soc:
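# Whether the SOC service is enabled. Canonical lowercase boolean, consistent
# with the other booleans in this file (airgapEnabled, verifyCert, casesEnabled).
enabled: false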
config:
# Log destination and minimum level for the SOC (sensoroni) server process.
logFilename: /opt/sensoroni/logs/sensoroni-server.log
logLevel: info
# Context-menu actions offered on field values in the SOC UI.
# `{value}`, `{value|escape}`, `{value|base64}` and `{:field.name}` appear to be
# placeholders expanded by the client from the selected value / event fields
# (TODO confirm against the SOC client code).
actions:
- name: actionHunt
description: actionHuntHelp
icon: fa-crosshairs
# NOTE(review): bare `target:` parses as null, whereas the sibling actions use
# `target: ''`; confirm the client treats both identically before relying on it.
target:
links:
- '/#/hunt?q="{value|escape}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- name: actionAddToCase
description: actionAddToCaseHelp
icon: fa-briefcase
# Invokes a client-side dialog instead of opening a link.
jsCall: openAddToCaseDialog
# `categories` presumably limits which views show the action; actions without
# it appear everywhere — confirm.
categories:
- hunt
- alerts
- dashboards
- name: actionCorrelate
description: actionCorrelateHelp
icon: fa-magnifying-glass-arrow-right
target: ''
# Several link variants; presumably the first one whose referenced fields are
# all present on the event is used — confirm against the client.
links:
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- '/#/hunt?q="{:log.id.fuid}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- '/#/hunt?q="{:log.id.uid}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- '/#/hunt?q="{:network.community_id}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- name: actionPcap
description: actionPcapHelp
icon: fa-stream
target: ''
# PCAP lookup keyed by the SOC document id, falling back to the community id.
links:
- '/joblookup?esid={:soc_id}&time={:@timestamp}'
- '/joblookup?ncid={:network.community_id}&time={:@timestamp}'
categories:
- hunt
- alerts
- dashboards
- name: actionCyberChef
description: actionCyberChefHelp
icon: fas fa-bread-slice
target: _blank
# Local CyberChef instance; the value is passed base64-encoded in the fragment.
links:
- '/cyberchef/#input={value|base64}'
# NOTE(review): the two actions below send the selected value to an external
# site in the URL. Analysts should be aware that sensitive observables
# (internal hostnames, usernames) leave the environment when these are used.
- name: actionGoogle
description: actionGoogleHelp
icon: fab fa-google
target: _blank
links:
- 'https://www.google.com/search?q={value}'
- name: actionVirusTotal
description: actionVirusTotalHelp
icon: fa-external-link-alt
target: _blank
links:
- 'https://www.virustotal.com/gui/search/{value}'
- name: actionSublime
description: actionSublimeHelp
icon: fa-external-link-alt
target: _blank
# NOTE(review): the destination host is taken from the event's sublime.url
# field rather than being fixed; confirm the client validates/escapes the
# field before opening the link.
links:
- 'https://{:sublime.url}/messages/{:sublime.message_group_id}'
- name: actionProcessInfo
description: actionProcessInfoHelp
icon: fa-person-running
target: ''
# Pivot on the endpoint process entity id.
links:
- '/#/hunt?q=(process.entity_id:"{:process.entity_id}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path'
- name: actionProcessAncestors
description: actionProcessAncestorsHelp
icon: fa-people-roof
target: ''
# Same pivot, widened to the ancestry list (`processAncestors` looks like a
# client-side formatter for process.Ext.ancestry — TODO confirm).
links:
- '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path'
# Default column lists shown for each event type in the SOC event views.
# Keys other than `default` follow a colon-separated pattern that looks like
# `:module:dataset` (e.g. ':kratos:audit', ':suricata:', '::conn'); an empty
# segment presumably acts as a wildcard — TODO confirm against the SOC client.
# Every list starts with soc_timestamp and most end with event.dataset.
eventFields:
default:
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- log.id.uid
- network.community_id
- event.dataset
# SOC authentication audit events (the 'SOC - Auth' hunt query searches
# this dataset); the client IP comes from the x-real-ip header.
':kratos:audit':
- soc_timestamp
- http_request.headers.x-real-ip
- identity_id
- http_request.headers.user-agent
- event.dataset
'::conn':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- network.transport
- network.protocol
- log.id.uid
- network.community_id
- event.dataset
'::dce_rpc':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- dce_rpc.endpoint
- dce_rpc.named_pipe
- dce_rpc.operation
- log.id.uid
- event.dataset
'::dhcp':
- soc_timestamp
- client.address
- server.address
- host.domain
- host.hostname
- dhcp.message_types
- log.id.uid
- event.dataset
'::dnp3':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- dnp3.fc_reply
- log.id.uid
- event.dataset
'::dnp3_control':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- dnp3.function_code
- dnp3.block_type
- log.id.uid
- event.dataset
'::dnp3_objects':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- dnp3.function_code
- dnp3.object_type
- log.id.uid
- event.dataset
'::dns':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- network.transport
- dns.query.name
- dns.query.type_name
- dns.response.code_name
- log.id.uid
- network.community_id
- event.dataset
'::dpd':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- network.protocol
- observer.analyser
- error.reason
- log.id.uid
- event.dataset
'::file':
- soc_timestamp
- source.ip
- destination.ip
- file.name
- file.mime_type
- file.source
- file.bytes.total
- log.id.fuid
- log.id.uid
- event.dataset
'::ftp':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- ftp.user
- ftp.command
- ftp.argument
- ftp.reply_code
- file.size
- log.id.uid
- event.dataset
'::http':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- http.method
- http.virtual_host
- http.status_code
- http.status_message
- http.request.body.length
- http.response.body.length
- log.id.uid
- network.community_id
- event.dataset
'::intel':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- intel.indicator
- intel.indicator_type
- intel.seen_where
- log.id.uid
- event.dataset
'::irc':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- irc.username
- irc.nickname
- irc.command.type
- irc.command.value
- irc.command.info
- log.id.uid
- event.dataset
'::kerberos':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- kerberos.client
- kerberos.service
- kerberos.request_type
- log.id.uid
- event.dataset
'::modbus':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- modbus.function
- log.id.uid
- event.dataset
'::mysql':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- mysql.command
- mysql.argument
- mysql.success
- mysql.response
- log.id.uid
- event.dataset
'::notice':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- notice.note
- notice.message
- log.id.fuid
- log.id.uid
- network.community_id
- event.dataset
'::ntlm':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- ntlm.name
- ntlm.success
- ntlm.server.dns.name
- ntlm.server.nb.name
- ntlm.server.tree.name
- log.id.uid
- event.dataset
'::pe':
- soc_timestamp
- file.is_64bit
- file.is_exe
- file.machine
- file.os
- file.subsystem
- log.id.fuid
- event.dataset
'::radius':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- log.id.uid
- username
- radius.framed_address
- radius.reply_message
- radius.result
- event.dataset
'::rdp':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- rdp.client_build
- client_name
- rdp.cookie
- rdp.encryption_level
- rdp.encryption_method
- rdp.keyboard_layout
- rdp.result
- rdp.security_protocol
- log.id.uid
- event.dataset
'::rfb':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- rfb.authentication.method
- rfb.authentication.success
- rfb.share_flag
- rfb.desktop.name
- log.id.uid
- event.dataset
'::signatures':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- note
- signature_id
- event_message
- sub_message
- signature_count
- host.count
- log.id.uid
- event.dataset
'::sip':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- sip.method
- sip.uri
- sip.request.from
- sip.request.to
- sip.response.from
- sip.response.to
- sip.call_id
- sip.subject
- sip.user_agent
- sip.status_code
- log.id.uid
- event.dataset
'::smb_files':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- log.id.fuid
- file.action
- file.path
- file.name
- file.size
- file.prev_name
- log.id.uid
- event.dataset
'::smb_mapping':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- smb.path
- smb.service
- smb.share_type
- log.id.uid
- event.dataset
'::smtp':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- smtp.mail_from
- smtp.recipient_to
- smtp.subject
- smtp.useragent
- log.id.uid
- network.community_id
- event.dataset
'::snmp':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- snmp.community
- snmp.version
- log.id.uid
- event.dataset
'::socks':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- socks.name
- socks.request.host
- socks.request.port
- socks.status
- log.id.uid
- event.dataset
'::software':
- soc_timestamp
- source.ip
- software.name
- software.type
- event.dataset
'::ssh':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- ssh.version
- ssh.hassh_version
- ssh.direction
- ssh.client
- ssh.server
- log.id.uid
- event.dataset
'::ssl':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- ssl.server_name
- ssl.certificate.subject
- ssl.validation_status
- ssl.version
- log.id.uid
- event.dataset
# Module is spelled out here, presumably to keep Zeek syslog distinct from
# the ':syslog:syslog' entry further down.
':zeek:syslog':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- syslog.facility
- network.protocol
- syslog.severity
- log.id.uid
- event.dataset
'::tunnels':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- tunnel_type
- action
- log.id.uid
- event.dataset
'::weird':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- weird.name
- log.id.uid
- event.dataset
'::x509':
- soc_timestamp
- x509.certificate.subject
- x509.certificate.key.type
- x509.certificate.key.length
- x509.certificate.issuer
- log.id.fuid
- event.dataset
'::firewall':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- network.transport
- network.type
- observer.ingress.interface.name
- event.action
- network.community_id
- event.dataset
':pfsense:':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- network.transport
- network.type
- observer.ingress.interface.name
- event.action
- network.community_id
- event.dataset
':osquery:':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- source.hostname
- process.executable
- user.name
- event.dataset
':strelka:file':
- soc_timestamp
- file.name
- file.size
- hash.md5
- file.source
- file.mime_type
- log.id.fuid
- event.dataset
':suricata:':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- rule.name
- rule.category
- event.severity_label
- log.id.uid
- network.community_id
- event.dataset
':windows_eventlog:':
- soc_timestamp
- user.name
- event.dataset
':elasticsearch:':
- soc_timestamp
- agent.name
- message
- log.level
- metadata.version
- metadata.pipeline
- event.dataset
':kibana:':
- soc_timestamp
- host.name
- message
- kibana.log.meta.req.headers.x-real-ip
- event.dataset
':syslog:syslog':
- soc_timestamp
- host.name
- metadata.ip_address
- real_message
- syslog.priority
- syslog.application
- event.dataset
':aws:':
- soc_timestamp
- aws.cloudtrail.event_category
- aws.cloudtrail.event_type
- event.provider
- event.action
- event.outcome
- cloud.region
- user.name
- source.ip
- source.geo.region_iso_code
- event.dataset
':squid:':
- soc_timestamp
- url.original
- destination.ip
- destination.geo.country_iso_code
- user.name
- source.ip
- event.dataset
# Windows / Sysmon datasets (winlog.* fields).
'::sysmon_operational':
- soc_timestamp
- event.action
- winlog.computer_name
- user.name
- process.executable
- process.pid
- event.dataset
'::network_connection':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- source.hostname
- process.executable
- user.name
- event.dataset
'::process_terminated':
- soc_timestamp
- process.executable
- process.pid
- winlog.computer_name
- event.dataset
'::file_create':
- soc_timestamp
- file.target
- process.executable
- process.pid
- winlog.computer_name
- event.dataset
'::registry_value_set':
- soc_timestamp
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
- event.dataset
'::process_creation':
- soc_timestamp
- process.command_line
- process.pid
- process.parent.executable
- process.working_directory
- event.dataset
'::registry_create_delete':
- soc_timestamp
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
- event.dataset
'::dns_query':
- soc_timestamp
- dns.query.name
- dns.answers.name
- process.executable
- winlog.computer_name
- event.dataset
'::file_create_stream_hash':
- soc_timestamp
- file.target
- hash.md5
- hash.sha256
- process.executable
- process.pid
- winlog.computer_name
- event.dataset
# ICS/OT protocol datasets (bacnet, bsap, cip, cotp, ecat, enip, opcua,
# profinet, s7comm, tds).
'::bacnet':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- bacnet.bclv.function
- bacnet.result.code
- log.id.uid
- event.dataset
'::bacnet_discovery':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- bacnet.vendor
- bacnet.pdu.service
- log.id.uid
- event.dataset
'::bacnet_property':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- bacnet.property
- bacnet.pdu.service
- log.id.uid
- event.dataset
'::bsap_ip_header':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- bsap.message.type
- bsap.number.messages
- log.id.uid
- event.dataset
'::bsap_ip_rdb':
- soc_timestamp
- bsap.application.function
- bsap.application.sub.function
- bsap.vector.variables
- log.id.uid
- event.dataset
'::bsap_serial_header':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- bsap.source.function
- bsap.destination.function
- bsap.message.type
- log.id.uid
- event.dataset
'::bsap_serial_rdb':
- soc_timestamp
- bsap.rdb.function
- bsap.vector.variables
- log.id.uid
- event.dataset
'::cip':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- cip.service
- cip.status_code
- log.id.uid
- event.dataset
'::cip_identity':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- cip.device.type.name
- cip.vendor.name
- log.id.uid
- event.dataset
'::cip_io':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- cip.connection.id
- cip.io.data
- log.id.uid
- event.dataset
'::cotp':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- cotp.pdu.name
- log.id.uid
- event.dataset
'::ecat_arp_info':
- soc_timestamp
- source.ip
- destination.ip
- source.mac
- destination.mac
- ecat.arp.type
- event.dataset
'::ecat_aoe_info':
- soc_timestamp
- source.mac
- source.port
- destination.mac
- destination.port
- ecat.command
- event.dataset
'::ecat_coe_info':
- soc_timestamp
- ecat.message.number
- ecat.message.type
- ecat.request.response.type
- ecat.index
- ecat.sub.index
- event.dataset
'::ecat_dev_info':
- soc_timestamp
- ecat.device.type
- ecat.features
- ecat.ram.size
- ecat.revision
- ecat.slave.address
- event.dataset
'::ecat_log_address':
- soc_timestamp
- source.mac
- destination.mac
- ecat.command
- event.dataset
'::ecat_registers':
- soc_timestamp
- source.mac
- destination.mac
- ecat.command
- ecat.register.type
- event.dataset
'::enip':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- enip.command
- enip.status_code
- log.id.uid
- event.dataset
# Same column set as '::modbus' above.
'::modbus_detailed':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- modbus.function
- log.id.uid
- event.dataset
'::opcua_binary':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.identifier_string
- opcua.message_type
- log.id.uid
- event.dataset
'::opcua_binary_activate_session':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.link_id
- opcua.identifier_string
- opcua.user_name
- log.id.uid
- event.dataset
'::opcua_binary_activate_session_diagnostic_info':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.activate_session_diag_info_link_id
- opcua.diag_info_link_id
- log.id.uid
- event.dataset
'::opcua_binary_activate_session_locale_id':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.local_id
- opcua.locale_link_id
- log.id.uid
- event.dataset
'::opcua_binary_browse':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.link_id
- opcua.service_type
- log.id.uid
- event.dataset
'::opcua_binary_browse_description':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- log.id.uid
- event.dataset
'::opcua_binary_browse_response_references':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.node_class
- opcua.display_name_text
- log.id.uid
- event.dataset
'::opcua_binary_browse_result':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.response_link_id
- log.id.uid
- event.dataset
'::opcua_binary_create_session':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.link_id
- log.id.uid
- event.dataset
'::opcua_binary_create_session_endpoints':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.endpoint_link_id
- opcua.endpoint_url
- log.id.uid
- event.dataset
'::opcua_binary_create_session_user_token':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.user_token_link_id
- log.id.uid
- event.dataset
'::opcua_binary_create_subscription':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.link_id
- log.id.uid
- event.dataset
'::opcua_binary_get_endpoints':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.endpoint_url
- opcua.link_id
- log.id.uid
- event.dataset
'::opcua_binary_get_endpoints_description':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.endpoint_description_link_id
- opcua.endpoint_uri
- log.id.uid
- event.dataset
'::opcua_binary_get_endpoints_user_token':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.user_token_link_id
- opcua.user_token_type
- log.id.uid
- event.dataset
'::opcua_binary_read':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.link_id
- opcua.read_results_link_id
- log.id.uid
- event.dataset
'::opcua_binary_status_code_detail':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.info_type_string
- opcua.source_string
- log.id.uid
- event.dataset
'::profinet':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- profinet.index
- profinet.operation_type
- log.id.uid
- event.dataset
'::profinet_dce_rpc':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- profinet.operation
- log.id.uid
- event.dataset
'::s7comm':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- s7.ros.control.name
- s7.function.name
- log.id.uid
- event.dataset
'::s7comm_plus':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- s7.opcode.name
- s7.version
- log.id.uid
- event.dataset
'::s7comm_read_szl':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- s7.szl_id_name
- s7.return_code_name
- log.id.uid
- event.dataset
'::s7comm_upload_download':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- s7.ros.control.name
- s7.function_code
- log.id.uid
- event.dataset
'::tds':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- tds.command
- log.id.uid
- event.dataset
'::tds_rpc':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- tds.procedure_name
- log.id.uid
- event.dataset
'::tds_sql_batch':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- tds.header_type
- log.id.uid
- event.dataset
# Elastic endpoint event datasets.
':endpoint:events_x_api':
- soc_timestamp
- host.name
- user.name
- process.name
- process.Ext.api.name
- process.thread.Ext.call_stack_final_user_module.path
- event.dataset
':endpoint:events_x_file':
- soc_timestamp
- host.name
- user.name
- process.name
- event.action
- file.path
- event.dataset
':endpoint:events_x_library':
- soc_timestamp
- host.name
- user.name
- process.name
- event.action
- dll.path
- dll.code_signature.status
- dll.code_signature.subject_name
- event.dataset
':endpoint:events_x_network':
- soc_timestamp
- host.name
- user.name
- process.name
- event.action
- source.ip
- source.port
- destination.ip
- destination.port
- network.community_id
- event.dataset
':endpoint:events_x_process':
- soc_timestamp
- host.name
- user.name
- process.parent.name
- process.name
- event.action
- process.working_directory
- event.dataset
':endpoint:events_x_registry':
- soc_timestamp
- host.name
- user.name
- process.name
- event.action
- registry.path
- event.dataset
':endpoint:events_x_security':
- soc_timestamp
- host.name
- user.name
- process.executable
- event.action
- event.outcome
- event.dataset
# Note the trailing `message` column; this and ':elastic_agent:' are the
# lists that do not end with event.dataset.
':system:':
- soc_timestamp
- process.name
- process.pid
- user.effective.name
- user.name
- system.auth.sudo.command
- event.dataset
- message
':opencanary:':
- soc_timestamp
- source.ip
- source.port
- logdata.HOSTNAME
- destination.port
- logdata.PATH
- logdata.USERNAME
- logdata.USERAGENT
- event.dataset
':elastic_agent:':
- soc_timestamp
- event.dataset
- message
# SOC (sensoroni) server settings. Keys left without a value parse as null;
# they are presumably filled in from pillar at deploy time — TODO confirm.
server:
# NOTE(review): binds on every interface (0.0.0.0); confirm the port is only
# reachable through the reverse proxy / host firewall.
bindAddress: 0.0.0.0:9822
baseUrl: /
maxPacketCount: 5000
htmlDir: html
importUploadDir: /nsm/soc/uploads
airgapEnabled: false
modules:
cases: soc
filedatastore:
jobDir: jobs
kratos:
hostUrl:
elastalertengine:
# Empty allow/deny regexes; presumably no rule filtering by default — confirm.
allowRegex: ''
autoUpdateEnabled: true
# Community rules are re-imported once a day (86400 s) when auto-update is on.
communityRulesImportFrequencySeconds: 86400
denyRegex: ''
elastAlertRulesFolder: /opt/sensoroni/elastalert
reposFolder: /opt/sensoroni/sigma/repos
rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
# Sigma rules are pulled from this repository over HTTPS; its integrity is
# part of the detection supply chain.
rulesRepos:
- repo: https://github.com/Security-Onion-Solutions/securityonion-resources
license: Elastic-2.0
folder: sigma/stable
sigmaRulePackages:
- core
- emerging_threats_addon
elastic:
hostUrl:
remoteHostUrls: []
username:
password:
# Index patterns; the `*:` prefix looks like a cross-cluster search pattern.
index: '*:so-*,*:endgame-*,*:logs-*'
cacheMs: 300000
# NOTE(review): TLS certificate verification for Elasticsearch is off by
# default; acceptable for a local self-signed deployment, but worth enabling
# when remoteHostUrls point to hosts off-box — confirm.
verifyCert: false
casesEnabled: true
extractCommonObservables:
- source.ip
- destination.ip
timeoutMs: 300000
timeShiftMs: 120000
defaultDurationMs: 1800000
esSearchOffsetMs: 1800000
maxLogLength: 1024
asyncThreshold: 10
lookupTunnelParent: true
influxdb:
hostUrl:
token:
org: Security Onion
bucket: telegraf/so_short_term
# Same TLS-verification caveat as for the elastic module above.
verifyCert: false
salt:
queueDir: /opt/sensoroni/queue
timeoutMs: 45000
longRelayTimeoutMs: 120000
sostatus:
refreshIntervalMs: 30000
offlineThresholdMs: 900000
statickeyauth:
# NOTE(review): both unset here. anonymousCidr presumably lets matching
# clients call the API without a key; keep it to loopback/internal ranges
# and confirm its semantics in the statickeyauth module.
anonymousCidr:
apiKey:
staticrbac:
roleFiles:
- rbac/permissions
- rbac/roles
- rbac/custom_roles
userFiles:
- rbac/users_roles
strelkaengine:
allowRegex: ''
autoUpdateEnabled: true
communityRulesImportFrequencySeconds: 86400
compileYaraPythonScriptPath: /opt/so/conf/strelka/compile_yara.py
denyRegex: ''
reposFolder: /opt/sensoroni/yara/repos
# YARA rules come from this repository; same supply-chain note as for Sigma.
rulesRepos:
- repo: https://github.com/Security-Onion-Solutions/securityonion-yara
license: DRL
yaraRulesFolder: /opt/sensoroni/yara/rules
suricataengine:
allowRegex: ''
autoUpdateEnabled: true
communityRulesImportFrequencySeconds: 86400
communityRulesFile: /nsm/rules/suricata/emerging-all.rules
denyRegex: ''
rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint
client:
# Browser-side client settings.
enableReverseLookup: false
docsUrl: /docs/
cheatsheetUrl: /docs/cheatsheet.pdf
releaseNotesUrl: /docs/release-notes.html
# Timeouts and cache lifetime, in milliseconds.
apiTimeoutMs: 300000
webSocketTimeoutMs: 15000
tipTimeoutMs: 6000
cacheExpirationMs: 300000
casesEnabled: true
detectionsEnabled: true
# Tool names hidden from the menu; flow style is fine for this short list.
inactiveTools: ['toolUnused']
# External tool links shown in the SOC menu. `target` values look like named
# browser windows (one per tool) — TODO confirm in the client.
tools:
- name: toolKibana
description: toolKibanaHelp
icon: fa-external-link-alt
target: so-kibana
link: /kibana/
- name: toolElasticFleet
description: toolElasticFleet
icon: fa-external-link-alt
target: so-elastic-fleet
link: /kibana/app/fleet/agents
- name: toolOsqueryManager
description: toolOsqueryManager
icon: fa-external-link-alt
target: so-osquery-manager
link: /kibana/app/osquery/live_queries
- name: toolInfluxDb
description: toolInfluxDbHelp
icon: fa-external-link-alt
target: so-influxdb
link: /influxdb
- name: toolCyberchef
description: toolCyberchefHelp
icon: fa-external-link-alt
target: so-cyberchef
link: /cyberchef/
- name: toolNavigator
description: toolNavigatorHelp
icon: fa-external-link-alt
target: so-navigator
link: /navigator/
hunt:
# Hunt view defaults.
advanced: true
aggregationActionsEnabled: true
# Paging and fetch limits for the group and event tables.
groupItemsPerPage: 10
groupFetchLimit: 10
eventItemsPerPage: 10
eventFetchLimit: 100
# Default relative time window; the unit is an enum-like code whose meaning
# is not visible in this file — TODO confirm in the client.
relativeTimeValue: 24
relativeTimeUnit: 30
mostRecentlyUsedLimit: 5
ackEnabled: false
escalateEnabled: true
escalateRelatedEventsEnabled: true
queryBaseFilter: ''
# Toggleable filters applied to hunt queries; by default they hide the SOC's
# own case and detection indices and events from the soc module.
queryToggleFilters:
- name: caseExcludeToggle
filter: 'NOT _index:"*:so-case*"'
enabled: true
- name: detectionsExcludeToggle
filter: 'NOT _index:"*:so-detection*"'
enabled: true
- name: socExcludeToggle
filter: 'NOT event.module:"soc"'
enabled: true
queries:
- name: Default Query
description: Show all events grouped by the observer host
query: '* | groupby observer.name'
showSubtitle: true
- name: Log Type
description: Show all events grouped by module and dataset
query: '* | groupby event.module* event.dataset'
showSubtitle: true
- name: SOC - Auth
description: Users authenticated to SOC grouped by IP address and identity
query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip identity_id'
showSubtitle: true
- name: SOC - App
description: Logs generated by the Security Onion Console (SOC) server and modules
query: 'event.module: "soc" | groupby event.module* event.dataset* log.level* | groupby agent.name | groupby event.action* | groupby "http.request.method" | groupby "url.path"'
showSubtitle: true
- name: Elastalerts
description: ''
query: '_type:elastalert | groupby rule.name'
showSubtitle: true
- name: Alerts
description: Show all alerts grouped by alert source
query: 'tags:alert | groupby event.module'
showSubtitle: true
- name: NIDS Alerts
description: Show all NIDS alerts grouped by alert
query: 'event.category: network AND tags: alert | groupby rule.category rule.gid rule.uuid rule.name'
showSubtitle: true
- name: Osquery - Live Query
description: Show all Osquery Live Query results
query: 'event.dataset: osquery_manager.result | groupby action_data.id action_data.query | groupby host.hostname'
showSubtitle: true
- name: Sysmon Events
description: Show all Sysmon logs grouped by event type
query: 'event.dataset: windows.sysmon_operational | groupby event.action'
showSubtitle: true
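# Sysmon events grouped by action and user name.
# Fix: the field list was written "event.action, user.name". Every other
# groupby in this file separates fields with whitespace, so the comma was most
# likely carried into the first field name and the grouping did not resolve.
- name: Sysmon Usernames
  description: Show all Sysmon logs grouped by username
  query: 'event.dataset: windows.sysmon_operational | groupby event.action user.name'
  showSubtitle: true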
- name: Strelka
description: Show all Strelka logs grouped by file type
query: 'event.module:strelka | groupby file.mime_type'
showSubtitle: true
- name: Zeek Notice
description: Show notices from Zeek
query: 'event.dataset:zeek.notice | groupby notice.note notice.message'
showSubtitle: true
- name: Connections
description: Connections grouped by IP and Port
query: 'tags:conn | groupby source.ip destination.ip network.protocol destination.port'
showSubtitle: true
- name: Connections
description: Connections grouped by Service
query: 'tags:conn | groupby network.protocol destination.port'
showSubtitle: true
- name: Connections
description: Connections grouped by destination country
query: 'tags:conn | groupby destination.geo.country_name'
showSubtitle: true
- name: Connections
description: Connections grouped by source country
query: 'tags:conn | groupby source.geo.country_name'
showSubtitle: true
- name: DCE_RPC
description: DCE_RPC grouped by operation
query: 'tags:dce_rpc | groupby dce_rpc.operation'
showSubtitle: true
- name: DHCP
description: DHCP leases
query: 'tags:dhcp | groupby host.hostname client.address'
showSubtitle: true
- name: DHCP
description: DHCP grouped by message type
query: 'tags:dhcp | groupby dhcp.message_types'
showSubtitle: true
- name: DNP3
description: DNP3 grouped by reply
query: 'tags:dnp3 | groupby dnp3.fc_reply'
showSubtitle: true
- name: DNS
description: DNS queries grouped by port
query: 'tags:dns | groupby dns.query.name destination.port'
showSubtitle: true
- name: DNS
description: DNS queries grouped by type
query: 'tags:dns | groupby dns.query.type_name destination.port'
showSubtitle: true
- name: DNS
description: DNS queries grouped by response code
query: 'tags:dns | groupby dns.response.code_name destination.port'
showSubtitle: true
- name: DNS
description: DNS highest registered domain
query: 'tags:dns | groupby dns.highest_registered_domain destination.port'
showSubtitle: true
- name: DNS
description: DNS grouped by parent domain
query: 'tags:dns | groupby dns.parent_domain destination.port'
showSubtitle: true
- name: DPD
description: Dynamic Protocol Detection errors
query: 'tags:dpd | groupby error.reason'
showSubtitle: true
- name: Files
description: Files grouped by mimetype
query: 'tags:file | groupby file.mime_type source.ip'
showSubtitle: true
- name: Files
description: Files grouped by source
query: 'tags:file | groupby file.source source.ip'
showSubtitle: true
- name: FTP
description: FTP grouped by command and argument
query: 'tags:ftp | groupby ftp.command ftp.argument'
showSubtitle: true
- name: FTP
description: FTP grouped by username and argument
query: 'tags:ftp | groupby ftp.user ftp.argument'
showSubtitle: true
- name: HTTP
description: HTTP grouped by destination port
query: 'tags:http | groupby destination.port'
showSubtitle: true
- name: HTTP
description: HTTP grouped by status code and message
query: 'tags:http | groupby http.status_code http.status_message'
showSubtitle: true
- name: HTTP
description: HTTP grouped by method and user agent
query: 'tags:http | groupby http.method http.useragent'
showSubtitle: true
- name: HTTP
description: HTTP grouped by virtual host
query: 'tags:http | groupby http.virtual_host'
showSubtitle: true
- name: HTTP
description: HTTP with exe downloads
query: 'tags:http AND file.resp_mime_types:*exec* | groupby http.virtual_host'
showSubtitle: true
- name: Intel
description: Intel framework hits grouped by indicator
query: 'tags:intel | groupby intel.indicator'
showSubtitle: true
- name: IRC
description: IRC grouped by command
query: 'tags:irc | groupby irc.command.type'
showSubtitle: true
- name: KERBEROS
description: KERBEROS grouped by service
query: 'tags:kerberos | groupby kerberos.service'
showSubtitle: true
- name: MODBUS
description: MODBUS grouped by function
query: 'tags:modbus | groupby modbus.function'
showSubtitle: true
- name: MYSQL
description: MYSQL grouped by command
query: 'tags:mysql | groupby mysql.command'
showSubtitle: true
# NOTE(review): this query is byte-for-byte the same as the "Zeek Notice" entry
# earlier in this list; one of the two is redundant in the hunt menu.
- name: NOTICE
  description: Zeek notice logs grouped by note and message
  query: 'event.dataset:zeek.notice | groupby notice.note notice.message'
  showSubtitle: true
- name: NTLM
description: NTLM grouped by computer name
query: 'tags:ntlm | groupby ntlm.server.dns.name'
showSubtitle: true
- name: PE
description: PE files list
query: 'tags:pe | groupby file.machine file.os file.subsystem'
showSubtitle: true
- name: RADIUS
description: RADIUS grouped by username
query: 'tags:radius | groupby user.name'
showSubtitle: true
- name: RDP
description: RDP grouped by client name
query: 'tags:rdp | groupby client.name'
showSubtitle: true
- name: RFB
description: RFB grouped by desktop name
query: 'tags:rfb | groupby rfb.desktop.name'
showSubtitle: true
- name: Signatures
description: Zeek signatures grouped by signature id
query: 'event.dataset:zeek.signatures | groupby signature_id'
showSubtitle: true
- name: SIP
description: SIP grouped by user agent
query: 'tags:sip | groupby client.user_agent'
showSubtitle: true
- name: SMB_Files
description: SMB files grouped by action
query: 'tags:smb_files | groupby file.action'
showSubtitle: true
- name: SMB_Mapping
description: SMB mapping grouped by path
query: 'tags:smb_mapping | groupby smb.path'
showSubtitle: true
- name: SMTP
description: SMTP grouped by subject
query: 'tags:smtp | groupby smtp.subject'
showSubtitle: true
# SNMP traffic grouped by community string and protocol version.
# NOTE(review): snmp.community is the SNMPv1/v2c authentication secret, sent in
# cleartext on the wire. Grouping on it is useful for spotting default or weak
# strings (e.g. "public"/"private"), but it also displays live credentials to
# everyone with hunt access — treat these results as sensitive.
- name: SNMP
  description: SNMP grouped by version and string
  query: 'tags:snmp | groupby snmp.community snmp.version'
  showSubtitle: true
- name: Software
description: List of software seen on the network
query: 'tags:software | groupby software.type software.name'
showSubtitle: true
- name: SSH
description: SSH grouped by version and client
query: 'tags:ssh | groupby ssh.version ssh.client'
showSubtitle: true
- name: SSL
description: SSL grouped by version and server name
query: 'tags:ssl | groupby ssl.version ssl.server_name'
showSubtitle: true
- name: SYSLOG
description: SYSLOG grouped by severity and facility
query: 'tags:syslog | groupby syslog.severity_label syslog.facility_label'
showSubtitle: true
- name: Tunnel
description: Tunnels grouped by type and action
query: 'tags:tunnel | groupby tunnel.type event.action'
showSubtitle: true
- name: Weird
description: Zeek weird log grouped by name
query: 'event.dataset:zeek.weird | groupby weird.name'
showSubtitle: true
- name: x509
description: x.509 grouped by key length and name
query: 'tags:x509 | groupby x509.certificate.key.length x509.san_dns'
showSubtitle: true
- name: x509
description: x.509 grouped by name and issuer
query: 'tags:x509 | groupby x509.san_dns x509.certificate.issuer'
showSubtitle: true
- name: x509
description: x.509 grouped by name and subject
query: 'tags:x509 | groupby x509.san_dns x509.certificate.subject'
showSubtitle: true
- name: Firewall
description: Firewall events grouped by action
query: 'observer.type:firewall | groupby event.action'
showSubtitle: true
dashboards:
# Dashboards view settings. Acknowledge is off here (it is on for the Alerts
# view below) and per-aggregation actions are not exposed; escalation, including
# related events, is still allowed.
advanced: true
groupItemsPerPage: 10
groupFetchLimit: 10
eventItemsPerPage: 10
eventFetchLimit: 100
# Default lookback window. The unit is an internal code (30 here and in alerts,
# 60 in cases) — confirm its meaning in the SOC UI before changing it.
relativeTimeValue: 24
relativeTimeUnit: 30
mostRecentlyUsedLimit: 0
ackEnabled: false
escalateEnabled: true
escalateRelatedEventsEnabled: true
aggregationActionsEnabled: false
# No implicit base filter on dashboards; the toggles below are the only
# default narrowing.
queryBaseFilter: ''
# Default-on toggles that keep SOC's own data out of dashboard results: the
# case and detection indices, and events the SOC application itself logs
# (event.module "soc"). Same three toggles as the section above.
queryToggleFilters:
  - name: caseExcludeToggle
    filter: 'NOT _index:"*:so-case*"'
    enabled: true
  - name: detectionsExcludeToggle
    filter: 'NOT _index:"*:so-detection*"'
    enabled: true
  - name: socExcludeToggle
    filter: 'NOT event.module:"soc"'
    enabled: true
queries:
- name: Overview
description: Overview of all events
query: '* | groupby event.category | groupby -sankey event.category event.module | groupby event.module | groupby -sankey event.module event.dataset | groupby event.dataset | groupby observer.name | groupby host.name | groupby source.ip | groupby destination.ip | groupby destination.port'
# SOC login dashboard built on the Kratos audit dataset.
# NOTE(review): http_request.headers.x-real-ip is set by the reverse proxy, not
# by Kratos itself, so the source-address panels are only as reliable as the
# proxy's handling of that header — confirm clients cannot inject it.
# NOTE(review): msg:*authenticated* also matches messages containing
# "unauthenticated"; check the Kratos msg values so failures are not shown as
# logins.
- name: SOC Auth
  description: SOC (Security Onion Console) authentication logs
  query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip identity_id | groupby identity_id | groupby http_request.headers.user-agent'
- name: Elastalerts
description: Elastalert logs
query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type'
- name: Alerts
description: Overview of all alerts
query: 'tags:alert | groupby event.module* | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby rule.name | groupby event.severity | groupby destination_geo.organization_name'
- name: NIDS Alerts
description: NIDS (Network Intrusion Detection System) alerts
query: 'event.category:network AND tags:alert | groupby rule.category | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby destination_geo.organization_name'
- name: Sysmon Overview
description: Overview of all Sysmon data types
query: 'event.dataset:windows.sysmon_operational | groupby event.action | groupby -sankey event.action host.name | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby event.category event.action | groupby dns.question.name | groupby process.executable | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Host Overview
description: Overview of all host data types
query: '((event.category:registry OR event.category:host OR event.category:process OR event.category:driver OR event.category:configuration) OR (event.category:file AND _exists_:process.executable) OR (event.category:network AND _exists_:host.name)) | groupby event.dataset* event.category* event.action* | groupby event.type | groupby -sankey event.type host.name | groupby host.name | groupby user.name | groupby file.name | groupby process.executable'
- name: Host Registry Changes
description: Windows Registry changes
query: 'event.category: registry | groupby event.action | groupby -sankey event.action host.name | groupby host.name | groupby event.dataset event.action | groupby process.executable | groupby registry.path | groupby process.executable registry.path'
- name: Host DNS & Process Mappings
description: DNS queries mapped to originating processes
query: 'event.category: network AND _exists_:process.executable AND (_exists_:dns.question.name OR _exists_:dns.answers.data) | groupby host.name | groupby -sankey host.name dns.question.name | groupby dns.question.name | groupby event.dataset event.type | groupby process.executable | groupby dns.answers.data'
- name: Host Process Activity
description: Process activity captured on an endpoint
query: 'event.category:process | groupby host.name | groupby -sankey host.name user.name* | groupby user.name | groupby event.dataset event.action | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable | table soc_timestamp host.name user.name process.parent.name process.name event.action process.working_directory event.dataset'
- name: Host File Activity
description: File activity captured on an endpoint
query: 'event.category: file AND _exists_:process.executable | groupby host.name | groupby -sankey host.name process.executable | groupby process.executable | groupby event.dataset event.action event.type | groupby file.name'
- name: Host Network & Process Mappings
description: Network activity mapped to originating processes
query: 'event.category: network AND _exists_:process.executable | groupby event.action | groupby -sankey event.action host.name | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby event.dataset* event.type* event.action* | groupby dns.question.name | groupby process.executable | groupby process.name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Host API Events
description: API (Application Programming Interface) events from endpoints
query: 'event.dataset:endpoint.events.api | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby -sankey user.name process.name | groupby process.name | groupby process.Ext.api.name'
- name: Host Library Events
description: Library events from endpoints
query: 'event.dataset:endpoint.events.library | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby -sankey user.name process.name | groupby process.name | groupby event.action | groupby dll.path | groupby dll.code_signature.status | groupby dll.code_signature.subject_name'
- name: Host Security Events
description: Security events from endpoints
query: 'event.dataset:endpoint.events.security | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby -sankey user.name process.executable | groupby process.executable | groupby event.action | groupby event.outcome'
- name: Strelka
description: Strelka file analysis
query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby -sankey file.source file.name | groupby file.name'
- name: Zeek Notice
description: Zeek notice logs
query: 'event.dataset:zeek.notice | groupby notice.note | groupby -sankey notice.note source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby notice.message | groupby notice.sub_message | groupby source_geo.organization_name | groupby destination_geo.organization_name'
- name: Connections and Metadata with community_id
description: Network connections that include community_id
query: '_exists_:network.community_id | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
- name: Connections seen by Zeek or Suricata
description: Network connections logged by Zeek or Suricata
query: 'tags:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui'
- name: DCE_RPC
description: DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata
query: 'tags:dce_rpc | groupby dce_rpc.endpoint | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.operation | groupby -sankey dce_rpc.operation dce_rpc.named_pipe | groupby dce_rpc.named_pipe | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: DHCP
description: DHCP (Dynamic Host Configuration Protocol) leases
query: 'tags:dhcp | groupby host.hostname | groupby -sankey host.hostname client.address | groupby client.address | groupby -sankey client.address server.address | groupby server.address | groupby dhcp.message_types | groupby host.domain'
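# DNS dashboard.
# Fix: dns.response.code_name was listed twice, producing a duplicate panel;
# the second occurrence is dropped. Panel order is otherwise unchanged.
- name: DNS
  description: DNS (Domain Name System) queries
  query: 'tags:dns | groupby dns.query.name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.response.code_name | groupby dns.answers.name | groupby dns.query.type_name | groupby destination_geo.organization_name'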
- name: DPD
description: DPD (Dynamic Protocol Detection) errors
query: 'tags:dpd | groupby error.reason | groupby -sankey error.reason source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby destination_geo.organization_name'
- name: Files
description: Files seen in network traffic
query: 'tags:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name'
- name: FTP
description: FTP (File Transfer Protocol) network metadata
query: 'tags:ftp | groupby ftp.command | groupby -sankey ftp.command source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby ftp.argument | groupby ftp.user'
- name: HTTP
description: HTTP (Hyper Text Transport Protocol) network metadata
query: 'tags:http | groupby http.method | groupby -sankey http.method http.virtual_host | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Intel
description: Zeek Intel framework hits
query: 'tags:intel | groupby intel.indicator | groupby -sankey intel.indicator source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby intel.indicator_type | groupby intel.seen_where'
- name: IRC
description: IRC (Internet Relay Chat) network metadata
query: 'tags:irc | groupby irc.command.type | groupby -sankey irc.command.type irc.username | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Kerberos
description: Kerberos network metadata
query: 'tags:kerberos | groupby kerberos.service | groupby -sankey kerberos.service source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby kerberos.client | groupby kerberos.request_type'
- name: MySQL
description: MySQL network metadata
query: 'tags:mysql | groupby mysql.command | groupby -sankey mysql.command source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows'
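# NTLM dashboard.
# Fix: the trailing "groupby source.ip | groupby destination.ip" repeated panels
# that already appear at the start of the query; the duplicates are dropped.
- name: NTLM
  description: NTLM (New Technology LAN Manager) network metadata
  query: 'tags:ntlm | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success'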
- name: PE
description: PE (Portable Executable) files transferred via network traffic
query: 'tags:pe | groupby file.machine | groupby -sankey file.machine file.os | groupby file.os | groupby -sankey file.os file.subsystem | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'
- name: RADIUS
description: RADIUS (Remote Authentication Dial-In User Service) network metadata
query: 'tags:radius | groupby user.name | groupby -sankey user.name source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: RDP
description: RDP (Remote Desktop Protocol) network metadata
query: 'tags:rdp | groupby client.name | groupby -sankey client.name source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: RFB
description: RFB (Remote Frame Buffer) network metadata
query: 'tags:rfb | groupby rfb.desktop.name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Signatures
description: Zeek signatures
query: 'event.dataset:zeek.signatures | groupby signature_id'
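# SIP dashboard.
# Fix: sip.method was grouped twice (once as the leading panel and again near
# the end); the second occurrence is dropped.
- name: SIP
  description: SIP (Session Initiation Protocol) network metadata
  query: 'tags:sip | groupby sip.method | groupby -sankey sip.method source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby client.user_agent | groupby sip.uri'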
- name: SMB_Files
description: Files transferred via SMB (Server Message Block)
query: 'tags:smb_files | groupby file.action | groupby -sankey file.action source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby file.path | groupby file.name'
- name: SMB_Mapping
description: SMB (Server Message Block) mapping network metadata
query: 'tags:smb_mapping | groupby smb.share_type | groupby -sankey smb.share_type smb.path | groupby smb.path | groupby -sankey smb.path smb.service | groupby smb.service | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port'
- name: SMTP
description: SMTP (Simple Mail Transfer Protocol) network metadata
query: 'tags:smtp | groupby smtp.mail_from | groupby -sankey smtp.mail_from smtp.recipient_to | groupby smtp.recipient_to | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby smtp.subject | groupby destination_geo.organization_name'
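# SNMP dashboard. Fix: description typo "metadat" -> "metadata".
# NOTE(review): snmp.community is the SNMPv1/v2c authentication secret, sent in
# cleartext; the leading panel therefore lists live credentials for anyone with
# dashboard access. Useful for finding default strings, but treat as sensitive.
- name: SNMP
  description: SNMP (Simple Network Management Protocol) network metadata
  query: 'tags:snmp | groupby snmp.community | groupby -sankey snmp.community source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby snmp.version'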
- name: Software
description: Software seen by Zeek via network traffic
query: 'tags:software | groupby software.type | groupby -sankey software.type source.ip | groupby source.ip | groupby software.name'
- name: SSH
description: SSH (Secure Shell) connections seen by Zeek
query: 'tags:ssh | groupby ssh.client | groupby -sankey ssh.client source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby ssh.server | groupby ssh.version | groupby ssh.hassh_version | groupby ssh.direction | groupby source_geo.organization_name | groupby destination_geo.organization_name'
- name: SSL
description: SSL/TLS network metadata
query: 'tags:ssl | groupby ssl.version | groupby ssl.validation_status | groupby -sankey ssl.validation_status ssl.server_name | groupby ssl.server_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject'
- name: STUN
description: STUN (Session Traversal Utilities for NAT) network metadata
query: 'tags:stun* | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name | groupby event.dataset'
- name: Syslog
description: Syslog logs
query: 'tags:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby event.dataset'
- name: TDS
description: TDS (Tabular Data Stream) network metadata
query: 'tags:tds* | groupby event.dataset | groupby -sankey event.dataset source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby tds.query'
- name: Tunnel
description: Tunnels seen by Zeek
query: 'tags:tunnel | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby tunnel.type | groupby event.action | groupby destination.geo.country_name'
- name: Weird
description: Weird network traffic seen by Zeek
query: 'event.dataset:zeek.weird | groupby weird.name | groupby -sankey weird.name source.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: WireGuard
description: WireGuard VPN network metadata
query: 'tags:wireguard | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name'
- name: x509
description: x.509 certificates seen by Zeek
query: 'tags:x509 | groupby x509.certificate.key.length | groupby -sankey x509.certificate.key.length x509.san_dns | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer'
- name: ICS Overview
description: Overview of ICS (Industrial Control Systems) network metadata
query: 'tags:ics | groupby event.dataset | groupby -sankey event.dataset source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac'
- name: ICS BACnet
description: BACnet (Building Automation and Control Networks) network metadata
query: 'tags:bacnet* | groupby event.dataset | groupby -sankey event.dataset source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port'
- name: ICS BSAP
description: BSAP (Bristol Standard Asynchronous Protocol) network metadata
query: 'tags:bsap* | groupby event.dataset | groupby -sankey event.dataset source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port'
- name: ICS CIP
description: CIP (Common Industrial Protocol) network metadata
query: 'tags:cip* | groupby event.dataset | groupby -sankey event.dataset source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port'
- name: ICS COTP
description: COTP (Connection Oriented Transport Protocol) network metadata
query: 'tags:cotp* | groupby cotp.pdu.name | groupby -sankey cotp.pdu.name source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby cotp.pdu.code'
- name: ICS DNP3
description: DNP3 (Distributed Network Protocol) network metadata
query: 'tags:dnp3* | groupby event.dataset | groupby -sankey event.dataset source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply'
- name: ICS ECAT
description: ECAT (Ethernet for Control Automation Technology) network metadata
query: 'tags:ecat* | groupby event.dataset | groupby -sankey event.dataset ecat.command | groupby ecat.command | groupby -sankey ecat.command source.mac | groupby source.mac | groupby -sankey source.mac destination.mac | groupby destination.mac | groupby ecat.register.type'
- name: ICS ENIP
description: ENIP (Ethernet Industrial Protocol) network metadata
query: 'tags:enip* | groupby enip.command | groupby -sankey enip.command source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby enip.status_code'
- name: ICS Modbus
description: Modbus network metadata
query: 'tags:modbus* | groupby event.dataset | groupby -sankey event.dataset modbus.function | groupby modbus.function | groupby -sankey modbus.function source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port'
- name: ICS OPC UA
description: OPC UA (Unified Architecture) network metadata
query: 'tags:opcua* | groupby event.dataset | groupby -sankey event.dataset source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port'
- name: ICS Profinet
description: Profinet (Process Field Network) network metadata
query: 'tags:profinet* | groupby event.dataset | groupby -sankey event.dataset source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port'
- name: ICS S7
description: S7 (Siemens) network metadata
query: 'tags:s7* | groupby event.dataset | groupby -sankey event.dataset source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port'
- name: Firewall
description: Firewall logs
query: 'observer.type:firewall | groupby event.action | groupby -sankey event.action observer.ingress.interface.name | groupby observer.ingress.interface.name | groupby network.type | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Firewall Auth
description: Firewall authentication logs
query: 'observer.type:firewall AND event.category:authentication | groupby user.name | groupby -sankey user.name source.ip | groupby source.ip | table soc_timestamp user.name source.ip message'
- name: VLAN
description: VLAN (Virtual Local Area Network) tagged logs
query: '* AND _exists_:network.vlan.id | groupby network.vlan.id | groupby -sankey network.vlan.id source.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby event.dataset | groupby event.module | groupby observer.name | groupby source.geo.country_name | groupby destination.geo.country_name'
- name: GeoIP - Destination Countries
description: GeoIP tagged logs visualized by destination countries
query: '* AND _exists_:destination.geo.country_name | groupby destination.geo.country_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby event.dataset | groupby event.module'
- name: GeoIP - Destination Organizations
description: GeoIP tagged logs visualized by destination organizations
query: '* AND _exists_:destination_geo.organization_name | groupby destination_geo.organization_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name | groupby event.dataset | groupby event.module'
- name: GeoIP - Source Countries
description: GeoIP tagged logs visualized by source countries
query: '* AND _exists_:source.geo.country_name | groupby source.geo.country_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby source_geo.organization_name | groupby event.dataset | groupby event.module'
- name: GeoIP - Source Organizations
description: GeoIP tagged logs visualized by source organizations
query: '* AND _exists_:source_geo.organization_name | groupby source_geo.organization_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby source.geo.country_name | groupby event.dataset | groupby event.module'
# NOTE(review): a bare value parses as null, not as an empty mapping. If the
# consumer of soc.config.job expects a map (or this default is merged with
# pillar overrides), `job: {}` is the safer spelling — confirm before changing.
job:
alerts:
# Alerts view settings. Unlike dashboards, acknowledge is enabled here, as are
# escalation and per-aggregation actions; page and fetch sizes are larger
# (50 per page, up to 500 fetched per request).
advanced: false
groupItemsPerPage: 50
groupFetchLimit: 500
eventItemsPerPage: 50
eventFetchLimit: 500
# Default lookback window; the unit is an internal code (same value as
# dashboards) — confirm its meaning in the SOC UI before changing it.
relativeTimeValue: 24
relativeTimeUnit: 30
mostRecentlyUsedLimit: 5
ackEnabled: true
escalateEnabled: true
escalateRelatedEventsEnabled: true
aggregationActionsEnabled: true
eventFields:
default:
- soc_timestamp
- rule.name
- event.severity_label
- source.ip
- source.port
- destination.ip
- destination.port
- rule.gid
- rule.uuid
- rule.category
- rule.rev
':playbook:':
- soc_timestamp
- rule.name
- event.severity_label
- event_data.event.module
- event_data.event.category
- event_data.process.executable
- event_data.process.pid
- event_data.winlog.computer_name
queryBaseFilter: tags:alert
queryToggleFilters:
- name: acknowledged
filter: event.acknowledged:true
enabled: false
exclusive: true
- name: escalated
filter: event.escalated:true
enabled: false
exclusive: true
enablesToggles:
- acknowledged
queries:
- name: 'Group By Name, Module'
query: '* | groupby rule.name event.module* event.severity_label'
- name: 'Group By Sensor, Source IP/Port, Destination IP/Port, Name'
query: '* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label'
- name: 'Group By Source IP, Name'
query: '* | groupby source.ip rule.name event.severity_label'
- name: 'Group By Source Port, Name'
query: '* | groupby source.port rule.name event.severity_label'
- name: 'Group By Destination IP, Name'
query: '* | groupby destination.ip rule.name event.severity_label'
- name: 'Group By Destination Port, Name'
query: '* | groupby destination.port rule.name event.severity_label'
- name: Ungroup
query: '*'
grid:
maxUploadSize: 26214400
staleMetricsMs: 120000
cases:
advanced: false
aggregationActionsEnabled: false
groupItemsPerPage: 50
groupFetchLimit: 100
eventItemsPerPage: 50
eventFetchLimit: 500
relativeTimeValue: 12
relativeTimeUnit: 60
mostRecentlyUsedLimit: 5
ackEnabled: false
escalateEnabled: false
escalateRelatedEventsEnabled: false
viewEnabled: true
createLink: /case/create
eventFields:
default:
- soc_timestamp
- so_case.title
- so_case.status
- so_case.severity
- so_case.assigneeId
- so_case.createTime
queryBaseFilter: '_index:"*:so-case" AND so_kind:case'
queryToggleFilters: []
queries:
- name: Open Cases
query: 'NOT so_case.status:closed AND NOT so_case.category:template'
- name: Closed Cases
query: 'so_case.status:closed AND NOT so_case.category:template'
- name: My Open Cases
query: 'NOT so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}'
- name: My Closed Cases
query: 'so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}'
- name: Templates
query: 'so_case.category:template'
case:
analyzerNodeId:
mostRecentlyUsedLimit: 5
renderAbbreviatedCount: 30
presets:
artifactType:
labels:
- autonomous-system
- domain
- eml
- file
- filename
- fqdn
- hash
- ip
- mail
- mail_subject
- other
- regexp
- registry
- uri_path
- url
- user-agent
customEnabled: true
category:
labels:
- general
- template
customEnabled: true
pap:
labels:
- white
- green
- amber
- red
customEnabled: false
severity:
labels:
- low
- medium
- high
- critical
customEnabled: false
status:
labels:
- new
- in progress
- closed
customEnabled: false
tags:
labels:
- false-positive
- confirmed
- pending
customEnabled: true
tlp:
labels:
- clear
- green
- amber
- amber+strict
- red
customEnabled: false
detections:
viewEnabled: true
createLink: /detection/create
eventFetchLimit: 500
eventItemsPerPage: 50
groupFetchLimit: 50
mostRecentlyUsedLimit: 5
safeStringMaxLength: 100
queryBaseFilter: '_index:"*:so-detection" AND so_kind:detection'
presets:
manualSync:
customEnabled: false
labels:
- Suricata
- Strelka
- ElastAlert
eventFields:
default:
- so_detection.title
- so_detection.isEnabled
- so_detection.severity
- so_detection.language
- so_detection.ruleset
queries:
- name: "All Detections"
query: "_id:*"
- name: "Custom Detections"
query: "so_detection.isCommunity:false"
- name: "All Detections - Enabled"
query: "so_detection.isEnabled:true"
- name: "All Detections - Disabled"
query: "so_detection.isEnabled:false"
- name: "Detection Type - Suricata (NIDS)"
query: "so_detection.language:suricata"
- name: "Detection Type - Sigma - All"
query: "so_detection.language:sigma"
- name: "Detection Type - Sigma - Windows"
query: 'so_detection.language:sigma AND so_detection.content: "*product: windows*"'
- name: "Detection Type - Yara (Strelka)"
query: "so_detection.language:yara"
detection:
presets:
severity:
customEnabled: false
labels:
- unknown
- informational
- low
- medium
- high
- critical
language:
customEnabled: false
labels:
- suricata
- sigma
- yara
severityTranslations:
minor: low
major: high