mirror of
https://github.com/marcredhat/SIEM-toolkit-patched
synced 2026-06-08 20:37:12 +00:00
marc
a9dcf48e65
The original upstream gitignores parsers/* on the assumption that each tenant has its own set. This fork commits a working snapshot so the Parser Test Runner and Parser Coverage features are usable out of the box. Stormshield parser exercises the new SDL key=value scanner, pattern references, and JS-style unquoted format keys added to backend/routers/quality.py.
160 lines
4.3 KiB
Plaintext
160 lines
4.3 KiB
Plaintext
{
|
|
"duration": "24h",
|
|
"description": "MITRE ATT&CK technique coverage from OCSF detections",
|
|
"graphs": [
|
|
{
|
|
"title": "MITRE ATT&CK Coverage",
|
|
"graphStyle": "markdown",
|
|
"markdown": "## MITRE ATT&CK Technique Counters\nEach panel shows the count of events matching a specific MITRE technique pattern.\n\n| Technique | Description |\n|---|---|\n| T1110 | Brute Force |\n| T1046 | Network Service Scanning |\n| T1059 | Command and Scripting Interpreter |\n| T1078 | Valid Accounts |\n| T1098 | Account Manipulation |\n| T1548 | Abuse Elevation Control Mechanism |",
|
|
"layout": {
|
|
"w": 60,
|
|
"h": 10,
|
|
"x": 0,
|
|
"y": 0
|
|
}
|
|
},
|
|
{
|
|
"title": "T1110 - Brute Force",
|
|
"graphStyle": "number",
|
|
"query": "message contains 'Failed password' or message contains 'authentication failure' | group count() | limit 1",
|
|
"layout": {
|
|
"w": 15,
|
|
"h": 7,
|
|
"x": 0,
|
|
"y": 10
|
|
},
|
|
"options": {
|
|
"format": "auto",
|
|
"precision": "0"
|
|
}
|
|
},
|
|
{
|
|
"title": "T1046 - Network Scanning",
|
|
"graphStyle": "number",
|
|
"query": "action = 'deny' | group count() | limit 1",
|
|
"layout": {
|
|
"w": 15,
|
|
"h": 7,
|
|
"x": 15,
|
|
"y": 10
|
|
},
|
|
"options": {
|
|
"format": "auto",
|
|
"precision": "0"
|
|
}
|
|
},
|
|
{
|
|
"title": "T1059 - Command Execution",
|
|
"graphStyle": "number",
|
|
"query": "message contains 'bash -c' or message contains 'python -c' or message contains 'powershell -enc' or message contains 'cmd.exe /c' | group count() | limit 1",
|
|
"layout": {
|
|
"w": 15,
|
|
"h": 7,
|
|
"x": 30,
|
|
"y": 10
|
|
},
|
|
"options": {
|
|
"format": "auto",
|
|
"precision": "0"
|
|
}
|
|
},
|
|
{
|
|
"title": "T1078 - Valid Accounts",
|
|
"graphStyle": "number",
|
|
"query": "user_name = 'root' or user_name = 'Administrator' or user_name = 'admin' or user_name = 'SYSTEM' | group count() | limit 1",
|
|
"layout": {
|
|
"w": 15,
|
|
"h": 7,
|
|
"x": 45,
|
|
"y": 10
|
|
},
|
|
"options": {
|
|
"format": "auto",
|
|
"precision": "0"
|
|
}
|
|
},
|
|
{
|
|
"title": "T1098 - Account Manipulation",
|
|
"graphStyle": "number",
|
|
"query": "message contains 'useradd' or message contains 'usermod' or message contains 'GRANT' or message contains 'Add member' | group count() | limit 1",
|
|
"layout": {
|
|
"w": 15,
|
|
"h": 7,
|
|
"x": 0,
|
|
"y": 17
|
|
},
|
|
"options": {
|
|
"format": "auto",
|
|
"precision": "0"
|
|
}
|
|
},
|
|
{
|
|
"title": "T1548 - Privilege Escalation",
|
|
"graphStyle": "number",
|
|
"query": "message contains 'sudo' or message contains 'NOT in sudoers' | group count() | limit 1",
|
|
"layout": {
|
|
"w": 15,
|
|
"h": 7,
|
|
"x": 15,
|
|
"y": 17
|
|
},
|
|
"options": {
|
|
"format": "auto",
|
|
"precision": "0"
|
|
}
|
|
},
|
|
{
|
|
"title": "T1021 - Remote Services",
|
|
"graphStyle": "number",
|
|
"query": "(dstport = 22 or dstport = 3389 or dstport = 5985) action = 'allow' | group count() | limit 1",
|
|
"layout": {
|
|
"w": 15,
|
|
"h": 7,
|
|
"x": 30,
|
|
"y": 17
|
|
},
|
|
"options": {
|
|
"format": "auto",
|
|
"precision": "0"
|
|
}
|
|
},
|
|
{
|
|
"title": "T1136 - Create Account",
|
|
"graphStyle": "number",
|
|
"query": "message contains 'useradd' or message contains 'new user' or message contains 'CREATE USER' | group count() | limit 1",
|
|
"layout": {
|
|
"w": 15,
|
|
"h": 7,
|
|
"x": 45,
|
|
"y": 17
|
|
},
|
|
"options": {
|
|
"format": "auto",
|
|
"precision": "0"
|
|
}
|
|
},
|
|
{
|
|
"title": "Detections Over Time",
|
|
"graphStyle": "stacked_bar",
|
|
"xAxis": "time",
|
|
"query": "serverHost contains 'ocsf' | group count() by timestamp=timebucket('1h'), serverHost | transpose serverHost on timestamp",
|
|
"layout": {
|
|
"w": 40,
|
|
"h": 14,
|
|
"x": 0,
|
|
"y": 24
|
|
}
|
|
},
|
|
{
|
|
"title": "Top Attacker IPs",
|
|
"graphStyle": "table",
|
|
"query": "src_ip = * (message contains 'Failed' or message contains 'deny' or action = 'deny') | group hits=count() by src_ip | sort -hits | limit 10",
|
|
"layout": {
|
|
"w": 20,
|
|
"h": 14,
|
|
"x": 40,
|
|
"y": 24
|
|
}
|
|
}
|
|
]
|
|
} |