimit: 5 ackEnabled: true escalateEnabled: true escalateRelatedEventsEnabled: true eventfields: default: - soc_timestamp - rule.name - event.severity_label - source.ip - source.port - destination.ip - destination.port - rule.gid - rule.uuid - rule.category - rule.rev ':ossec:': - soc_timestamp - rule.name - event.severity_label - source.ip - source.port - destination.ip - destination.port - rule.level - rule.category - process.name - user.name - user.escalated - location - process.name queryBaseFilter: event.dataset:alert queryToggleFilters: - name: acknowledged filter: event.acknowledged:true enabled: false exclusive: true - name: escalated filter: event.escalated:true enabled: false exclusive: true enablesToggles: - acknowledged queries: - name: 'Group By Name, Module' query: '* | groupby rule.name event.module event.severity_label' - name: 'Group By Sensor, Source IP/Port, Destination IP/Port, Name' query: '* | groupby observer.name source.ip source.port destination.ip destination.port rule.name 
network.community_id event.severity_label' - name: 'Group By Source IP, Name' query: '* | groupby source.ip rule.name event.severity_label' - name: 'Group By Source Port, Name' query: '* | groupby source.port rule.name event.severity_label' - name: 'Group By Destination IP, Name' query: '* | groupby destination.ip rule.name event.severity_label' - name: 'Group By Destination Port, Name' query: '* | groupby destination.port rule.name event.severity_label' - name: Ungroup query: '*' cases: advanced: false groupItemsPerPage: 50 groupFetchLimit: 100 eventItemsPerPage: 50 eventFetchLimit: 500 relativeTimeValue: 12 relativeTimeUnit: 60 mostRecentlyUsedLimit: 5 ackEnabled: false escalateEnabled: false escalateRelatedEventsEnabled: false viewEnabled: true createLink: /case/create eventFields: default: - soc_timestamp - so_case.title - so_case.status - so_case.severity - so_case.assigneeId - so_case.createTime queryBaseFilter: '_index:\"*:so-case\" AND so_kind:case' queryToggleFilters: [] queries: - name: Open Cases query: 'NOT so_case.status:closed AND NOT so_case.category:template' - name: Closed Cases query: 'so_case.status:closed AND NOT so_case.category:template' - name: My Open Cases query: 'NOT so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}' - name: My Closed Cases query: 'so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}' - name: Templates query: 'so_case.category:template' case: mostRecentlyUsedLimit: 5 renderAbbreviatedCount: 30 presets: artifactType: labels: - autonomous-system - domain - file - filename - fqdn - hash - ip - mail - mail_subject - other - regexp - registry - uri_path - url - user-agent customEnabled: true category: labels: - general - template customEnabled: true pap: labels: - white - green - amber - red customEnabled: false severity: labels: - low - medium - high - critical customEnabled: false status: labels: - new - in progress - closed customEnabled: false tags: 
labels: - false-positive - confirmed - pending customEnabled: true tlp: labels: - white - green - amber - red customEnabled: false