diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 5905434ed8..bab229aebb 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -92,6 +92,7 @@ soc:
 - http_request.headers.x-real-ip
 - identity_id
 - http_request.headers.user-agent
+ - event.dataset
 '::conn':
 - soc_timestamp
 - source.ip
@@ -102,6 +103,7 @@ soc:
 - network.protocol
 - log.id.uid
 - network.community_id
+ - event.dataset
 '::dce_rpc':
 - soc_timestamp
 - source.ip
@@ -112,6 +114,7 @@ soc:
 - dce_rpc.named_pipe
 - dce_rpc.operation
 - log.id.uid
+ - event.dataset
 '::dhcp':
 - soc_timestamp
 - client.address
@@ -120,6 +123,7 @@ soc:
 - host.hostname
 - dhcp.message_types
 - log.id.uid
+ - event.dataset
 '::dnp3':
 - soc_timestamp
 - source.ip
@@ -128,6 +132,7 @@ soc:
 - destination.port
 - dnp3.fc_reply
 - log.id.uid
+ - event.dataset
 '::dnp3_control':
 - soc_timestamp
 - source.ip
@@ -137,6 +142,7 @@ soc:
 - dnp3.function_code
 - dnp3.block_type
 - log.id.uid
+ - event.dataset
 '::dnp3_objects':
 - soc_timestamp
 - source.ip
@@ -146,6 +152,7 @@ soc:
 - dnp3.function_code
 - dnp3.object_type
 - log.id.uid
+ - event.dataset
 '::dns':
 - soc_timestamp
 - source.ip
@@ -158,6 +165,7 @@ soc:
 - dns.response.code_name
 - log.id.uid
 - network.community_id
+ - event.dataset
 '::dpd':
 - soc_timestamp
 - source.ip
@@ -168,6 +176,7 @@ soc:
 - observer.analyser
 - error.reason
 - log.id.uid
+ - event.dataset
 '::file':
 - soc_timestamp
 - source.ip
@@ -178,6 +187,7 @@ soc:
 - file.bytes.total
 - log.id.fuid
 - log.id.uid
+ - event.dataset
 '::ftp':
 - soc_timestamp
 - source.ip
@@ -190,6 +200,7 @@ soc:
 - ftp.reply_code
 - file.size
 - log.id.uid
+ - event.dataset
 '::http':
 - soc_timestamp
 - source.ip
@@ -204,6 +215,7 @@ soc:
 - http.response.body.length
 - log.id.uid
 - network.community_id
+ - event.dataset
 '::intel':
 - soc_timestamp
 - source.ip
@@ -214,6 +226,7 @@ soc:
 - intel.indicator_type
 - intel.seen_where
 - log.id.uid
+ - event.dataset
 '::irc':
 - soc_timestamp
 - source.ip
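Review bot: Every hunk in this diff shows only the tail of a field list, so an `event.dataset` entry that already sits earlier in a list is not visible here and the appended line would silently duplicate it; the `@@ -499,9 +538,9 @@` (`:osquery:`) and `@@ -577,44 +623,50 @@` (`::network_connection`) hunks prove such earlier entries existed, so the lists whose heads fall outside these hunks deserve the same check, e.g. parse the rendered file and assert that no list under `soc:` names `event.dataset` more than once. Those two hunks move the entry to the end rather than add it, which suggests list order is significant (presumably the column order the consumer displays — confirm against the code that reads this key); if so, a comment on the enclosing mapping, whose key is above the first hunk and not shown, such as `# field order is significant; keep event.dataset as the last entry of every list` would keep future additions consistent. Separately, the `::enip` list ending at `@@ -773,6 +842,7 @@` still carries `modbus.function`, which looks copied from the `::modbus` list; that predates this change, but is worth confirming while every list is being touched.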
@@ -226,6 +239,7 @@ soc:
 - irc.command.value
 - irc.command.info
 - log.id.uid
+ - event.dataset
 '::kerberos':
 - soc_timestamp
 - source.ip
@@ -236,6 +250,7 @@ soc:
 - kerberos.service
 - kerberos.request_type
 - log.id.uid
+ - event.dataset
 '::modbus':
 - soc_timestamp
 - source.ip
@@ -244,6 +259,7 @@ soc:
 - destination.port
 - modbus.function
 - log.id.uid
+ - event.dataset
 '::mysql':
 - soc_timestamp
 - source.ip
@@ -255,6 +271,7 @@ soc:
 - mysql.success
 - mysql.response
 - log.id.uid
+ - event.dataset
 '::notice':
 - soc_timestamp
 - source.ip
@@ -266,6 +283,7 @@ soc:
 - log.id.fuid
 - log.id.uid
 - network.community_id
+ - event.dataset
 '::ntlm':
 - soc_timestamp
 - source.ip
@@ -278,6 +296,7 @@ soc:
 - ntlm.server.nb.name
 - ntlm.server.tree.name
 - log.id.uid
+ - event.dataset
 '::pe':
 - soc_timestamp
 - file.is_64bit
@@ -286,6 +305,7 @@ soc:
 - file.os
 - file.subsystem
 - log.id.fuid
+ - event.dataset
 '::radius':
 - soc_timestamp
 - source.ip
@@ -297,6 +317,7 @@ soc:
 - radius.framed_address
 - radius.reply_message
 - radius.result
+ - event.dataset
 '::rdp':
 - soc_timestamp
 - source.ip
@@ -312,6 +333,7 @@ soc:
 - rdp.result
 - rdp.security_protocol
 - log.id.uid
+ - event.dataset
 '::rfb':
 - soc_timestamp
 - source.ip
@@ -323,6 +345,7 @@ soc:
 - rfb.share_flag
 - rfb.desktop.name
 - log.id.uid
+ - event.dataset
 '::signatures':
 - soc_timestamp
 - source.ip
@@ -336,6 +359,7 @@ soc:
 - signature_count
 - host.count
 - log.id.uid
+ - event.dataset
 '::sip':
 - soc_timestamp
 - source.ip
@@ -353,6 +377,7 @@ soc:
 - sip.user_agent
 - sip.status_code
 - log.id.uid
+ - event.dataset
 '::smb_files':
 - soc_timestamp
 - source.ip
@@ -366,6 +391,7 @@ soc:
 - file.size
 - file.prev_name
 - log.id.uid
+ - event.dataset
 '::smb_mapping':
 - soc_timestamp
 - source.ip
@@ -376,6 +402,7 @@ soc:
 - smb.service
 - smb.share_type
 - log.id.uid
+ - event.dataset
 '::smtp':
 - soc_timestamp
 - source.ip
@@ -388,6 +415,7 @@ soc:
 - smtp.useragent
 - log.id.uid
 - network.community_id
+ - event.dataset
 '::snmp':
 - soc_timestamp
 - source.ip
@@ -397,6 +425,7 @@ soc:
 - snmp.community
 - snmp.version
 - log.id.uid
+ - event.dataset
 '::socks':
 - soc_timestamp
 - source.ip
@@ -408,11 +437,13 @@ soc:
 - socks.request.port
 - socks.status
 - log.id.uid
+ - event.dataset
 '::software':
 - soc_timestamp
 - source.ip
 - software.name
 - software.type
+ - event.dataset
 '::ssh':
 - soc_timestamp
 - source.ip
@@ -425,6 +456,7 @@ soc:
 - ssh.client
 - ssh.server
 - log.id.uid
+ - event.dataset
 '::ssl':
 - soc_timestamp
 - source.ip
@@ -436,6 +468,7 @@ soc:
 - ssl.validation_status
 - ssl.version
 - log.id.uid
+ - event.dataset
 ':zeek:syslog':
 - soc_timestamp
 - source.ip
@@ -446,6 +479,7 @@ soc:
 - network.protocol
 - syslog.severity
 - log.id.uid
+ - event.dataset
 '::tunnels':
 - soc_timestamp
 - source.ip
@@ -455,6 +489,7 @@ soc:
 - tunnel_type
 - action
 - log.id.uid
+ - event.dataset
 '::weird':
 - soc_timestamp
 - source.ip
@@ -463,6 +498,7 @@ soc:
 - destination.port
 - weird.name
 - log.id.uid
+ - event.dataset
 '::x509':
 - soc_timestamp
 - x509.certificate.subject
@@ -470,6 +506,7 @@ soc:
 - x509.certificate.key.length
 - x509.certificate.issuer
 - log.id.fuid
+ - event.dataset
 '::firewall':
 - soc_timestamp
 - source.ip
@@ -481,6 +518,7 @@ soc:
 - observer.ingress.interface.name
 - event.action
 - network.community_id
+ - event.dataset
 ':pfsense:':
 - soc_timestamp
 - source.ip
@@ -492,6 +530,7 @@ soc:
 - observer.ingress.interface.name
 - event.action
 - network.community_id
+ - event.dataset
 ':osquery:':
 - soc_timestamp
 - source.ip
@@ -499,9 +538,9 @@ soc:
 - destination.ip
 - destination.port
 - source.hostname
- - event.dataset
 - process.executable
 - user.name
+ - event.dataset
 ':strelka:file':
 - soc_timestamp
 - file.name
@@ -510,6 +549,7 @@ soc:
 - file.source
 - file.mime_type
 - log.id.fuid
+ - event.dataset
 ':suricata:':
 - soc_timestamp
 - source.ip
@@ -521,9 +561,11 @@ soc:
 - event.severity_label
 - log.id.uid
 - network.community_id
+ - event.dataset
 ':windows_eventlog:':
 - soc_timestamp
 - user.name
+ - event.dataset
 ':elasticsearch:':
 - soc_timestamp
 - agent.name
@@ -545,6 +587,7 @@ soc:
 - real_message
 - syslog.priority
 - syslog.application
+ - event.dataset
 ':aws:':
 - soc_timestamp
 - aws.cloudtrail.event_category
@@ -556,6 +599,7 @@ soc:
 - user.name
 - source.ip
 - source.geo.region_iso_code
+ - event.dataset
 ':squid:':
 - soc_timestamp
 - url.original
@@ -563,6 +607,7 @@ soc:
 - destination.geo.country_iso_code
 - user.name
 - source.ip
+ - event.dataset
 '::sysmon_operational':
 - soc_timestamp
 - event.action
@@ -570,6 +615,7 @@ soc:
 - user.name
 - process.executable
 - process.pid
+ - event.dataset
 '::network_connection':
 - soc_timestamp
 - source.ip
@@ -577,44 +623,50 @@ soc:
 - destination.ip
 - destination.port
 - source.hostname
- - event.dataset
 - process.executable
 - user.name
+ - event.dataset
 '::process_terminated':
 - soc_timestamp
 - process.executable
 - process.pid
 - winlog.computer_name
+ - event.dataset
 '::file_create':
 - soc_timestamp
 - file.target
 - process.executable
 - process.pid
 - winlog.computer_name
+ - event.dataset
 '::registry_value_set':
 - soc_timestamp
 - winlog.event_data.TargetObject
 - process.executable
 - process.pid
 - winlog.computer_name
+ - event.dataset
 '::process_creation':
 - soc_timestamp
 - process.command_line
 - process.pid
 - process.parent.executable
 - process.working_directory
+ - event.dataset
 '::registry_create_delete':
 - soc_timestamp
 - winlog.event_data.TargetObject
 - process.executable
 - process.pid
 - winlog.computer_name
+ - event.dataset
 '::dns_query':
 - soc_timestamp
 - dns.query.name
 - dns.answers.name
 - process.executable
 - winlog.computer_name
+ - event.dataset
 '::file_create_stream_hash':
 - soc_timestamp
 - file.target
@@ -623,6 +675,7 @@ soc:
 - process.executable
 - process.pid
 - winlog.computer_name
+ - event.dataset
 '::bacnet':
 - soc_timestamp
 - source.ip
@@ -632,6 +685,7 @@ soc:
 - bacnet.bclv.function
 - bacnet.result.code
 - log.id.uid
+ - event.dataset
 '::bacnet_discovery':
 - soc_timestamp
 - source.ip
@@ -641,6 +695,7 @@ soc:
 - bacnet.vendor
 - bacnet.pdu.service
 - log.id.uid
+ - event.dataset
 '::bacnet_property':
 - soc_timestamp
 - source.ip
@@ -650,6 +705,7 @@ soc:
 - bacnet.property
 - bacnet.pdu.service
 - log.id.uid
+ - event.dataset
 '::bsap_ip_header':
 - soc_timestamp
 - source.ip
@@ -659,12 +715,14 @@ soc:
 - bsap.message.type
 - bsap.number.messages
 - log.id.uid
+ - event.dataset
 '::bsap_ip_rdb':
 - soc_timestamp
 - bsap.application.function
 - bsap.application.sub.function
 - bsap.vector.variables
 - log.id.uid
+ - event.dataset
 '::bsap_serial_header':
 - soc_timestamp
 - source.ip
@@ -675,11 +733,13 @@ soc:
 - bsap.destination.function
 - bsap.message.type
 - log.id.uid
+ - event.dataset
 '::bsap_serial_rdb':
 - soc_timestamp
 - bsap.rdb.function
 - bsap.vector.variables
 - log.id.uid
+ - event.dataset
 '::cip':
 - soc_timestamp
 - source.ip
@@ -699,6 +759,7 @@ soc:
 - cip.device.type.name
 - cip.vendor.name
 - log.id.uid
+ - event.dataset
 '::cip_io':
 - soc_timestamp
 - source.ip
@@ -708,6 +769,7 @@ soc:
 - cip.connection.id
 - cip.io.data
 - log.id.uid
+ - event.dataset
 '::cotp':
 - soc_timestamp
 - source.ip
@@ -716,6 +778,7 @@ soc:
 - destination.port
 - cotp.pdu.name
 - log.id.uid
+ - event.dataset
 '::ecat_arp_info':
 - soc_timestamp
 - source.ip
@@ -723,6 +786,7 @@ soc:
 - source.mac
 - destination.mac
 - ecat.arp.type
+ - event.dataset
 '::ecat_aoe_info':
 - soc_timestamp
 - source.mac
@@ -730,6 +794,7 @@ soc:
 - destination.mac
 - destination.port
 - ecat.command
+ - event.dataset
 '::ecat_coe_info':
 - soc_timestamp
 - ecat.message.number
@@ -737,6 +802,7 @@ soc:
 - ecat.request.response.type
 - ecat.index
 - ecat.sub.index
+ - event.dataset
 '::ecat_dev_info':
 - soc_timestamp
 - ecat.device.type
@@ -744,17 +810,20 @@ soc:
 - ecat.ram.size
 - ecat.revision
 - ecat.slave.address
+ - event.dataset
 '::ecat_log_address':
 - soc_timestamp
 - source.mac
 - destination.mac
 - ecat.command
+ - event.dataset
 '::ecat_registers':
 - soc_timestamp
 - source.mac
 - destination.mac
 - ecat.command
 - ecat.register.type
+ - event.dataset
 '::enip':
 - soc_timestamp
 - source.ip
@@ -773,6 +842,7 @@ soc:
 - destination.port
 - modbus.function
 - log.id.uid
+ - event.dataset
 '::opcua_binary':
 - soc_timestamp
 - source.ip
@@ -782,6 +852,7 @@ soc:
 - opcua.identifier_string
 - opcua.message_type
 - log.id.uid
+ - event.dataset
 '::opcua_binary_activate_session':
 - soc_timestamp
 - source.ip
@@ -792,6 +863,7 @@ soc:
 - opcua.identifier_string
 - opcua.user_name
 - log.id.uid
+ - event.dataset
 '::opcua_binary_activate_session_diagnostic_info':
 - soc_timestamp
 - source.ip
@@ -801,6 +873,7 @@ soc:
 - opcua.activate_session_diag_info_link_id
 - opcua.diag_info_link_id
 - log.id.uid
+ - event.dataset
 '::opcua_binary_activate_session_locale_id':
 - soc_timestamp
 - source.ip
@@ -810,6 +883,7 @@ soc:
 - opcua.local_id
 - opcua.locale_link_id
 - log.id.uid
+ - event.dataset
 '::opcua_binary_browse':
 - soc_timestamp
 - source.ip
@@ -819,6 +893,7 @@ soc:
 - opcua.link_id
 - opcua.service_type
 - log.id.uid
+ - event.dataset
 '::opcua_binary_browse_description':
 - soc_timestamp
 - source.ip
@@ -826,6 +901,7 @@ soc:
 - destination.ip
 - destination.port
 - log.id.uid
+ - event.dataset
 '::opcua_binary_browse_response_references':
 - soc_timestamp
 - source.ip
@@ -835,6 +911,7 @@ soc:
 - opcua.node_class
 - opcua.display_name_text
 - log.id.uid
+ - event.dataset
 '::opcua_binary_browse_result':
 - soc_timestamp
 - source.ip
@@ -843,6 +920,7 @@ soc:
 - destination.port
 - opcua.response_link_id
 - log.id.uid
+ - event.dataset
 '::opcua_binary_create_session':
 - soc_timestamp
 - source.ip
@@ -851,6 +929,7 @@ soc:
 - destination.port
 - opcua.link_id
 - log.id.uid
+ - event.dataset
 '::opcua_binary_create_session_endpoints':
 - soc_timestamp
 - source.ip
@@ -860,6 +939,7 @@ soc:
 - opcua.endpoint_link_id
 - opcua.endpoint_url
 - log.id.uid
+ - event.dataset
 '::opcua_binary_create_session_user_token':
 - soc_timestamp
 - source.ip
@@ -868,6 +948,7 @@ soc:
 - destination.port
 - opcua.user_token_link_id
 - log.id.uid
+ - event.dataset
 '::opcua_binary_create_subscription':
 - soc_timestamp
 - source.ip
@@ -876,6 +957,7 @@ soc:
 - destination.port
 - opcua.link_id
 - log.id.uid
+ - event.dataset
 '::opcua_binary_get_endpoints':
 - soc_timestamp
 - source.ip
@@ -885,6 +967,7 @@ soc:
 - opcua.endpoint_url
 - opcua.link_id
 - log.id.uid
+ - event.dataset
 '::opcua_binary_get_endpoints_description':
 - soc_timestamp
 - source.ip
@@ -894,6 +977,7 @@ soc:
 - opcua.endpoint_description_link_id
 - opcua.endpoint_uri
 - log.id.uid
+ - event.dataset
 '::opcua_binary_get_endpoints_user_token':
 - soc_timestamp
 - source.ip
@@ -903,6 +987,7 @@ soc:
 - opcua.user_token_link_id
 - opcua.user_token_type
 - log.id.uid
+ - event.dataset
 '::opcua_binary_read':
 - soc_timestamp
 - source.ip
@@ -912,6 +997,7 @@ soc:
 - opcua.link_id
 - opcua.read_results_link_id
 - log.id.uid
+ - event.dataset
 '::opcua_binary_status_code_detail':
 - soc_timestamp
 - source.ip
@@ -921,6 +1007,7 @@ soc:
 - opcua.info_type_string
 - opcua.source_string
 - log.id.uid
+ - event.dataset
 '::profinet':
 - soc_timestamp
 - source.ip
@@ -930,6 +1017,7 @@ soc:
 - profinet.index
 - profinet.operation_type
 - log.id.uid
+ - event.dataset
 '::profinet_dce_rpc':
 - soc_timestamp
 - source.ip
@@ -938,6 +1026,7 @@ soc:
 - destination.port
 - profinet.operation
 - log.id.uid
+ - event.dataset
 '::s7comm':
 - soc_timestamp
 - source.ip
@@ -947,6 +1036,7 @@ soc:
 - s7.ros.control.name
 - s7.function.name
 - log.id.uid
+ - event.dataset
 '::s7comm_plus':
 - soc_timestamp
 - source.ip
@@ -956,6 +1046,7 @@ soc:
 - s7.opcode.name
 - s7.version
 - log.id.uid
+ - event.dataset
 '::s7comm_read_szl':
 - soc_timestamp
 - source.ip
@@ -965,6 +1056,7 @@ soc:
 - s7.szl_id_name
 - s7.return_code_name
 - log.id.uid
+ - event.dataset
 '::s7comm_upload_download':
 - soc_timestamp
 - source.ip
@@ -974,6 +1066,7 @@ soc:
 - s7.ros.control.name
 - s7.function_code
 - log.id.uid
+ - event.dataset
 '::tds':
 - soc_timestamp
 - source.ip