257 changes: 69 additions & 188 deletions Packs/soc-optimization-unified/Lookup/value_tags.json

@@ -1,12 +1,12 @@
fromversion: 5.0.0
fromversion: 8.0.0
id: Foundation - Enrichment_V3
version: 13
contentitemexportablefields:
contentitemfields:
packID: soc-optimization-unified
packName: SOC Framework Unified
itemVersion: 3.3.13
fromServerVersion: 5.0.0
fromServerVersion: 8.0.0
toServerVersion: ""
definitionid: ""
prevname: ""
Expand All @@ -18,8 +18,8 @@ description: |
Identifies the core fields present and starts tailored enrichment pipelines
Generates threat flags based on findings (ex: if we identify a domain controller or admin account)
tags:
- SOC
- SOC_Framework_Unified
- SOC
- SOC_Framework_Unified
starttaskid: "0"
tasks:
"0":
Expand All @@ -36,7 +36,7 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- "33"
- "33"
separatecontext: false
continueonerrortype: ""
view: |-
Expand Down Expand Up @@ -105,18 +105,18 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- "35"
- "36"
- "37"
- "38"
- "35"
- "36"
- "37"
- "38"
scriptarguments:
key:
simple: SOCFramework.Artifacts.CategoryType
value:
complex:
root: inputs.CategoryType
transformers:
- operator: toLowerCase
- operator: toLowerCase
separatecontext: false
continueonerrortype: ""
view: |-
Expand Down Expand Up @@ -150,7 +150,7 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- "4"
- "4"
scriptarguments:
ip:
simple: ${inputs.ip}
Expand Down Expand Up @@ -186,7 +186,7 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- "60"
- "60"
separatecontext: false
continueonerrortype: ""
view: |-
Expand Down Expand Up @@ -218,7 +218,7 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- "61"
- "61"
separatecontext: false
continueonerrortype: ""
view: |-
Expand Down Expand Up @@ -250,7 +250,7 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- "62"
- "62"
separatecontext: false
continueonerrortype: ""
view: |-
Expand Down Expand Up @@ -282,7 +282,7 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- "63"
- "63"
separatecontext: false
continueonerrortype: ""
view: |-
Expand Down Expand Up @@ -316,7 +316,7 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- "4"
- "4"
scriptarguments:
file:
simple: ${inputs.file}
Expand Down Expand Up @@ -354,7 +354,7 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- "4"
- "4"
scriptarguments:
domain:
simple: ${inputs.domain}
Expand Down Expand Up @@ -392,7 +392,7 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#none#':
- "4"
- "4"
scriptarguments:
url:
simple: ${inputs.url}
Expand Down Expand Up @@ -428,18 +428,18 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#default#':
- "4"
- "4"
"yes":
- "34"
- "34"
separatecontext: false
conditions:
- label: "yes"
condition:
- - operator: isNotEmpty
left:
value:
simple: SOCFramework.Artifacts.IP
iscontext: true
- label: "yes"
condition:
- - operator: isNotEmpty
left:
value:
simple: SOCFramework.Artifacts.IP
iscontext: true
continueonerrortype: ""
view: |-
{
Expand Down Expand Up @@ -470,18 +470,18 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#default#':
- "4"
- "4"
"yes":
- "39"
- "39"
separatecontext: false
conditions:
- label: "yes"
condition:
- - operator: isNotEmpty
left:
value:
simple: SOCFramework.Artifacts.File
iscontext: true
- label: "yes"
condition:
- - operator: isNotEmpty
left:
value:
simple: SOCFramework.Artifacts.File
iscontext: true
continueonerrortype: ""
view: |-
{
Expand Down Expand Up @@ -512,18 +512,18 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#default#':
- "4"
- "4"
"yes":
- "40"
- "40"
separatecontext: false
conditions:
- label: "yes"
condition:
- - operator: isNotEmpty
left:
value:
simple: SOCFramework.Artifacts.Domain
iscontext: true
- label: "yes"
condition:
- - operator: isNotEmpty
left:
value:
simple: SOCFramework.Artifacts.Domain
iscontext: true
continueonerrortype: ""
view: |-
{
Expand Down Expand Up @@ -554,18 +554,18 @@ tasks:
istaskmissingcomponenterrordismissed: false
nexttasks:
'#default#':
- "4"
- "4"
"yes":
- "41"
- "41"
separatecontext: false
conditions:
- label: "yes"
condition:
- - operator: isNotEmpty
left:
value:
simple: SOCFramework.Artifacts.URL
iscontext: true
- label: "yes"
condition:
- - operator: isNotEmpty
left:
value:
simple: SOCFramework.Artifacts.URL
iscontext: true
continueonerrortype: ""
view: |-
{
Expand Down Expand Up @@ -595,53 +595,53 @@ view: |-
}
}
inputs:
- key: CategoryType
value:
complex:
root: issue
accessor: categoryname
transformers:
- operator: toLowerCase
required: false
description: What Category of Alert is this? (malware, phishing, etc.)
playbookInputQuery: null
- key: ip
value:
simple: ${SOCFramework.Artifacts.IP}
required: false
description: ""
playbookInputQuery: null
- key: file
value:
simple: ${SOCFramework.Artifacts.File}
required: false
description: ""
playbookInputQuery: null
- key: url
value:
simple: ${SOCFramework.Artifacts.URL}
required: false
description: ""
playbookInputQuery: null
- key: domain
value:
simple: ${SOCFramework.Artifacts.Domain}
required: false
description: ""
playbookInputQuery: null
- key: CategoryType
value:
complex:
root: issue
accessor: categoryname
transformers:
- operator: toLowerCase
required: false
description: What Category of Alert is this? (malware, phishing, etc.)
playbookInputQuery: null
- key: ip
value:
simple: ${SOCFramework.Artifacts.IP}
required: false
description: ""
playbookInputQuery: null
- key: file
value:
simple: ${SOCFramework.Artifacts.File}
required: false
description: ""
playbookInputQuery: null
- key: url
value:
simple: ${SOCFramework.Artifacts.URL}
required: false
description: ""
playbookInputQuery: null
- key: domain
value:
simple: ${SOCFramework.Artifacts.Domain}
required: false
description: ""
playbookInputQuery: null
inputSections:
- inputs:
- CategoryType
- ip
- file
- url
- domain
name: General (Inputs group)
description: Generic group for inputs
- inputs:
- CategoryType
- ip
- file
- url
- domain
name: General (Inputs group)
description: Generic group for inputs
outputSections:
- outputs: []
name: General (Outputs group)
description: Generic group for outputs
- outputs: []
name: General (Outputs group)
description: Generic group for outputs
outputs: []
sourceplaybookid: Foundation - Enrichment_V3
dirtyInputs: true