{
"name": "Apricot-alerts",
"items": [
{
"name": "Suricata | Snort Alerts Overview",
"value": "event_type==\"alert\" | count() by alert.signature | sort -r",
"description": "Displays a count of Suricata | Snort alerts grouped by signature"
},
{
"name": "Suricata | Snort Alerts by Severity and Category",
"value": "event_type==\"alert\" | count() by alert.severity,alert.category | sort count",
"description": "Shows all Suricata | Snort alert counts, grouped by category and severity"
},
{
"name": "Top Suricata | Snort Signatures",
"value": "event_type==\"alert\" | count() by alert.signature | sort -r",
"description": "Displays the most frequent Suricata | Snort alert signatures"
},
{
"name": "Suricata | Snort Alerts by Signature",
"value": "event_type==\"alert\" | count() by alert.signature | sort count",
"description": "Shows all Suricata | Snort alert counts, grouped by signature"
},
{
"name": "Suricata | Snort Alert Categories by Source and Destination",
"value": "event_type==\"alert\" | alerts := union(alert.category) by src_ip, dest_ip",
"description": "Shows a list of Suricata | Snort alert categories, grouped by unique source and destination IP addresses"
},
{
"name": "Suricata | Snort Alert Signatures by Source and Destination",
"value": "event_type==\"alert\" | alerts := union(alert.signature) by src_ip, dest_ip",
"description": "Shows a list of Suricata | Snort alert signatures, grouped by unique source and destination IP addresses"
},
{
"name": "Top Source Ports for Suricata | Snort Alerts",
"value": "event_type==\"alert\" | count() by src_port | sort -r",
"description": "Displays the top source ports for Suricata | Snort alerts"
},
{
"name": "Top Destination Ports for Suricata | Snort Alerts",
"value": "event_type==\"alert\" | count() by dest_port | sort -r",
"description": "Shows the top destination ports for Suricata | Snort alerts"
},
{
"name": "Suricata | Snort Alert Categories by Subnet",
"value": "event_type==\"alert\" | alerts := union(alert.category) by network_of(dest_ip)",
"description": "Shows a list of Suricata | Snort alert categories, grouped by CIDR network"
},
{
"name": "Suricata | Snort Alerts by Protocol",
"value": "event_type==\"alert\" | count() by proto | sort -r",
"description": "Shows a count of Suricata | Snort alerts grouped by protocol"
},
{
"name": "Suricata | Snort Alerts by Classification",
"value": "event_type==\"alert\" | count() by alert.classification | sort -r",
"description": "Displays a count of Suricata | Snort alerts grouped by classification"
},
{
"name": "Suricata | Snort Alerts Timeline",
"value": "event_type==\"alert\" | count() by ts := floor(ts, 1h) | sort ts",
"description": "Shows a timeline of Suricata | Snort alerts with counts per hour"
},
{
"name": "Suricata | Snort Alerts by Priority",
"value": "event_type==\"alert\" | count() by alert.priority | sort -r",
"description": "Displays a count of Suricata | Snort alerts grouped by priority"
},
{
"name": "Suricata | Snort Alerts with Payload",
"value": "event_type==\"alert\" AND payload != null | cut ts, src_ip, dest_ip, proto, payload | sort -r ts",
"description": "Displays Suricata | Snort alerts that have payload data"
},
{
"name": "Suricata | Snort Alerts by Sensor",
"value": "event_type==\"alert\" | count() by sensor | sort -r",
"description": "Shows a count of Suricata | Snort alerts grouped by sensor"
},
{
"name": "Suricata | Snort Alerts by Network Segment",
"value": "event_type==\"alert\" | put segment := network_of(dest_ip) | count() by segment | sort -r",
"description": "Shows Suricata | Snort alerts grouped by network segment (based on destination IP)"
},
{
"name": "Suricata | Snort Alerts by Source IP",
"value": "event_type==\"alert\" | count() by src_ip | sort -r",
"description": "Shows a count of Suricata | Snort alerts grouped by source IP"
},
{
"name": "Suricata | Snort Alerts by Destination IP",
"value": "event_type==\"alert\" | count() by dest_ip | sort -r",
"description": "Shows a count of Suricata | Snort alerts grouped by destination IP"
},
{
"name": "Web Application Firewall (WAF) Alerts",
"value": "event_type==\"alert\" AND alert.category==\"WAF\" | count() by alert.signature | sort -r",
"description": "Displays alerts generated by the Web Application Firewall"
}
]
}