7c1687efce
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).
Preserved fork additions:
backend/routers/quality.py KV scanner, pattern refs, JS keys, JSON mode,
/parsers + /sync-from-sdl endpoints
parsers/ 96 OCSF + tenant parsers
tools/stormshield-verify/ end-to-end ingest regression test
.gitignore un-ignored parsers/*
CHANGES.md, PATCHES.md
{
"duration": "24h",
"description": "MITRE ATT&CK technique coverage from OCSF detections",
"graphs": [
{
"title": "MITRE ATT&CK Coverage",
"graphStyle": "markdown",
"markdown": "## MITRE ATT&CK Technique Counters\\n\\nEach panel shows the count of events matching a specific MITRE technique pattern.\\n\\n| Technique | Description | Detection Pattern |\\n|---|---|---|\\n| T1110 | Brute Force | Failed password attempts |\\n| T1046 | Network Scanning | Firewall denies to multiple ports |\\n| T1059 | Command Execution | bash -c, powershell -enc |\\n| T1078 | Valid Accounts | root/admin/SYSTEM usage |\\n| T1098 | Account Manipulation | useradd, GRANT |\\n| T1548 | Privilege Escalation | sudo, NOT in sudoers |",
"layout": {
"w": 60,
"h": 12,
"x": 0,
"y": 0
}
},
{
"title": "T1110 - Brute Force",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' (message contains 'Failed password' or message contains 'authentication failure') | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 0,
"y": 12
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1046 - Network Scanning",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' action = 'deny' | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 15,
"y": 12
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1059 - Command Execution",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' (message contains 'bash -c' or message contains 'python -c' or message contains 'powershell -enc' or message contains 'cmd.exe /c') | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 30,
"y": 12
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1078 - Valid Accounts",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' (user_name = 'root' or user_name = 'Administrator' or user_name = 'admin' or user_name = 'SYSTEM') | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 45,
"y": 12
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1098 - Account Manipulation",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' (message contains 'useradd' or message contains 'usermod' or message contains 'GRANT' or message contains 'Add member') | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 0,
"y": 19
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1548 - Privilege Escalation",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' (message contains 'sudo' or message contains 'NOT in sudoers') | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 15,
"y": 19
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1021 - Remote Services",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' (dstport = 22 or dstport = 3389 or dstport = 5985) action = 'allow' | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 30,
"y": 19
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "T1136 - Create Account",
"graphStyle": "number",
"query": "serverHost contains 'ocsf' (message contains 'useradd' or message contains 'new user' or message contains 'CREATE USER') | group count() | limit 1",
"layout": {
"w": 15,
"h": 7,
"x": 45,
"y": 19
},
"options": {
"format": "auto",
"precision": "0"
}
},
{
"title": "Detections Over Time",
"graphStyle": "stacked_bar",
"xAxis": "time",
"query": "serverHost contains 'ocsf' | group count() by timestamp=timebucket('1h'), serverHost | transpose serverHost on timestamp",
"layout": {
"w": 40,
"h": 14,
"x": 0,
"y": 26
}
},
{
"title": "Top Attacker IPs",
"graphStyle": "table",
"query": "src_ip = * serverHost contains 'ocsf' (message contains 'Failed' or message contains 'deny' or action = 'deny') | group hits=count() by src_ip | sort -hits | limit 10",
"layout": {
"w": 20,
"h": 14,
"x": 40,
"y": 26
}
}
]
}