securityonion/salt/soc/defaults.yaml
Mike Reeves 2bd9dd80e2 Move In Day
2022-09-07 09:06:25 -04:00


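# Default SOC (sensoroni) configuration. The rendered page had lost its
# indentation; the nesting below follows the server/client layout the keys
# imply. Review notes are marked NOTE(review).
soc:
  logFilename: /opt/sensoroni/logs/sensoroni-server.log
  server:
    # Listens on every interface. Restrict to a local address or keep it behind
    # the reverse proxy / host firewall if this port is not meant to be reachable
    # directly.
    bindAddress: 0.0.0.0:9822
    baseUrl: /
    maxPacketCount: 5000
    htmlDir: html
    airgapEnabled: false
    modules:
      cases: soc
      filedatastore:
        jobDir: jobs
      kratos:
        # Empty value parses as null; expected to be filled in by the pillar.
        hostUrl:
      elastic:
        hostUrl:
        remoteHostUrls: []
        # Credentials are null here by default. Keep them out of this committed
        # file and supply them from the pillar / secret store.
        username:
        password:
        # Quoted because a plain scalar starting with '*' would be read as an alias.
        index: '*:so-*'
        cacheMs: 300000
        # TLS certificate verification is disabled by default. Set to true
        # wherever Elasticsearch presents a certificate the SOC host trusts.
        verifyCert: false
        casesEnabled: true
        # NOTE(review): 0 presumably means "no timeout" / library default — confirm.
        timeoutMs: 0
      influxdb:
        hostUrl:
        # Empty strings here, null for hostUrl above — the consumer should treat
        # both as "unset"; worth making consistent.
        token: ''
        org: ''
        bucket: telegraf
        # Same as elastic.verifyCert: disabled by default, enable where possible.
        verifyCert: false
      sostatus:
        refreshIntervalMs: 30000
        offlineThresholdMs: 900000
      statickeyauth:
        # NOTE(review): anonymousCidr presumably grants unauthenticated access to
        # matching source addresses; leave null unless a narrow range is required.
        anonymousCidr:
        # Secret; populate from the pillar, never commit a value here.
        apiKey:
      staticrbac:
        roleFiles:
          - rbac/permissions
          - rbac/roles
          - rbac/custom_roles
        userFiles:
          - rbac/users_roles
  client:
    docsUrl: https://docs.securityonion.net/en/2.3/
    cheatsheetUrl: https://github.com/Security-Onion-Solutions/securityonion-docs/raw/2.3/images/cheat-sheet/Security-Onion-Cheat-Sheet.pdf
    releaseNotesUrl: https://docs.securityonion.net/en/2.3/release-notes
    # NOTE(review): 0 presumably means "use the UI default" for each timeout — confirm.
    apiTimeoutMs: 0
    webSocketTimeoutMs: 0
    tipTimeoutMs: 0
    cacheExpirationMs: 0
    casesEnabled: true
    inactiveTools: ['toolUnused']
    # name/description are i18n keys; target is the tab name; link is relative
    # to the SOC base URL.
    tools:
      - name: toolKibana
        description: toolKibanaHelp
        icon: fa-external-link-alt
        target: so-kibana
        link: /kibana/
      - name: toolGrafana
        description: toolGrafanaHelp
        icon: fa-external-link-alt
        target: so-grafana
        link: /grafana/d/so_overview
      - name: toolCyberchef
        description: toolCyberchefHelp
        icon: fa-external-link-alt
        target: so-cyberchef
        link: /cyberchef/
      - name: toolPlaybook
        description: toolPlaybookHelp
        icon: fa-external-link-alt
        target: so-playbook
        link: /playbook/projects/detection-playbooks/issues/
      - name: toolFleet
        description: toolFleetHelp
        icon: fa-external-link-alt
        target: so-fleet
        link: /fleet/
      - name: toolNavigator
        description: toolNavigatorHelp
        icon: fa-external-link-alt
        target: so-navigator
        link: /navigator/
    hunt:
      advanced: true
      groupItemsPerPage: 10
      groupFetchLimit: 10
      eventItemsPerPage: 10
      eventFetchLimit: 100
      relativeTimeValue: 24
      # NOTE(review): unit is an enum code consumed by the UI — confirm its mapping.
      relativeTimeUnit: 30
      mostRecentlyUsedLimit: 5
      ackEnabled: false
      escalateEnabled: true
      escalateRelatedEventsEnabled: true
      # Column sets keyed by what looks like a ':module:dataset' selector; an empty
      # segment appears to act as a wildcard. 'default' applies when no key matches.
      # NOTE(review): confirm the selector semantics against the UI code.
      eventFields:
        default:
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - log.id.uid
          - network.community_id
          - event.dataset
        ':kratos:audit':
          - soc_timestamp
          - http_request.headers.x-real-ip
          - identity_id
          - http_request.headers.user-agent
        '::conn':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - network.transport
          - network.protocol
          - log.id.uid
          - network.community_id
        '::dce_rpc':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - dce_rpc.endpoint
          - dce_rpc.named_pipe
          - dce_rpc.operation
          - log.id.uid
        '::dhcp':
          - soc_timestamp
          - client.address
          - server.address
          - host.domain
          - host.hostname
          - dhcp.message_types
          - log.id.uid
        '::dnp3':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - dnp3.fc_reply
          - log.id.uid
        '::dns':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - network.transport
          - dns.query.name
          - dns.query.type_name
          - dns.response.code_name
          - log.id.uid
          - network.community_id
        '::dpd':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - network.protocol
          - observer.analyser
          - error.reason
          - log.id.uid
        '::file':
          - soc_timestamp
          - source.ip
          - destination.ip
          - file.name
          - file.mime_type
          - file.source
          - file.bytes.total
          - log.id.fuid
          - log.id.uid
        '::ftp':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - ftp.user
          - ftp.command
          - ftp.argument
          - ftp.reply_code
          - file.size
          - log.id.uid
        '::http':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - http.method
          - http.virtual_host
          - http.status_code
          - http.status_message
          - http.request.body.length
          - http.response.body.length
          - log.id.uid
          - network.community_id
        '::intel':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - intel.indicator
          - intel.indicator_type
          - intel.seen_where
          - log.id.uid
        '::irc':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - irc.username
          - irc.nickname
          - irc.command.type
          - irc.command.value
          - irc.command.info
          - log.id.uid
        '::kerberos':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - kerberos.client
          - kerberos.service
          - kerberos.request_type
          - log.id.uid
        '::modbus':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - modbus.function
          - log.id.uid
        '::mysql':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - mysql.command
          - mysql.argument
          - mysql.success
          - mysql.response
          - log.id.uid
        '::notice':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - notice.note
          - notice.message
          - log.id.fuid
          - log.id.uid
          - network.community_id
        '::ntlm':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - ntlm.name
          - ntlm.success
          - ntlm.server.dns.name
          - ntlm.server.nb.name
          - ntlm.server.tree.name
          - log.id.uid
        '::pe':
          - soc_timestamp
          - file.is_64bit
          - file.is_exe
          - file.machine
          - file.os
          - file.subsystem
          - log.id.fuid
        '::radius':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - log.id.uid
          - username
          - radius.framed_address
          - radius.reply_message
          - radius.result
        '::rdp':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - rdp.client_build
          - client_name
          - rdp.cookie
          - rdp.encryption_level
          - rdp.encryption_method
          - rdp.keyboard_layout
          - rdp.result
          - rdp.security_protocol
          - log.id.uid
        '::rfb':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - rfb.authentication.method
          - rfb.authentication.success
          - rfb.share_flag
          - rfb.desktop.name
          - log.id.uid
        '::signatures':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - note
          - signature_id
          - event_message
          - sub_message
          - signature_count
          - host.count
          - log.id.uid
        '::sip':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - sip.method
          - sip.uri
          - sip.request.from
          - sip.request.to
          - sip.response.from
          - sip.response.to
          - sip.call_id
          - sip.subject
          - sip.user_agent
          - sip.status_code
          - log.id.uid
        '::smb_files':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - log.id.fuid
          - file.action
          - file.path
          - file.name
          - file.size
          - file.prev_name
          - log.id.uid
        '::smb_mapping':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - smb.path
          - smb.service
          - smb.share_type
          - log.id.uid
        '::smtp':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - smtp.from
          - smtp.recipient_to
          - smtp.subject
          - smtp.useragent
          - log.id.uid
          - network.community_id
        '::snmp':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - snmp.community
          - snmp.version
          - log.id.uid
        '::socks':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - socks.name
          - socks.request.host
          - socks.request.port
          - socks.status
          - log.id.uid
        '::software':
          - soc_timestamp
          - source.ip
          - software.name
          - software.type
        '::ssh':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - ssh.version
          - ssh.hassh_version
          - ssh.direction
          - ssh.client
          - ssh.server
          - log.id.uid
        '::ssl':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - ssl.server_name
          - ssl.certificate.subject
          - ssl.validation_status
          - ssl.version
          - log.id.uid
        ':zeek:syslog':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - syslog.facility
          - network.protocol
          - syslog.severity
          - log.id.uid
        '::tunnels':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - tunnel_type
          - action
          - log.id.uid
        '::weird':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - weird.name
          - log.id.uid
        '::x509':
          - soc_timestamp
          - x509.certificate.subject
          - x509.certificate.key.type
          - x509.certificate.key.length
          - x509.certificate.issuer
          - log.id.fuid
        '::firewall':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - network.transport
          - network.direction
          - interface.name
          - rule.action
          - rule.reason
          - network.community_id
        ':osquery:':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - source.hostname
          - event.dataset
          - process.executable
          - user.name
        ':ossec:':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - rule.name
          - rule.level
          - rule.category
          - process.name
          - user.name
          - user.escalated
          - location
        ':strelka:file':
          - soc_timestamp
          - file.name
          - file.size
          - hash.md5
          - file.source
          - file.mime_type
          - log.id.fuid
        ':suricata:':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - rule.name
          - rule.category
          - event.severity_label
          - log.id.uid
          - network.community_id
        ':sysmon:':
          - soc_timestamp
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - source.hostname
          - event.dataset
          - process.executable
          - user.name
        ':windows_eventlog:':
          - soc_timestamp
          - user.name
        ':elasticsearch:':
          - soc_timestamp
          - agent.name
          - message
          - log.level
          - metadata.version
          - metadata.pipeline
          - event.dataset
        ':kibana:':
          - soc_timestamp
          - host.name
          - message
          - kibana.log.meta.req.headers.x-real-ip
          - event.dataset
        '::rootcheck':
          - soc_timestamp
          - host.name
          - metadata.ip_address
          - log.full
          - event.dataset
          - event.module
        '::ossec':
          - soc_timestamp
          - host.name
          - metadata.ip_address
          - log.full
          - event.dataset
          - event.module
        '::syscollector':
          - soc_timestamp
          - host.name
          - metadata.ip_address
          - wazuh.data.type
          - log.full
          - event.dataset
          - event.module
        ':syslog:syslog':
          - soc_timestamp
          - host.name
          - metadata.ip_address
          - real_message
          - syslog.priority
          - syslog.application
        ':aws:':
          - soc_timestamp
          - aws.cloudtrail.event_category
          - aws.cloudtrail.event_type
          - event.provider
          - event.action
          - event.outcome
          - cloud.region
          - user.name
          - source.ip
          - source.geo.region_iso_code
        ':squid:':
          - soc_timestamp
          - url.original
          - destination.ip
          - destination.geo.country_iso_code
          - user.name
          - source.ip
      # Null here: hunt applies no base filter (alerts and cases below do).
      queryBaseFilter:
      queryToggleFilters:
        - name: caseExcludeToggle
          # Single-quoted so the backslashes stay literal, matching the cases
          # queryBaseFilter form below; the value is unchanged.
          filter: 'NOT _index:\"*:so-case*\"'
          enabled: true
      queries:
        - name: Default Query
          description: Show all events grouped by the origin host
          query: '* | groupby observer.name'
        - name: Log Type
          description: Show all events grouped by module and dataset
          query: '* | groupby event.module event.dataset'
        - name: SOC Auth
          description: Users authenticated to SOC grouped by IP address and identity
          query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id'
        - name: Elastalerts
          description: ''
          query: '_type:elastalert | groupby rule.name'
        - name: Alerts
          description: Show all alerts grouped by alert source
          query: 'event.dataset: alert | groupby event.module'
        - name: NIDS Alerts
          description: Show all NIDS alerts grouped by alert
          query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name'
        - name: Wazuh/OSSEC Alerts
          description: Show all Wazuh alerts at Level 5 or higher grouped by category
          query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name'
        - name: Wazuh/OSSEC Alerts
          description: Show all Wazuh alerts at Level 4 or lower grouped by category
          query: 'event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name'
        - name: Wazuh/OSSEC Users and Commands
          description: Show all Wazuh alerts grouped by username and command line
          query: 'event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line'
        - name: Wazuh/OSSEC Processes
          description: Show all Wazuh alerts grouped by process name
          query: 'event.module:ossec AND event.dataset:alert | groupby process.name'
        - name: Sysmon Events
          description: Show all Sysmon logs grouped by event type
          query: 'event.module:sysmon | groupby event.dataset'
        - name: Sysmon Usernames
          description: Show all Sysmon logs grouped by username
          query: 'event.module:sysmon | groupby event.dataset, user.name.keyword'
        - name: Strelka
          description: Show all Strelka logs grouped by file type
          query: 'event.module:strelka | groupby file.mime_type'
        - name: Zeek Notice
          description: Show notices from Zeek
          query: 'event.dataset:notice | groupby notice.note notice.message'
        - name: Connections
          description: Connections grouped by IP and Port
          query: 'event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port'
        - name: Connections
          description: Connections grouped by Service
          query: 'event.dataset:conn | groupby network.protocol destination.port'
        - name: Connections
          description: Connections grouped by destination country
          query: 'event.dataset:conn | groupby destination.geo.country_name'
        - name: Connections
          description: Connections grouped by source country
          query: 'event.dataset:conn | groupby source.geo.country_name'
        - name: DCE_RPC
          description: DCE_RPC grouped by operation
          query: 'event.dataset:dce_rpc | groupby dce_rpc.operation'
        - name: DHCP
          description: DHCP leases
          query: 'event.dataset:dhcp | groupby host.hostname client.address'
        - name: DHCP
          description: DHCP grouped by message type
          query: 'event.dataset:dhcp | groupby dhcp.message_types'
        - name: DNP3
          description: DNP3 grouped by reply
          query: 'event.dataset:dnp3 | groupby dnp3.fc_reply'
        - name: DNS
          description: DNS queries grouped by port
          query: 'event.dataset:dns | groupby dns.query.name destination.port'
        - name: DNS
          description: DNS queries grouped by type
          query: 'event.dataset:dns | groupby dns.query.type_name destination.port'
        - name: DNS
          description: DNS queries grouped by response code
          query: 'event.dataset:dns | groupby dns.response.code_name destination.port'
        - name: DNS
          description: DNS highest registered domain
          query: 'event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port'
        - name: DNS
          description: DNS grouped by parent domain
          query: 'event.dataset:dns | groupby dns.parent_domain.keyword destination.port'
        - name: DPD
          description: Dynamic Protocol Detection errors
          query: 'event.dataset:dpd | groupby error.reason'
        - name: Files
          description: Files grouped by mimetype
          query: 'event.dataset:file | groupby file.mime_type source.ip'
        - name: Files
          description: Files grouped by source
          query: 'event.dataset:file | groupby file.source source.ip'
        - name: FTP
          description: FTP grouped by command and argument
          query: 'event.dataset:ftp | groupby ftp.command ftp.argument'
        - name: FTP
          description: FTP grouped by username and argument
          query: 'event.dataset:ftp | groupby ftp.user ftp.argument'
        - name: HTTP
          description: HTTP grouped by destination port
          query: 'event.dataset:http | groupby destination.port'
        - name: HTTP
          description: HTTP grouped by status code and message
          query: 'event.dataset:http | groupby http.status_code http.status_message'
        - name: HTTP
          description: HTTP grouped by method and user agent
          query: 'event.dataset:http | groupby http.method http.useragent'
        - name: HTTP
          description: HTTP grouped by virtual host
          query: 'event.dataset:http | groupby http.virtual_host'
        - name: HTTP
          description: HTTP with exe downloads
          query: 'event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host'
        - name: Intel
          description: Intel framework hits grouped by indicator
          query: 'event.dataset:intel | groupby intel.indicator.keyword'
        - name: IRC
          description: IRC grouped by command
          query: 'event.dataset:irc | groupby irc.command.type'
        - name: KERBEROS
          description: KERBEROS grouped by service
          query: 'event.dataset:kerberos | groupby kerberos.service'
        - name: MODBUS
          description: MODBUS grouped by function
          query: 'event.dataset:modbus | groupby modbus.function'
        - name: MYSQL
          description: MYSQL grouped by command
          query: 'event.dataset:mysql | groupby mysql.command'
        - name: NOTICE
          description: Zeek notice logs grouped by note and message
          query: 'event.dataset:notice | groupby notice.note notice.message'
        - name: NTLM
          description: NTLM grouped by computer name
          query: 'event.dataset:ntlm | groupby ntlm.server.dns.name'
        - name: Osquery Live Queries
          description: Osquery Live Query results grouped by computer name
          query: 'event.dataset:live_query | groupby host.hostname'
        - name: PE
          description: PE files list
          query: 'event.dataset:pe | groupby file.machine file.os file.subsystem'
        - name: RADIUS
          description: RADIUS grouped by username
          query: 'event.dataset:radius | groupby user.name.keyword'
        - name: RDP
          description: RDP grouped by client name
          query: 'event.dataset:rdp | groupby client.name'
        - name: RFB
          description: RFB grouped by desktop name
          query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword'
        - name: Signatures
          description: Zeek signatures grouped by signature id
          query: 'event.dataset:signatures | groupby signature_id'
        - name: SIP
          description: SIP grouped by user agent
          query: 'event.dataset:sip | groupby client.user_agent'
        - name: SMB_Files
          description: SMB files grouped by action
          query: 'event.dataset:smb_files | groupby file.action'
        - name: SMB_Mapping
          description: SMB mapping grouped by path
          query: 'event.dataset:smb_mapping | groupby smb.path'
        - name: SMTP
          description: SMTP grouped by subject
          query: 'event.dataset:smtp | groupby smtp.subject'
        - name: SNMP
          description: SNMP grouped by version and string
          query: 'event.dataset:snmp | groupby snmp.community snmp.version'
        - name: Software
          description: List of software seen on the network
          query: 'event.dataset:software | groupby software.type software.name'
        - name: SSH
          description: SSH grouped by version and client
          query: 'event.dataset:ssh | groupby ssh.version ssh.client'
        - name: SSL
          description: SSL grouped by version and server name
          query: 'event.dataset:ssl | groupby ssl.version ssl.server_name'
        - name: SYSLOG
          # Trailing space inside the quotes is part of the displayed text as shipped.
          description: 'SYSLOG grouped by severity and facility '
          query: 'event.dataset:syslog | groupby syslog.severity_label syslog.facility_label'
        - name: Tunnel
          description: Tunnels grouped by type and action
          query: 'event.dataset:tunnel | groupby tunnel.type event.action'
        - name: Weird
          description: Zeek weird log grouped by name
          query: 'event.dataset:weird | groupby weird.name'
        - name: x509
          description: x.509 grouped by key length and name
          query: 'event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns'
        - name: x509
          description: x.509 grouped by name and issuer
          query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer'
        - name: x509
          description: x.509 grouped by name and subject
          query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.subject'
        - name: Firewall
          description: Firewall events grouped by action
          query: 'event.dataset:firewall | groupby rule.action'
      # Per-value context actions. {value} is the selected field value; {:field}
      # pulls another field from the same event; |escape and |base64 are filters.
      # NOTE(review): the Google and VirusTotal links insert {value} with no
      # filter — confirm the UI URL-encodes it before opening the external link.
      actions:
        - name: actionHunt
          description: actionHuntHelp
          icon: fa-crosshairs
          target:
          links:
            - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset'
        - name: actionCorrelate
          description: actionCorrelateHelp
          icon: fab fa-searchengin
          target:
          # Most-specific link first; presumably the UI falls through to the
          # next link when a referenced field is absent.
          links:
            - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
            - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset'
            - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset'
            - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
            - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset'
            - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset'
            - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset'
        - name: actionPcap
          description: actionPcapHelp
          icon: fa-stream
          target:
          links:
            - '/joblookup?esid={:soc_id}&time={:@timestamp}'
            - '/joblookup?ncid={:network.community_id}&time={:@timestamp}'
          categories:
            - hunt
            - alerts
        - name: actionCyberChef
          description: actionCyberChefHelp
          icon: fas fa-bread-slice
          target: _blank
          links:
            - '/cyberchef/#input={value|base64}'
        - name: actionGoogle
          description: actionGoogleHelp
          icon: fab fa-google
          target: _blank
          links:
            - 'https://www.google.com/search?q={value}'
        - name: actionVirusTotal
          description: actionVirusTotalHelp
          icon: fa-external-link-alt
          target: _blank
          links:
            - 'https://www.virustotal.com/gui/search/{value}'
    job:
      # Same action list as hunt.actions; kept in sync by hand.
      actions:
        - name: actionHunt
          description: actionHuntHelp
          icon: fa-crosshairs
          target:
          links:
            - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset'
        - name: actionCorrelate
          description: actionCorrelateHelp
          icon: fab fa-searchengin
          target:
          links:
            - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
            - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset'
            - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset'
            - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
            - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset'
            - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset'
            - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset'
        - name: actionPcap
          description: actionPcapHelp
          icon: fa-stream
          target:
          links:
            - '/joblookup?esid={:soc_id}&time={:@timestamp}'
            - '/joblookup?ncid={:network.community_id}&time={:@timestamp}'
          categories:
            - hunt
            - alerts
        - name: actionCyberChef
          description: actionCyberChefHelp
          icon: fas fa-bread-slice
          target: _blank
          links:
            - '/cyberchef/#input={value|base64}'
        - name: actionGoogle
          description: actionGoogleHelp
          icon: fab fa-google
          target: _blank
          links:
            - 'https://www.google.com/search?q={value}'
        - name: actionVirusTotal
          description: actionVirusTotalHelp
          icon: fa-external-link-alt
          target: _blank
          links:
            - 'https://www.virustotal.com/gui/search/{value}'
    alerts:
      advanced: false
      groupItemsPerPage: 50
      groupFetchLimit: 500
      eventItemsPerPage: 50
      eventFetchLimit: 500
      relativeTimeValue: 24
      relativeTimeUnit: 30
      mostRecentlyUsedLimit: 5
      ackEnabled: true
      escalateEnabled: true
      escalateRelatedEventsEnabled: true
      # NOTE(review): hunt and cases spell this key 'eventFields'; if the consumer
      # matches keys case-sensitively this lowercase form is silently ignored.
      # Left as shipped — confirm against the UI before renaming.
      eventfields:
        default:
          - soc_timestamp
          - rule.name
          - event.severity_label
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - rule.gid
          - rule.uuid
          - rule.category
          - rule.rev
        ':ossec:':
          - soc_timestamp
          - rule.name
          - event.severity_label
          - source.ip
          - source.port
          - destination.ip
          - destination.port
          - rule.level
          - rule.category
          - process.name
          - user.name
          - user.escalated
          - location
      queryBaseFilter: event.dataset:alert
      queryToggleFilters:
        - name: acknowledged
          filter: event.acknowledged:true
          enabled: false
          exclusive: true
        - name: escalated
          filter: event.escalated:true
          enabled: false
          exclusive: true
      enablesToggles:
        - acknowledged
      queries:
        - name: 'Group By Name, Module'
          query: '* | groupby rule.name event.module event.severity_label'
        - name: 'Group By Sensor, Source IP/Port, Destination IP/Port, Name'
          query: '* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label'
        - name: 'Group By Source IP, Name'
          query: '* | groupby source.ip rule.name event.severity_label'
        - name: 'Group By Source Port, Name'
          query: '* | groupby source.port rule.name event.severity_label'
        - name: 'Group By Destination IP, Name'
          query: '* | groupby destination.ip rule.name event.severity_label'
        - name: 'Group By Destination Port, Name'
          query: '* | groupby destination.port rule.name event.severity_label'
        - name: Ungroup
          query: '*'
      # Same action list as hunt.actions; kept in sync by hand.
      actions:
        - name: actionHunt
          description: actionHuntHelp
          icon: fa-crosshairs
          target:
          links:
            - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset'
        - name: actionCorrelate
          description: actionCorrelateHelp
          icon: fab fa-searchengin
          target:
          links:
            - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
            - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset'
            - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset'
            - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
            - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset'
            - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset'
            - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset'
        - name: actionPcap
          description: actionPcapHelp
          icon: fa-stream
          target:
          links:
            - '/joblookup?esid={:soc_id}&time={:@timestamp}'
            - '/joblookup?ncid={:network.community_id}&time={:@timestamp}'
          categories:
            - hunt
            - alerts
        - name: actionCyberChef
          description: actionCyberChefHelp
          icon: fas fa-bread-slice
          target: _blank
          links:
            - '/cyberchef/#input={value|base64}'
        - name: actionGoogle
          description: actionGoogleHelp
          icon: fab fa-google
          target: _blank
          links:
            - 'https://www.google.com/search?q={value}'
        - name: actionVirusTotal
          description: actionVirusTotalHelp
          icon: fa-external-link-alt
          target: _blank
          links:
            - 'https://www.virustotal.com/gui/search/{value}'
    cases:
      advanced: false
      groupItemsPerPage: 50
      groupFetchLimit: 100
      eventItemsPerPage: 50
      eventFetchLimit: 500
      relativeTimeValue: 12
      relativeTimeUnit: 60
      mostRecentlyUsedLimit: 5
      ackEnabled: false
      escalateEnabled: false
      escalateRelatedEventsEnabled: false
      viewEnabled: true
      createLink: /case/create
      eventFields:
        default:
          - soc_timestamp
          - so_case.title
          - so_case.status
          - so_case.severity
          - so_case.assigneeId
          - so_case.createTime
      queryBaseFilter: '_index:\"*:so-case\" AND so_kind:case'
      queryToggleFilters: []
      # {myId} is substituted with the current user's id by the UI.
      queries:
        - name: Open Cases
          query: 'NOT so_case.status:closed AND NOT so_case.category:template'
        - name: Closed Cases
          query: 'so_case.status:closed AND NOT so_case.category:template'
        - name: My Open Cases
          query: 'NOT so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}'
        - name: My Closed Cases
          query: 'so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}'
        - name: Templates
          query: 'so_case.category:template'
      # Same action list as hunt.actions; kept in sync by hand.
      actions:
        - name: actionHunt
          description: actionHuntHelp
          icon: fa-crosshairs
          target:
          links:
            - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset'
        - name: actionCorrelate
          description: actionCorrelateHelp
          icon: fab fa-searchengin
          target:
          links:
            - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
            - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset'
            - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset'
            - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
            - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset'
            - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset'
            - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset'
        - name: actionPcap
          description: actionPcapHelp
          icon: fa-stream
          target:
          links:
            - '/joblookup?esid={:soc_id}&time={:@timestamp}'
            - '/joblookup?ncid={:network.community_id}&time={:@timestamp}'
          categories:
            - hunt
            - alerts
        - name: actionCyberChef
          description: actionCyberChefHelp
          icon: fas fa-bread-slice
          target: _blank
          links:
            - '/cyberchef/#input={value|base64}'
        - name: actionGoogle
          description: actionGoogleHelp
          icon: fab fa-google
          target: _blank
          links:
            - 'https://www.google.com/search?q={value}'
        - name: actionVirusTotal
          description: actionVirusTotalHelp
          icon: fa-external-link-alt
          target: _blank
          links:
            - 'https://www.virustotal.com/gui/search/{value}'
    case:
      mostRecentlyUsedLimit: 5
      renderAbbreviatedCount: 30
      # Pick-lists for case fields; customEnabled controls whether free-text
      # values are accepted in addition to the listed labels.
      presets:
        artifactType:
          labels:
            - autonomous-system
            - domain
            - file
            - filename
            - fqdn
            - hash
            - ip
            - mail
            - mail_subject
            - other
            - regexp
            - registry
            - uri_path
            - url
            - user-agent
          customEnabled: true
        category:
          labels:
            - general
            - template
          customEnabled: true
        pap:
          labels:
            - white
            - green
            - amber
            - red
          customEnabled: false
        severity:
          labels:
            - low
            - medium
            - high
            - critical
          customEnabled: false
        status:
          labels:
            - new
            - in progress
            - closed
          customEnabled: false
        tags:
          labels:
            - false-positive
            - confirmed
            - pending
          customEnabled: true
        tlp:
          labels:
            - white
            - green
            - amber
            - red
          customEnabled: false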