  2. {
  3. "logFilename": "/opt/sensoroni/logs/sensoroni-server.log",
  4. "server": {
  5. "bindAddress": "0.0.0.0:9822",
  6. "baseUrl": "/",
  7. "maxPacketCount": 5000,
  8. "htmlDir": "html","airgapEnabled": true,
  9. "modules": {
  10. "filedatastore": {
  11. "jobDir": "jobs"
  12. },
  13. "kratos": {
  14. "hostUrl": "http://x.x.x.x:4434/"
  15. },
  16. "elastic": {
  17. "hostUrl": "http://x.x.x.x:9200",
  18. "username": "",
  19. "password": "",
  20. "verifyCert": false
  21. },
  22.  
  23. "thehive": {
  24. "hostUrl": "http://x.x.x.x:9000/thehive",
  25. "key": "bDDGLOhiNHgpaFje0Y6l",
  26. "verifyCert": false
  27. },
  28.  
  29. "statickeyauth": {
  30. "anonymousCidr": "172.17.0.0/24",
  31. "apiKey": "FVIS2s86wPYp4AVEBu9W"
  32. }
  33. },
  34. "client": {"docsUrl": "/docs/",
  35. "hunt": {
  36. "advanced": true,
  37. "groupItemsPerPage": 10,
  38. "groupFetchLimit": 10,
  39. "eventItemsPerPage": 10,
  40. "eventFetchLimit": 100,
  41. "relativeTimeValue": 24,
  42. "relativeTimeUnit": 30,
  43. "mostRecentlyUsedLimit": 5,
  44. "dismissEnabled": false,
  45. "escalateEnabled": true,
  46. "eventFields": {"::conn": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "network.protocol", "log.id.uid", "network.community_id"], "::dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dce_rpc.endpoint", "dce_rpc.named_pipe", "dce_rpc.operation", "log.id.uid"], "::dhcp": ["soc_timestamp", "client.address", "server.address", "host.domain", "host.hostname", "dhcp.message_types", "log.id.uid"], "::dnp3": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.fc_reply", "log.id.uid"], "::dns": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "dns.query.name", "dns.query.type_name", "dns.response.code_name", "log.id.uid", "network.community_id"], "::dpd": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.protocol", "observer.analyser", "error.reason", "log.id.uid"], "::file": ["soc_timestamp", "source.ip", "destination.ip", "file.name", "file.mime_type", "file.source", "file.bytes.total", "log.id.fuid", "log.id.uid"], "::firewall": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "network.direction", "interface.name", "rule.action", "rule.reason", "network.community_id"], "::ftp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ftp.user", "ftp.command", "ftp.argument", "ftp.reply_code", "file.size", "log.id.uid"], "::http": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "http.method", "http.virtual_host", "http.status_code", "http.status_message", "http.request.body.length", "http.response.body.length", "log.id.uid", "network.community_id"], "::intel": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "intel.indicator", "intel.indicator_type", "intel.seen_where", 
"log.id.uid"], "::irc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "irc.username", "irc.nickname", "irc.command.type", "irc.command.value", "irc.command.info", "log.id.uid"], "::kerberos": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "kerberos.client", "kerberos.service", "kerberos.request_type", "log.id.uid"], "::modbus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid"], "::mysql": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "mysql.command", "mysql.argument", "mysql.success", "mysql.response", "log.id.uid"], "::notice": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "notice.note", "notice.message", "log.id.fuid", "log.id.uid", "network.community_id"], "::ntlm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ntlm.name", "ntlm.success", "ntlm.server.dns.name", "ntlm.server.nb.name", "ntlm.server.tree.name", "log.id.uid"], "::pe": ["soc_timestamp", "file.is_64bit", "file.is_exe", "file.machine", "file.os", "file.subsystem", "log.id.fuid"], "::radius": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "username", "radius.framed_address", "radius.reply_message", "radius.result"], "::rdp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rdp.client_build", "client_name", "rdp.cookie", "rdp.encryption_level", "rdp.encryption_method", "rdp.keyboard_layout", "rdp.result", "rdp.security_protocol", "log.id.uid"], "::rfb": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rfb.authentication.method", "rfb.authentication.success", "rfb.share_flag", "rfb.desktop.name", "log.id.uid"], "::signatures": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "note", 
"signature_id", "event_message", "sub_message", "signature_count", "host.count", "log.id.uid"], "::sip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "sip.method", "sip.uri", "sip.request.from", "sip.request.to", "sip.response.from", "sip.response.to", "sip.call_id", "sip.subject", "sip.user_agent", "sip.status_code", "log.id.uid"], "::smb_files": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.fuid", "file.action", "file.path", "file.name", "file.size", "file.prev_name", "log.id.uid"], "::smb_mapping": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "smb.path", "smb.service", "smb.share_type", "log.id.uid"], "::smtp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "smtp.from", "smtp.recipient_to", "smtp.subject", "smtp.useragent", "log.id.uid", "network.community_id"], "::snmp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "snmp.community", "snmp.version", "log.id.uid"], "::socks": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "socks.name", "socks.request.host", "socks.request.port", "socks.status", "log.id.uid"], "::software": ["soc_timestamp", "source.ip", "software.name", "software.type"], "::ssh": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssh.version", "ssh.hassh_version", "ssh.direction", "ssh.client", "ssh.server", "log.id.uid"], "::ssl": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssl.server_name", "ssl.certificate.subject", "ssl.validation_status", "ssl.version", "log.id.uid"], "::syslog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "syslog.facility", "network.protocol", "syslog.severity", "log.id.uid"], "::tunnels": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", 
"tunnel_type", "action", "log.id.uid"], "::weird": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "weird.name", "log.id.uid"], "::x509": ["soc_timestamp", "x509.certificate.subject", "x509.certificate.key.type", "x509.certificate.key.length", "x509.certificate.issuer", "log.id.fuid"], ":osquery:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name"], ":ossec:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location"], ":strelka:file": ["soc_timestamp", "scan.exiftool.OriginalFileName", "file.size", "hash.md5", "scan.exiftool.CompanyName", "scan.exiftool.Description", "scan.exiftool.Directory", "scan.exiftool.FileType", "scan.exiftool.FileOS", "log.id.fuid"], ":suricata:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.category", "event.severity_label", "log.id.uid", "network.community_id"], ":sysmon:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name"], ":windows_eventlog:": ["soc_timestamp", "user.name"], "default": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "network.community_id", "event.dataset"]},
  47. "queryBaseFilter": "",
  48. "queryToggleFilters": [],
  49. "queries": [{"description": "Show all events grouped by the origin host", "name": "Default Query", "query": "* | groupby observer.name"}, {"description": "Show all events grouped by module and dataset", "name": "Log Type", "query": "* | groupby event.module event.dataset"}, {"description": "", "name": "Elastalerts", "query": "_type:elastalert | groupby rule.name"}, {"description": "Show all alerts grouped by alert source", "name": "Alerts", "query": "event.dataset: alert | groupby event.module"}, {"description": "Show all NIDS alerts grouped by alert", "name": "NIDS Alerts", "query": "event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name"}, {"description": "Show all Wazuh alerts grouped by category", "name": "Wazuh/OSSEC Alerts", "query": "event.module:ossec AND event.dataset:alert | groupby rule.category rule.name"}, {"description": "Show all Wazuh alerts grouped by command line", "name": "Wazuh/OSSEC Commands", "query": "event.module:ossec AND event.dataset:alert | groupby process.command_line"}, {"description": "Show all Wazuh alerts grouped by process name", "name": "Wazuh/OSSEC Processes", "query": "event.module:ossec AND event.dataset:alert | groupby process.name.keyword"}, {"description": "Show all Wazuh alerts grouped by username", "name": "Wazuh/OSSEC Users", "query": "event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword"}, {"description": "Show all Sysmon logs grouped by event type", "name": "Sysmon Events", "query": "event.module:sysmon | groupby event.dataset"}, {"description": "Show all Sysmon logs grouped by username", "name": "Sysmon Usernames", "query": "event.module:sysmon | groupby event.dataset, user.name.keyword"}, {"description": "Show all Strelka logs grouped by file type", "name": "Strelka", "query": "event.module:strelka | groupby scan.exiftool.FileType"}, {"description": "Show notices from Zeek", "name": "Zeek Notice", "query": "event.dataset:notice | groupby 
notice.note notice.message"}, {"description": "Connections grouped by IP and Port", "name": "Connections", "query": "event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port"}, {"description": "Connections grouped by Service", "name": "Connections", "query": "event.dataset:conn | groupby network.protocol destination.port"}, {"description": "Connections grouped by destination country", "name": "Connections", "query": "event.dataset:conn | groupby destination.geo.country_name"}, {"description": "Connections grouped by source country", "name": "Connections", "query": "event.dataset:conn | groupby source.geo.country_name"}, {"description": "DCE_RPC grouped by operation", "name": "DCE_RPC", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation"}, {"description": "DHCP leases", "name": "DHCP", "query": "event.dataset:dhcp | groupby host.hostname host.domain"}, {"description": "DHCP grouped by message type", "name": "DHCP", "query": "event.dataset:dhcp | groupby dhcp.message_types"}, {"description": "DNP3 grouped by reply", "name": "DNP3", "query": "event.dataset:dnp3 | groupby dnp3.fc_reply"}, {"description": "DNS queries grouped by port", "name": "DNS", "query": "event.dataset:dns | groupby dns.query.name destination.port"}, {"description": "DNS queries grouped by type", "name": "DNS", "query": "event.dataset:dns | groupby dns.query.type_name destination.port"}, {"description": "DNS queries grouped by response code", "name": "DNS", "query": "event.dataset:dns | groupby dns.response.code_name destination.port"}, {"description": "DNS highest registered domain", "name": "DNS", "query": "event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port"}, {"description": "DNS grouped by parent domain", "name": "DNS", "query": "event.dataset:dns | groupby dns.parent_domain.keyword destination.port"}, {"description": "Dynamic Protocol Detection errors", "name": "DPD", "query": "event.dataset:dpd | groupby error.reason"}, 
{"description": "Files grouped by mimetype", "name": "Files", "query": "event.dataset:file | groupby file.mime_type source.ip"}, {"description": "Files grouped by source", "name": "Files", "query": "event.dataset:file | groupby file.source source.ip"}, {"description": "FTP grouped by command and argument", "name": "FTP", "query": "event.dataset:ftp | groupby ftp.command ftp.argument"}, {"description": "FTP grouped by username and argument", "name": "FTP", "query": "event.dataset:ftp | groupby ftp.user ftp.argument"}, {"description": "HTTP grouped by destination port", "name": "HTTP", "query": "event.dataset:http | groupby destination.port"}, {"description": "HTTP grouped by status code and message", "name": "HTTP", "query": "event.dataset:http | groupby http.status_code http.status_message"}, {"description": "HTTP grouped by method and user agent", "name": "HTTP", "query": "event.dataset:http | groupby http.method http.useragent"}, {"description": "HTTP grouped by virtual host", "name": "HTTP", "query": "event.dataset:http | groupby http.virtual_host"}, {"description": "HTTP with exe downloads", "name": "HTTP", "query": "event.dataset:http AND file.resp_mime_types:dosexec | groupby http.virtual_host"}, {"description": "Intel framework hits grouped by indicator", "name": "Intel", "query": "event.dataset:intel | groupby intel.indicator.keyword"}, {"description": "IRC grouped by command", "name": "IRC", "query": "event.dataset:irc | groupby irc.command.type"}, {"description": "KERBEROS grouped by service", "name": "KERBEROS", "query": "event.dataset:kerberos | groupby kerberos.service"}, {"description": "MODBUS grouped by function", "name": "MODBUS", "query": "event.dataset:modbus | groupby modbus.function"}, {"description": "MYSQL grouped by command", "name": "MYSQL", "query": "event.dataset:mysql | groupby mysql.command"}, {"description": "Zeek notice logs grouped by note and message", "name": "NOTICE", "query": "event.dataset:notice | groupby notice.note 
notice.message"}, {"description": "NTLM grouped by computer name", "name": "NTLM", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name"}, {"description": "PE files list", "name": "PE", "query": "event.dataset:pe | groupby file.machine file.os file.subsystem"}, {"description": "RADIUS grouped by username", "name": "RADIUS", "query": "event.dataset:radius | groupby user.name.keyword"}, {"description": "RDP grouped by client name", "name": "RDP", "query": "event.dataset:rdp | groupby client.name"}, {"description": "RFB grouped by desktop name", "name": "RFB", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword"}, {"description": "Zeek signatures grouped by signature id", "name": "Signatures", "query": "event.dataset:signatures | groupby signature_id"}, {"description": "SIP grouped by user agent", "name": "SIP", "query": "event.dataset:sip | groupby client.user_agent"}, {"description": "SMB files grouped by action", "name": "SMB_Files", "query": "event.dataset:smb_files | groupby file.action"}, {"description": "SMB mapping grouped by path", "name": "SMB_Mapping", "query": "event.dataset:smb_mapping | groupby smb.path"}, {"description": "SMTP grouped by subject", "name": "SMTP", "query": "event.dataset:smtp | groupby smtp.subject"}, {"description": "SNMP grouped by version and string", "name": "SNMP", "query": "event.dataset:snmp | groupby snmp.community snmp.version"}, {"description": "List of software seen on the network", "name": "Software", "query": "event.dataset:software | groupby software.type software.name"}, {"description": "SSH grouped by version", "name": "SSH", "query": "event.dataset:ssh | groupby ssh.version"}, {"description": "SSL grouped by version and server name", "name": "SSL", "query": "event.dataset:ssl | groupby ssl.version ssl.server_name"}, {"description": "SYSLOG grouped by severity and facility ", "name": "SYSLOG", "query": "event.dataset:syslog | groupby syslog.severity syslog.facility"}, {"description": "Tunnels grouped by 
action", "name": "Tunnel", "query": "event.dataset:tunnel | groupby event.action"}, {"description": "Zeek weird log grouped by name", "name": "Weird", "query": "event.dataset:weird | groupby weird.name"}, {"description": "x.509 grouped by key length and name", "name": "x509", "query": "event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns"}, {"description": "x.509 grouped by name and issuer", "name": "x509", "query": "event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer"}, {"description": "x.509 grouped by name and subject", "name": "x509", "query": "event.dataset:x509 | groupby x509.san_dns x509.certificate.subject"}, {"description": "Firewall events grouped by action", "name": "Firewall", "query": "event.dataset:firewall | groupby rule.action"}],
  50. "actions": [{"description": "actionHuntHelp", "icon": "fa-search", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "name": "", "target": ""}, {"description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "name": "", "target": ""}, {"description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "name": "", "target": "_blank"}, {"description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}", "name": "actionVirusTotal", "target": "_blank"}]
  51. },
  52. "alerts": {
  53. "advanced": false,
  54. "groupItemsPerPage": 50,
  55. "groupFetchLimit": 500,
  56. "eventItemsPerPage": 50,
  57. "eventFetchLimit": 500,
  58. "relativeTimeValue": 24,
  59. "relativeTimeUnit": 30,
  60. "mostRecentlyUsedLimit": 5,
  61. "dismissEnabled": true,
  62. "escalateEnabled": true,
  63. "eventFields": {":ossec:": ["soc_timestamp", "rule.name", "event.severity_label", "source.ip", "source.port", "destination.ip", "destination.port", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location", "process.name"], "default": ["soc_timestamp", "rule.name", "event.severity_label", "source.ip", "source.port", "destination.ip", "destination.port", "rule.gid", "rule.uuid", "rule.category", "rule.rev"]},
  64. "queryBaseFilter": "event.dataset:alert",
  65. "queryToggleFilters": [
  66. { "name": "acknowledged", "filter": "event.acknowledged:true", "enabled": false, "exclusive": true },
  67. { "name": "escalated", "filter": "event.escalated:true", "enabled": false, "exclusive": true, "enablesToggles":["acknowledged"] }
  68. ],
  69. "queries": [{"name": "Group By Name, Module", "query": "* | groupby rule.name event.module event.severity_label"}, {"name": "Group By Sensor, Source IP/Port, Destination IP/Port, Name", "query": "* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label"}, {"name": "Group By Source IP, Name", "query": "* | groupby source.ip rule.name event.severity_label"}, {"name": "Group By Source Port, Name", "query": "* | groupby source.port rule.name event.severity_label"}, {"name": "Group By Destination IP, Name", "query": "* | groupby destination.ip rule.name event.severity_label"}, {"name": "Group By Destination Port, Name", "query": "* | groupby destination.port rule.name event.severity_label"}, {"name": "Ungroup", "query": "*"}],
  70. "actions": [{"description": "actionHuntHelp", "icon": "fa-search", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "name": "", "target": ""}, {"description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "name": "", "target": ""}, {"description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "name": "", "target": "_blank"}, {"description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}", "name": "actionVirusTotal", "target": "_blank"}]
  71. }
  72. }
  73. }
  74. }