From 20d2f3b97e6170fb3216e6cfece9f9740582f5ba Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 12 Feb 2024 19:13:32 -0500
Subject: [PATCH 1/2] Update Sublime action in defaults.yaml to use i18n
---
 salt/soc/defaults.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 31b6eb5886..341bee64a3 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -59,8 +59,8 @@ soc:
 target: _blank
 links:
 - 'https://www.virustotal.com/gui/search/{value}'
- - name: Sublime Platform Email Review
- description: Review email in Sublime Platform
+ - name: actionSublime
+ description: actionSublimeHelp
 icon: fa-external-link-alt
 target: _blank
 links:
From 0ad39a7e327131c533958526fa3ed96f71565293 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 12 Feb 2024 19:18:29 -0500
Subject: [PATCH 2/2] FEATURE: Add new SOC action to show process ancestry #12345
---
 salt/soc/defaults.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 341bee64a3..7573854c64 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -65,6 +65,12 @@ soc:
 target: _blank
 links:
 - 'https://{:sublime.url}/messages/{:sublime.message_group_id}'
+ - name: actionProcessAncestors
+ description: actionProcessAncestorsHelp
+ icon: fa-people-roof
+ target: ''
+ links:
+ - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby event.module event.dataset | table soc_timestamp event.dataset user.name process.executable process.command_line process.working_directory'
 eventFields:
 default:
 - soc_timestamp
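Review bot: The hunt link added in the second patch's hunk interpolates `{:process.entity_id}` and `{:process.Ext.ancestry|processAncestors}` inside double-quoted query terms, and nothing in this series shows that the SOC link builder quote-escapes or URL-encodes substituted field values, so an event whose field contains a `"` or query syntax would render a broken or altered hunt query; worth confirming the substitution escapes, or recording the expectation on the `links` entry with `# {:field} values land inside "..." query terms; the link builder must quote-escape and URL-encode them`. Both diffstats show only salt/soc/defaults.yaml changing, so the i18n keys actionProcessAncestors/actionProcessAncestorsHelp, the processAncestors formatter and the fa-people-roof icon presumably already exist or arrive in a separate change — if any is missing the UI would show the raw key or an empty icon. `target: ''` also differs from the `_blank` used by the neighbouring actions; if same-window navigation is intended for the in-app /#/hunt route, a one-line comment there would make the difference deliberate rather than accidental. The last added line is a very long single-line scalar; a `>-` folded scalar broken only at existing spaces would preserve the value byte-for-byte while keeping it readable.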