weslambert
commented
1 year ago Analyzers/Plugins:
- bzar (disabled by default)
- icsnpp-bacnet
- icsnpp-bsap
- icsnpp-ethercat
- icsnpp-enip
- icsnpp-opcua-binary
- icsnpp-dnp3
- icsnpp-modbus
- icsnpp-s7comm
- zeek-plugin-profinet
- zeek-plugin-tds
- zeek-spicy-wireguard
- zeek-spicy-stun
- iamckn/oui-logging
https://github.com/Security-Onion-Solutions/securityonion-image/blob/dev/so-zeek/Dockerfile#L43-L59
Dashboards:
- ICS Overview
- ICS BACnet
- ICS BSAP
- ICS CIP
- ICS COTP
- ICS DNP3
- ICS ECAT
- ICS ENIP
- ICS Modbus
- ICS OPC UA
- ICS Profinet
- ICS S7
Hunt Event Fields:
- bacnet
- bacnet_discovery
- bacnet_property
- bsap_ip_header
- bsap_ip_rdb
- bsap_serial_header
- bsap_serial_rdb
- cip
- cip_identity
- cip_io
- cotp
- ecat_arp_info
- ecat_aoe_info
- ecat_coe_info
- ecat_dev_info
- ecat_log_address
- ecat_registers
- enip
- modbus_detailed
- opcua_binary
- opcua_binary_activate_session
- opcua_binary_activate_session_diagnostic_info
- opcua_binary_activate_session_locale_id
- opcua_binary_browse
- opcua_binary_browse_description
- opcua_binary_browse_response_references
- opcua_binary_browse_result
- opcua_binary_create_session
- opcua_binary_create_session_endpoints
- opcua_binary_create_session_user_token
- opcua_binary_create_subscription
- opcua_binary_get_endpoints
- opcua_binary_get_endpoints_description
- opcua_binary_get_endpoints_user_token
- opcua_binary_read
- opcua_binary_status_code_detail
- profinet
- profinet_dce_rpc
- s7comm
- s7comm_plus
- s7comm_read_szl
- s7comm_upload_download
- tds
- tds_rpc
- tds_sql_batch
Pipelines:
- zeek.bacnet
- zeek.bacnet_discovery
- zeek.bacnet_property
- zeek.bsap_ip_header
- zeek.bsap_ip_rdb
- zeek.bsap_ip_unknown
- zeek.bsap_serial_header
- zeek.bsap_serial_rdb
- zeek.bsap_serial_rdb_ext
- zeek.bsap_serial_unknown
- zeek.cip
- zeek.cip_identity
- zeek.cip_io
- zeek.cotp
- zeek.dnp3_control
- zeek.dnp3_objects
- zeek.ecat_aoe_info
- zeek.ecat_arp_info (ingestion disabled by default)
- zeek.ecat_coe_info
- zeek.ecat_dev_info
- zeek.ecat_foe_info
- zeek.ecat_soe_info
- zeek.ecat_log_address
- zeek.ecat_registers
- zeek.enip
- zeek.modbus_detailed
- zeek.modbus_mask_write_register
- zeek.modbus_read_write_multiple_registers
- zeek.opcua_binary
- zeek.opcua_binary_activate_session
- zeek.opcua_binary_activate_session_client_software_cert
- zeek.opcua_binary_activate_session_diagnostic_info
- zeek.opcua_binary_activate_session_locale_id
- zeek.opcua_binary_browse
- zeek.opcua_binary_browse_description
- zeek.opcua_binary_browse_diagnostic_info
- zeek.opcua_binary_browse_request_continuation_point
- zeek.opcua_binary_browse_response_references
- zeek.opcua_binary_browse_result
- zeek.opcua_binary_create_session
- zeek.opcua_binary_create_session_discovery
- zeek.opcua_binary_create_session_endpoints
- zeek.opcua_binary_create_session_user_token
- zeek.opcua_binary_create_subscription
- zeek.opcua_binary_diag_info_detail
- zeek.opcua_binary_get_endpoints
- zeek.opcua_binary_get_endpoints_description
- zeek.opcua_binary_get_endpoints_discovery
- zeek.opcua_binary_get_endpoints_locale_id
- zeek.opcua_binary_get_endpoints_profile_uri
- zeek.opcua_binary_get_endpoints_user_token
- zeek.opcua_binary_opensecure_channel
- zeek.opcua_binary_read
- zeek.opcua_binary_read_array_dims
- zeek.opcua_binary_read_array_dims_link
- zeek.opcua_binary_read_diagnostic_info
- zeek.opcua_binary_read_extension_object
- zeek.opcua_binary_read_extension_object_link
- zeek.opcua_binary_read_nodes_to_read
- zeek.opcua_binary_read_results
- zeek.opcua_binary_read_results_link
- zeek.opcua_binary_read_status_code
- zeek.opcua_binary_read_variant_data
- zeek.opcua_binary_read_variant_data_link
- zeek.opcua_binary_status_code_detail
- zeek.profinet
- zeek.profinet_dce_rpc
- zeek.s7comm
- zeek.s7comm_plus
- zeek.s7comm_read_szl
- zeek.s7comm_upload_download
- zeek.stun
- zeek.stun_nat
- zeek.tds
- zeek.tds_rpc
- zeek.tds_sql_batch
- zeek.wireguard
https://github.com/Security-Onion-Solutions/securityonion/tree/dev/salt/elasticsearch/files/ingest
New ICS Packages