
Populate standard/default query lib #1201

Closed
mason-fish opened this issue Nov 10, 2020 · 13 comments · Fixed by #1272
Comments

@mason-fish
Contributor

Once we have finished building the query lib, we intend to include some standard queries that most people would find useful. Let's build that starter lib!

@philrz
Contributor

philrz commented Dec 2, 2020

As we discussed in a recent group meeting, let's make sure one of the out-of-the-box queries highlights the Suricata events. This would give us a place to highlight the new data even if we don't yet have other fancier visualizations specific to Suricata data. We could use community feedback to adjust this or add alternatives if we don't get it right the first time.

My proposal would be:

event_type=alert | count() by alert.severity,alert.category | sort count

With the example of our test data all.pcap, this gives:


@orochford

Name: Activity Overview
ZQL: count() by _path | sort -r
Description: This query shows a list of all Zeek streams in the data set, with a count of associated records
Tags: zeek, initial_exploration

@orochford

Name: Unique DNS Queries
ZQL: _path=dns | count() by query | sort -r
Description: Shows all unique DNS queries contained in the data set with count
Tags: dns, initial_exploration

@orochford

Name: Windows Networking Activity
ZQL: _path=~smb* OR _path=dce_rpc
Description: Filters and displays smb_files, smb_mapping and DCE_RPC activity
Tags: windows, smb, malware

@orochford

Name: HTTP Requests
ZQL: _path=http | cut id.orig_h, id.resp_h, id.resp_p, method,host, uri | uniq -c
Description: Displays a list of the unique HTTP requests with counts, including source and destination
Tags: http, initial_exploration, malware

@orochford

Name: Unique Network Connections
ZQL: _path=conn | cut id.orig_h, id.resp_p, id.resp_h | sort | uniq
Description: Displays a table showing all unique source:port:destination connection pairings
Tags: network, initial_exploration

@orochford

Name:
ZQL: _path=conn | put total_bytes = orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes
Description: Shows the connections between hosts, sorted by data received
Tags: network

@orochford

Name: File Activity
ZQL: filename!=null | cut _path, tx_hosts, rx_hosts, conn_uids, mime_type, filename, md5, sha1
Description: Displays a curated view of file data including md5 and sha1 for complete file transfers
Tags: files, malware

@orochford

Name: HTTP Post Requests
ZQL: method=POST | cut ts, uid, id, method, uri, status_code
Description: Displays all HTTP Post requests including the URI and HTTP status code
Tags: http, malware

@orochford

Name: Show IP Subnets
ZQL: _path=conn | put classnet=network_of(id.resp_h) | cut classnet | count() by classnet | sort -r
Description: Enumerates the associated IP subclasses for all destination IP-addresses including count of connections.
Tags: network

@orochford

Name: Suricata Alerts by Source and Destination
ZQL: event_type=alert | alerts=union(alert.category) by src_ip, dest_ip
Description: Shows all Suricata alerts in a list by unique source and destination IP addresses
Tags: suricata, malware


@orochford

Name: Suricata Alerts by Subnet
ZQL: event_type=alert | alerts=union(alert.category) by network_of(dest_ip)
Description: Displays a list of Suricata Alerts by CIDR IP Subnets
Tags: suricata, malware

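The following is an added example, not code from Brim, zq, or any commenter on this issue. It re-implements four of the proposed starter queries in plain Python (philrz's `count() by alert.severity,alert.category | sort count`, and orochford's "Activity Overview", "Suricata Alerts by Source and Destination" and "Show IP Subnets") over a handful of constructed records shaped like Zeek JSON logs (flat `id.resp_h` keys) and Suricata eve.json alerts (nested `alert` object), so the expected output of each query can be checked without a pcap. The classful reading of one-argument `network_of` is an assumption taken from the "IP subclasses" wording in that query's description; the ascending/descending behaviour of `sort count` and `sort -r` follows the queries as written, with ties broken on the group key only to keep the output deterministic.

```python
"""Plain-Python re-implementation of four proposed ZQL starter queries.

Added example, not Brim/zq code. Records are constructed to resemble Zeek
JSON logs (flat "id.resp_h" keys) and Suricata eve.json alerts (nested
"alert" object), so one dotted-field lookup serves both shapes.
"""
from collections import Counter, defaultdict
import ipaddress
import json

# Constructed sample data, not a real capture: three conn records, one dns
# record and five Suricata alerts.
SAMPLE_NDJSON = """\
{"_path":"conn","uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"93.184.216.34","id.resp_p":80,"orig_bytes":120,"resp_bytes":3000}
{"_path":"conn","uid":"C2","id.orig_h":"10.0.0.5","id.resp_h":"93.184.216.34","id.resp_p":443,"orig_bytes":50,"resp_bytes":900}
{"_path":"conn","uid":"C3","id.orig_h":"10.0.0.7","id.resp_h":"198.51.100.9","id.resp_p":445,"orig_bytes":10,"resp_bytes":20}
{"_path":"dns","uid":"C4","query":"example.com"}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","alert":{"severity":2,"category":"Potentially Bad Traffic"}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","alert":{"severity":2,"category":"Potentially Bad Traffic"}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","alert":{"severity":1,"category":"A Network Trojan was detected"}}
{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.9","alert":{"severity":1,"category":"A Network Trojan was detected"}}
{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.9","alert":{"severity":2,"category":"Potentially Bad Traffic"}}
"""


def load_records(ndjson):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def field(rec, path):
    """Resolve a dotted ZQL field name: first as a flat Zeek-style key
    ("id.resp_h"), then by descending nested objects ("alert.severity").
    Returns None when the record has no such field."""
    if path in rec:
        return rec[path]
    cur = rec
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def network_of(addr):
    """Classful (A/B/C) network of an IPv4 address, e.g. '93.0.0.0/8'.
    Assumed reading of ZQL's one-argument network_of, based on the
    'IP subclasses' wording in the query description."""
    ip = ipaddress.IPv4Address(addr)
    first_octet = int(ip) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return str(ipaddress.IPv4Network((int(ip), prefix), strict=False))


def alerts_by_severity_category(records):
    """event_type=alert | count() by alert.severity,alert.category | sort count
    Returns (severity, category, count) tuples, ascending by count."""
    counts = Counter(
        (field(r, "alert.severity"), field(r, "alert.category"))
        for r in records
        if field(r, "event_type") == "alert"
    )
    rows = [(sev, cat, n) for (sev, cat), n in counts.items()]
    return sorted(rows, key=lambda t: (t[2], t[0], t[1]))


def activity_overview(records):
    """count() by _path | sort -r
    Records without a _path (the Suricata alerts here) are skipped."""
    counts = Counter(
        field(r, "_path") for r in records if field(r, "_path") is not None
    )
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def alerts_by_src_dest(records):
    """event_type=alert | alerts=union(alert.category) by src_ip, dest_ip
    Returns {(src_ip, dest_ip): sorted list of distinct categories}."""
    groups = defaultdict(set)
    for r in records:
        if field(r, "event_type") == "alert":
            key = (field(r, "src_ip"), field(r, "dest_ip"))
            groups[key].add(field(r, "alert.category"))
    return {k: sorted(v) for k, v in groups.items()}


def conns_by_classnet(records):
    """_path=conn | put classnet=network_of(id.resp_h) | cut classnet
       | count() by classnet | sort -r"""
    counts = Counter(
        network_of(field(r, "id.resp_h"))
        for r in records
        if field(r, "_path") == "conn"
    )
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    recs = load_records(SAMPLE_NDJSON)
    print("alerts by severity/category:", alerts_by_severity_category(recs))
    print("activity overview:", activity_overview(recs))
    print("alerts by src/dest:", alerts_by_src_dest(recs))
    print("conns by classnet:", conns_by_classnet(recs))
```

Running the script prints the four result sets; the `field` helper is the part worth keeping if you adapt this, since Zeek's JSON writer flattens nested record names into dotted keys while Suricata keeps real nested objects, and a query library that targets both needs to address `id.resp_h` and `alert.severity` the same way.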

@philrz philrz added this to the Brim v0.22.0 milestone Dec 22, 2020
@philrz philrz linked a pull request Dec 22, 2020 that will close this issue
@philrz philrz closed this as completed Dec 22, 2020
@philrz
Contributor

philrz commented Dec 24, 2020

These were verified as part of #1081.
