CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'remotes/origin/2.4/dev' into 2.4/elastic-fleet

Browse Source
This commit is contained in:
Josh Brower
2022-09-09 15:08:25 -04:00
parent 921d644a0b 54f7cefa28
commit 09a1032f77
50 changed files with 8092 additions and 2151 deletions
Download Patch File Download Diff File Expand all files Collapse all files

301
salt/common/tools/sbin/so-status Normal file
View File

@@ -0,0 +1,301 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
if ! [ "$(id -u)" = 0 ]; then
echo "This command must be run as root"
exit 1
fi
display_help() {
cat <<HELP_USAGE
$0 [-h] [-q|--quiet]
-h Show this message.
-q|--quiet Suppress the output and only return a
single status code for overall status
0:Ok, 1:Error, 2:Starting/Pending, 99:Installing SO
HELP_USAGE
}
# Constants
QUIET=false
EXITCODE=0
SYSTEM_START_TIME=$(date -d "$(</proc/uptime awk '{print $1}') seconds ago" +%s)
# file populated by salt.lasthighstate state at end of successful highstate run
LAST_HIGHSTATE_END=$([ -e "/opt/so/log/salt/lasthighstate" ] && date -r /opt/so/log/salt/lasthighstate +%s || echo 0)
LAST_SOSETUP_LOG=$([ -e "/root/sosetup.log" ] && date -r /root/sosetup.log +%s || echo 0)
HIGHSTATE_RUNNING=$(salt-call --local saltutil.running --out=json | jq -r '.local[].fun' | grep -q 'state.highstate' && echo $?)
ERROR_STRING="ERROR"
SUCCESS_STRING="OK"
PENDING_STRING="PENDING"
MISSING_STRING='MISSING'
DISABLED_STRING='DISABLED'
WAIT_START_STRING='WAIT_START'
STARTING_STRING='STARTING'
CALLER=$(ps -o comm= $PPID)
declare -a BAD_STATUSES=("removing" "paused" "exited" "dead")
declare -a PENDING_STATUSES=("paused" "created" "restarting")
declare -a GOOD_STATUSES=("running")
declare -a DISABLED_CONTAINERS=()
mapfile -t DISABLED_CONTAINERS < <(sort -u /opt/so/conf/so-status/so-status.conf | grep "^\s*#" | tr -d "#")
declare -a temp_container_name_list=()
declare -a temp_container_state_list=()
declare -a container_name_list=()
declare -a container_state_list=()
declare -a expected_container_list=()
# {% raw %}
compare_lists() {
local found=0
create_expected_container_list
if [[ ${#expected_container_list[@]} = 0 ]]; then
container_name_list="${temp_container_name_list[*]}"
container_state_list="${temp_container_state_list[*]}"
return 1
fi
for intended_item in "${expected_container_list[@]}"; do
found=0
for i in "${!temp_container_name_list[@]}"; do
[[ ${temp_container_name_list[$i]} = "$intended_item" ]] \
&& found=1 \
&& container_name_list+=("${temp_container_name_list[$i]}") \
&& container_state_list+=("${temp_container_state_list[$i]}") \
&& break
done
if [[ $found = 0 ]]; then
container_name_list+=("$intended_item")
container_state_list+=("missing")
fi
done
}
# {% endraw %}
create_expected_container_list() {
mapfile -t expected_container_list < <(sort -u /opt/so/conf/so-status/so-status.conf | tr -d "#")
}
populate_container_lists() {
systemctl is-active --quiet docker
if [[ $? = 0 ]]; then
mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/v1.40/containers/json?all=1 \
| jq -c '.[] | { Name: .Names[0], State: .State }' \
| tr -d '/{"}')
else
exit 1
fi
local container_name=""
local container_state=""
for line in "${docker_raw_list[@]}"; do
container_name="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\1/' )" # Get value in the first search group (container names)
container_state="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\2/' )" # Get value in the second search group (container states)
temp_container_name_list+=( "${container_name}" )
temp_container_state_list+=( "${container_state}" )
done
compare_lists
}
parse_status() {
local service_name=${1}
local container_state=${2}
for state in "${GOOD_STATUSES[@]}"; do
[[ $container_state = "$state" ]] && [[ $QUIET = "false" ]] && printf $SUCCESS_STRING && return 0 || [[ $container_state = "$state" ]] && return 0
done
for state in "${BAD_STATUSES[@]}"; do
[[ " ${DISABLED_CONTAINERS[@]} " =~ " ${service_name} " ]] && [[ $QUIET = "false" ]] && printf $DISABLED_STRING && return 0 || [[ " ${DISABLED_CONTAINERS[@]} " =~ " ${service_name} " ]] && return 0
done
# if a highstate has finished running since the system has started
# then the containers should be running so let's check the status
if [ $LAST_HIGHSTATE_END -ge $SYSTEM_START_TIME ]; then
[[ $container_state = "missing" ]] && [[ $QUIET = "false" ]] && printf $MISSING_STRING && return 1 || [[ $container_state = "missing" ]] && [[ "$EXITCODE" -lt 2 ]] && EXITCODE=1 && return 1
for state in "${PENDING_STATUSES[@]}"; do
[[ $container_state = "$state" ]] && [[ $QUIET = "false" ]] && printf $PENDING_STRING && return 0
done
# This is technically not needed since the default is error state
for state in "${BAD_STATUSES[@]}"; do
[[ $container_state = "$state" ]] && [[ $QUIET = "false" ]] && printf $ERROR_STRING && return 1 || [[ $container_state = "$state" ]] && [[ "$EXITCODE" -lt 2 ]] && EXITCODE=1 && return 1
done
[[ $QUIET = "false" ]] && printf $ERROR_STRING && return 1 || [[ "$EXITCODE" -lt 2 ]] && EXITCODE=1 && return 1
# if a highstate has not run since system start time, but a highstate is currently running
# then show that the containers are STARTING
elif [[ "$HIGHSTATE_RUNNING" == 0 ]]; then
[[ $QUIET = "false" ]] && printf $STARTING_STRING && return 2 || EXITCODE=2 && return 2
# if a highstate has not finished running since system startup and isn't currently running
# then just show that the containers are WAIT_START; waiting to be started
else
[[ $QUIET = "false" ]] && printf $WAIT_START_STRING && return 2 || EXITCODE=2 && return 2
fi
}
# {% raw %}
print_line() {
local service_name=${1}
local service_state="$( parse_status ${1} ${2} )"
local columns=$(tput cols)
local state_color="\e[0m"
local PADDING_CONSTANT=15
if [[ $service_state = "$ERROR_STRING" ]] || [[ $service_state = "$MISSING_STRING" ]]; then
state_color="\e[1;31m"
if [[ "$EXITCODE" -eq 0 ]]; then
EXITCODE=1
fi
elif [[ $service_state = "$SUCCESS_STRING" ]]; then
state_color="\e[1;32m"
elif [[ $service_state = "$PENDING_STRING" ]] || [[ $service_state = "$DISABLED_STRING" ]] || [[ $service_state = "$STARTING_STRING" ]] || [[ $service_state = "$WAIT_START_STRING" ]]; then
state_color="\e[1;33m"
EXITCODE=2
fi
printf " $service_name "
for i in $(seq 0 $(( $columns - $PADDING_CONSTANT - ${#service_name} - ${#service_state} ))); do
printf "${state_color}%b\e[0m" "-"
done
printf " [ "
printf "${state_color}%b\e[0m" "$service_state"
printf "%s \n" " ]"
}
non_term_print_line() {
local service_name=${1}
local service_state="$( parse_status ${1} ${2} )"
if [[ $service_state = "$ERROR_STRING" ]] || [[ $service_state = "$MISSING_STRING" ]]; then
if [[ "$EXITCODE" -eq 0 ]]; then
EXITCODE=1
fi
elif [[ $service_state = "$PENDING_STRING" ]] || [[ $service_state = "$DISABLED_STRING" ]] || [[ $service_state = "$STARTING_STRING" ]] || [[ $service_state = "$WAIT_START_STRING" ]]; then
EXITCODE=2
fi
printf " $service_name "
for i in $(seq 0 $(( 35 - ${#service_name} - ${#service_state} ))); do
printf "-"
done
printf " [ "
printf "$service_state"
printf "%s \n" " ]"
}
main() {
# if running from salt
if [ "$CALLER" == 'salt-call' ] || [ "$CALLER" == 'salt-minion' ]; then
printf "\n"
printf "Checking Docker status\n\n"
systemctl is-active --quiet docker
if [[ $? = 0 ]]; then
non_term_print_line "Docker" "running"
else
non_term_print_line "Docker" "exited"
fi
populate_container_lists
printf "\n"
printf "Checking container statuses\n\n"
local num_containers=${#container_name_list[@]}
for i in $(seq 0 $(($num_containers - 1 ))); do
non_term_print_line ${container_name_list[$i]} ${container_state_list[$i]}
done
printf "\n"
# else if running from a terminal
else
if [ "$QUIET" = true ]; then
if [ $SYSTEM_START_TIME -lt $LAST_SOSETUP_LOG ]; then
exit 99
fi
print_or_parse="parse_status"
else
print_or_parse="print_line"
local focus_color="\e[1;34m"
printf "\n"
printf "${focus_color}%b\e[0m" "Checking Docker status\n\n"
fi
systemctl is-active --quiet docker
if [[ $? = 0 ]]; then
${print_or_parse} "Docker" "running"
else
${print_or_parse} "Docker" "exited"
fi
populate_container_lists
if [ "$QUIET" = false ]; then
printf "\n"
printf "${focus_color}%b\e[0m" "Checking container statuses\n\n"
fi
local num_containers=${#container_name_list[@]}
for i in $(seq 0 $(($num_containers - 1 ))); do
${print_or_parse} ${container_name_list[$i]} ${container_state_list[$i]}
done
if [ "$QUIET" = false ]; then
printf "\n"
fi
fi
}
# {% endraw %}
while getopts ':hq' OPTION; do
case "$OPTION" in
h)
display_help
exit 0
;;
q)
QUIET=true
;;
\?)
display_help
exit 0
;;
esac
done
main
exit $EXITCODE

374
salt/elasticsearch/defaults.yaml
View File

@@ -60,6 +60,380 @@ elasticsearch:
elasticsearch: elasticsearch:
deprecation: ERROR deprecation: ERROR
index_settings: index_settings:
so-logs-elastic_agent.apm_server:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.apm_server-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.apm_server@package"
- "so-logs-elastic_agent.apm_server@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.auditbeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.auditbeat-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.auditbeat@package"
- "so-logs-elastic_agent.auditbeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.cloudbeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.cloudbeat-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.cloudbeat@package"
- "so-logs-elastic_agent.cloudbeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.endpoint_security:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.endpoint_security-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.endpoint_security@package"
- "so-logs-elastic_agent.endpoint_security@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.filebeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.filebeat-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.filebeat@package"
- "so-logs-elastic_agent.filebeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.fleet_server:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.fleet_server-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.fleet_server@package"
- "so-logs-elastic_agent.fleet_server@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.heartbeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.heartbeat-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.heartbeat@package"
- "so-logs-elastic_agent.heartbeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent@package"
- "so-logs-elastic_agent@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.metricbeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.metricbeat-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.metricbeat@package"
- "so-logs-elastic_agent.metricbeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.osquerybeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.osquerybeat-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.osquerybeat@package"
- "so-logs-elastic_agent.osquerybeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.packetbeat:
index_sorting: False
index_template:
index_patterns:
- "logs-elastic_agent.packetbeat-*"
template:
settings:
index:
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
composed_of:
- "so-logs-elastic_agent.packetbeat@package"
- "so-logs-elastic_agent.packetbeat@custom"
- ".fleet_globals-1"
- ".fleet_agent_id_verification-1"
priority: 500
_meta:
package:
name: elastic_agent
managed_by: fleet
managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-aws: so-aws:
warm: 7 warm: 7
close: 30 close: 30

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json Normal file
View File

@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

505
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json Normal file
View File

@@ -0,0 +1,505 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json Normal file
View File

@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

505
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json Normal file
View File

@@ -0,0 +1,505 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json Normal file
View File

@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

510
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json Normal file
View File

@@ -0,0 +1,510 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json Normal file
View File

@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

505
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json Normal file
View File

@@ -0,0 +1,505 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json Normal file
View File

@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

505
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json Normal file
View File

@@ -0,0 +1,505 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json Normal file
View File

@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

505
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json Normal file
View File

@@ -0,0 +1,505 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json Normal file
View File

@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

505
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json Normal file
View File

@@ -0,0 +1,505 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"message": {
"type": "text"
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json Normal file
View File

@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

505
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json Normal file
View File

@@ -0,0 +1,505 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json Normal file
View File

@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

505
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json Normal file
View File

@@ -0,0 +1,505 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json Normal file
View File

@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

498
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json Normal file
View File

@@ -0,0 +1,498 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

12
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json Normal file
View File

@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

505
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json Normal file
View File

@@ -0,0 +1,505 @@
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.domain",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"log.level",
"message",
"elastic_agent.id",
"elastic_agent.process",
"elastic_agent.version"
]
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"labels": {
"type": "object"
}
}
},
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"log": {
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"},
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
}
}
},
"elastic_agent": {
"properties": {
"process": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
,
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"}
}
},
"snapshot": {
"type": "boolean"
}
}
},
"event": {
"properties": {
"dataset": {
"type": "constant_keyword"
}
}
},
"message": {
"type": "text"
}
}
}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

11
salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
View File

@@ -1,9 +1,7 @@
#!/bin/bash #!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# https://securityonion.net/license; you may not use this file except in compliance with the # this file except in compliance with the Elastic License 2.0.
# Elastic License 2.0.
{%- set mainint = salt['pillar.get']('host:mainint') %} {%- set mainint = salt['pillar.get']('host:mainint') %}
@@ -44,6 +42,11 @@ cd ${ELASTICSEARCH_TEMPLATES}/component/ecs
echo "Loading ECS component templates..." echo "Loading ECS component templates..."
for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE-mappings"; so-elasticsearch-query _component_template/$TEMPLATE-mappings -d@$i -XPUT 2>/dev/null; echo; done for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE-mappings"; so-elasticsearch-query _component_template/$TEMPLATE-mappings -d@$i -XPUT 2>/dev/null; echo; done
cd ${ELASTICSEARCH_TEMPLATES}/component/elastic-agent
echo "Loading Elastic Agent component templates..."
for i in *; do TEMPLATE=${i::-5}; echo "so-$TEMPLATE"; so-elasticsearch-query _component_template/so-$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done
# Load SO-specific component templates # Load SO-specific component templates
cd ${ELASTICSEARCH_TEMPLATES}/component/so cd ${ELASTICSEARCH_TEMPLATES}/component/so

2
salt/kibana/bin/so-kibana-config-load
View File

@@ -5,7 +5,7 @@
# Elastic License 2.0. # Elastic License 2.0.
{%- set MANAGER = salt['pillar.get']('global:url_base', '') %} {%- set MANAGER = salt['pillar.get']('global:url_base', '') %}
{%- set ENDGAMEHOST = salt['pillar.get']('soc:endgamehost', 'ENDGAMEHOST') %} {%- set ENDGAMEHOST = salt['pillar.get']('global:endgamehost', 'ENDGAMEHOST') %}
. /usr/sbin/so-common . /usr/sbin/so-common
check_file() { check_file() {

2707
salt/soc/defaults.yaml
View File

File diff suppressed because it is too large Load Diff

75
salt/soc/files/bin/salt-relay.sh Executable file
View File

@@ -0,0 +1,75 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
PIPE_OWNER=${PIPE_OWNER:-socore}
PIPE_GROUP=${PIPE_GROUP:-socore}
SOC_PIPE=${SOC_PIPE_REQUEST:-/opt/so/conf/soc/salt.pipe}
function log() {
echo "$(date) | $1"
}
function make_pipe() {
path=$1
log "Creating pipe: $path"
rm -f "${path}"
mkfifo "${path}"
chmod 0660 "${path}"
chown ${PIPE_OWNER}:${PIPE_GROUP} "${path}"
}
make_pipe "${SOC_PIPE}"
function list_minions() {
response=$(so-minion -o=list)
exit_code=$?
if [[ $exit_code -eq 0 ]]; then
log "Successful command execution"
$(echo "$response" > "${SOC_PIPE}")
else
log "Unsuccessful command execution: $exit_code"
$(echo "false" > "${SOC_PIPE}")
fi
}
function manage_minion() {
command=$1
op=$2
minion=$3
response=$(so-minion "-o=$op" "-m=$minion")
exit_code=$?
if [[ exit_code -eq 0 ]]; then
log "Successful command execution"
$(echo "true" > "${SOC_PIPE}")
else
log "Unsuccessful command execution: $response ($exit_code)"
$(echo "false" > "${SOC_PIPE}")
fi
}
while true; do
log "Listening for request"
request=$(cat ${SOC_PIPE})
if [[ "$request" != "" ]]; then
log "Received request: ${request}"
case "$request" in
list-minions)
list_minions
;;
manage-minion*)
manage_minion ${request}
;;
*)
log "Unsupported command: $request"
$(echo "false" > "${SOC_PIPE}")
esac
# allow remote reader to get a clean reader before we try to read again on next loop
sleep 1
fi
done

1
salt/soc/files/soc/alerts.actions.json
View File

@@ -1 +0,0 @@
This file is no longer used. Please use menu.actions.json instead.

4
salt/soc/files/soc/alerts.eventfields.json
View File

@@ -1,4 +0,0 @@
{
"default": ["soc_timestamp", "rule.name", "event.severity_label", "source.ip", "source.port", "destination.ip", "destination.port", "rule.gid", "rule.uuid", "rule.category", "rule.rev"],
":ossec:": ["soc_timestamp", "rule.name", "event.severity_label", "source.ip", "source.port", "destination.ip", "destination.port", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location", "process.name" ]
}

9
salt/soc/files/soc/alerts.queries.json
View File

@@ -1,9 +0,0 @@
[
{ "name": "Group By Name, Module", "query": "* | groupby rule.name event.module event.severity_label" },
{ "name": "Group By Sensor, Source IP/Port, Destination IP/Port, Name", "query": "* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label" },
{ "name": "Group By Source IP, Name", "query": "* | groupby source.ip rule.name event.severity_label" },
{ "name": "Group By Source Port, Name", "query": "* | groupby source.port rule.name event.severity_label" },
{ "name": "Group By Destination IP, Name", "query": "* | groupby destination.ip rule.name event.severity_label" },
{ "name": "Group By Destination Port, Name", "query": "* | groupby destination.port rule.name event.severity_label" },
{ "name": "Ungroup", "query": "*" }
]

3
salt/soc/files/soc/cases.eventfields.json
View File

@@ -1,3 +0,0 @@
{
"default": ["soc_timestamp", "so_case.title", "so_case.status", "so_case.severity", "so_case.assigneeId", "so_case.createTime"]
}

7
salt/soc/files/soc/cases.queries.json
View File

@@ -1,7 +0,0 @@
[
{ "name": "Open Cases", "query": "NOT so_case.status:closed AND NOT so_case.category:template" },
{ "name": "Closed Cases", "query": "so_case.status:closed AND NOT so_case.category:template" },
{ "name": "My Open Cases", "query": "NOT so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}" },
{ "name": "My Closed Cases", "query": "so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}" },
{ "name": "Templates", "query": "so_case.category:template" }
]

46
salt/soc/files/soc/dashboards.queries.json
View File

@@ -1,46 +0,0 @@
[
{ "name": "Overview", "description": "Overview of all events", "query": "* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SOC Auth", "description": "Show all SOC authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"},
{ "name": "Elastalerts", "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name | groupby alert_info.type"},
{ "name": "Alerts", "description": "Show all alerts", "query": "event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "NIDS Alerts", "description": "NIDS alerts", "query": "event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Wazuh/OSSEC", "description": "Wazuh/OSSEC HIDS alerts and logs", "query": "event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full"},
{ "name": "Sysmon", "description": "Sysmon logs", "query": "event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line"},
{ "name": "Strelka", "description": "Strelka logs", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"},
{ "name": "Zeek Notice", "description": "Zeek Notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Connections", "description": "Connection logs", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"},
{ "name": "DCE_RPC", "description": "DCE_RPC logs", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "DHCP", "description": "Dynamic Host Configuration Protocol leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address"},
{ "name": "DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3 | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "DNS", "description": "Domain Name System queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "DPD", "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol"},
{ "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip"},
{ "name": "FTP", "description": "File Transfer Protocol logs", "query": "event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "HTTP", "description": "Hyper Text Transport Protocol logs", "query": "event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Intel", "description": "Zeek Intel framework hits", "query": "event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "IRC", "description": "Internet Relay Chat logs", "query": "event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Kerberos", "description": "Kerberos logs", "query": "event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "MODBUS", "description": "MODBUS logs", "query": "event.dataset:modbus | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "MYSQL", "description": "MYSQL logs", "query": "event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "NOTICE", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "NTLM", "description": "NTLM logs", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Osquery Live Queries", "description": "Osquery Live Query results", "query": "event.dataset:live_query | groupby host.hostname"},
{ "name": "PE", "description": "PE files list", "query": "event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit"},
{ "name": "RADIUS", "description": "RADIUS logs", "query": "event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "RDP", "description": "RDP logs", "query": "event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "RFB", "description": "RFB logs", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Signatures", "description": "Zeek signatures", "query": "event.dataset:signatures | groupby signature_id"},
{ "name": "SIP", "description": "SIP logs", "query": "event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SMB_Files", "description": "SMB files", "query": "event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SMB_Mapping", "description": "SMB mapping logs", "query": "event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SMTP", "description": "SMTP logs", "query": "event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SNMP", "description": "SNMP logs", "query": "event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Software", "description": "List of software seen on the network by Zeek", "query": "event.dataset:software | groupby software.type | groupby software.name | groupby source.ip"},
{ "name": "SSH", "description": "SSH connections seen by Zeek", "query": "event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SSL", "description": "SSL logs", "query": "event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SYSLOG", "description": "SYSLOG logs", "query": "event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Tunnel", "description": "Tunnels seen by Zeek", "query": "event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port "},
{ "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"},
{ "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"}
]

712
salt/soc/files/soc/default.annotation.yaml
View File

@@ -1,712 +0,0 @@
### Elasticsearch Nodes ###
elasticsearch.esheap:
default: 4192
global: false
type: int
nodes:
- manager
- searchnode
elasticsearch.config.node.attr.box_type:
default: hot
global: false
type: bool
options:
- hot
- warm
nodes:
- manager
- searchnode
## Elasticsearch Global ##
elasticsearch.config.cluster.name:
default: securityonion
global: true
type: string
elasticsearch.config.cluster.routing.allocation.disk.threshold_enabled:
default: true
global: true
type: bool
options:
- true
- false
elasticsearch.config.cluster.routing.allocation.disk.watermark.low:
elasticsearch.config.cluster.routing.allocation.disk.watermark.high:
elasticsearch.config.cluster.routing.allocation.disk.watermark.flood_stage:
elasticsearch:"\
config:"\
cluster:"\
name: $ESCLUSTERNAME"\
routing:"\
allocation:"\
" disk:"\
" threshold_enabled: true"\
" watermark:"\
" low: 80%"\
" high: 85%"\
" flood_stage: 90%"\
" script:"\
" max_compilations_rate: 20000/1m"\
" indices:"\
" query:"\
" bool:"\
" max_clause_count: 3500"\
" index_settings:"\
" so-aws:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-azure:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-barracuda:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-beats:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-bluecoat:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-cef:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-checkpoint:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-cisco:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-cyberark:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-cylance:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-elasticsearch:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-endgame:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-f5:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-firewall:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-fortinet:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-gcp:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-google_workspace:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-ids:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-imperva:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-import:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-infoblox:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-juniper:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-kibana:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-logstash:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-microsoft:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-misp:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-netflow:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-netscout:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-o365:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-okta:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-osquery:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-proofpoint:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-radware:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-redis:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-snort:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-snyk:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-sonicwall:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-sophos:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-strelka:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-syslog:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-tomcat:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-zeek:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-zscaler:"\
" warm: 7"\
" close: 30"\
" delete: 365"
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\

1
salt/soc/files/soc/hunt.actions.json
View File

@@ -1 +0,0 @@
This file is no longer used. Please use menu.actions.json instead.

53
salt/soc/files/soc/hunt.eventfields.json
View File

@@ -1,53 +0,0 @@
{
"default": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "network.community_id", "event.dataset" ],
":kratos:audit": ["soc_timestamp", "http_request.headers.x-real-ip", "identity_id", "http_request.headers.user-agent" ],
"::conn": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "network.protocol", "log.id.uid", "network.community_id" ],
"::dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dce_rpc.endpoint", "dce_rpc.named_pipe", "dce_rpc.operation", "log.id.uid" ],
"::dhcp": ["soc_timestamp", "client.address", "server.address", "host.domain", "host.hostname", "dhcp.message_types", "log.id.uid" ],
"::dnp3": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.fc_reply", "log.id.uid" ],
"::dns": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "dns.query.name", "dns.query.type_name", "dns.response.code_name", "log.id.uid", "network.community_id" ],
"::dpd": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.protocol", "observer.analyser", "error.reason", "log.id.uid" ],
"::file": ["soc_timestamp", "source.ip", "destination.ip", "file.name", "file.mime_type", "file.source", "file.bytes.total", "log.id.fuid", "log.id.uid" ],
"::ftp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ftp.user", "ftp.command", "ftp.argument", "ftp.reply_code", "file.size", "log.id.uid" ],
"::http": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "http.method", "http.virtual_host", "http.status_code", "http.status_message", "http.request.body.length", "http.response.body.length", "log.id.uid", "network.community_id" ],
"::intel": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "intel.indicator", "intel.indicator_type", "intel.seen_where", "log.id.uid" ],
"::irc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "irc.username", "irc.nickname", "irc.command.type", "irc.command.value", "irc.command.info", "log.id.uid" ],
"::kerberos": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "kerberos.client", "kerberos.service", "kerberos.request_type", "log.id.uid" ],
"::modbus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ],
"::mysql": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "mysql.command", "mysql.argument", "mysql.success", "mysql.response", "log.id.uid" ],
"::notice": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "notice.note", "notice.message", "log.id.fuid", "log.id.uid", "network.community_id" ],
"::ntlm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ntlm.name", "ntlm.success", "ntlm.server.dns.name", "ntlm.server.nb.name", "ntlm.server.tree.name", "log.id.uid" ],
"::pe": ["soc_timestamp", "file.is_64bit", "file.is_exe", "file.machine", "file.os", "file.subsystem", "log.id.fuid" ],
"::radius": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "username", "radius.framed_address", "radius.reply_message", "radius.result" ],
"::rdp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rdp.client_build", "client_name", "rdp.cookie", "rdp.encryption_level", "rdp.encryption_method", "rdp.keyboard_layout", "rdp.result", "rdp.security_protocol", "log.id.uid" ],
"::rfb": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rfb.authentication.method", "rfb.authentication.success", "rfb.share_flag", "rfb.desktop.name", "log.id.uid" ],
"::signatures" : ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "note", "signature_id", "event_message", "sub_message", "signature_count", "host.count", "log.id.uid" ],
"::sip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "sip.method", "sip.uri", "sip.request.from", "sip.request.to", "sip.response.from", "sip.response.to", "sip.call_id", "sip.subject", "sip.user_agent", "sip.status_code", "log.id.uid" ],
"::smb_files" : ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.fuid", "file.action", "file.path", "file.name", "file.size", "file.prev_name", "log.id.uid" ],
"::smb_mapping" : ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "smb.path", "smb.service", "smb.share_type", "log.id.uid" ],
"::smtp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "smtp.from", "smtp.recipient_to", "smtp.subject", "smtp.useragent", "log.id.uid", "network.community_id" ],
"::snmp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "snmp.community", "snmp.version", "log.id.uid" ],
"::socks": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "socks.name", "socks.request.host", "socks.request.port", "socks.status", "log.id.uid" ],
"::software": ["soc_timestamp", "source.ip", "software.name", "software.type" ],
"::ssh": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssh.version", "ssh.hassh_version", "ssh.direction", "ssh.client", "ssh.server", "log.id.uid" ],
"::ssl": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssl.server_name", "ssl.certificate.subject", "ssl.validation_status", "ssl.version", "log.id.uid" ],
":zeek:syslog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "syslog.facility", "network.protocol", "syslog.severity", "log.id.uid" ],
"::tunnels": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tunnel_type", "action", "log.id.uid" ],
"::weird": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "weird.name", "log.id.uid" ],
"::x509": ["soc_timestamp", "x509.certificate.subject", "x509.certificate.key.type", "x509.certificate.key.length", "x509.certificate.issuer", "log.id.fuid" ],
"::firewall": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "network.direction", "interface.name", "rule.action", "rule.reason", "network.community_id" ],
":osquery:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ],
":ossec:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location" ],
":strelka:file": ["soc_timestamp", "file.name", "file.size", "hash.md5", "file.source", "file.mime_type", "log.id.fuid" ],
":suricata:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.category", "event.severity_label", "log.id.uid", "network.community_id" ],
":sysmon:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ],
":windows_eventlog:": ["soc_timestamp", "user.name" ],
":elasticsearch:": ["soc_timestamp", "agent.name", "message", "log.level", "metadata.version", "metadata.pipeline", "event.dataset" ],
":kibana:": ["soc_timestamp", "host.name", "message", "kibana.log.meta.req.headers.x-real-ip", "event.dataset" ],
"::rootcheck": ["soc_timestamp", "host.name", "metadata.ip_address", "log.full", "event.dataset", "event.module" ],
"::ossec": ["soc_timestamp", "host.name", "metadata.ip_address", "log.full", "event.dataset", "event.module" ],
"::syscollector": ["soc_timestamp", "host.name", "metadata.ip_address", "wazuh.data.type", "log.full", "event.dataset", "event.module" ],
":syslog:syslog": ["soc_timestamp", "host.name", "metadata.ip_address", "real_message", "syslog.priority", "syslog.application" ],
":aws:": ["soc_timestamp", "aws.cloudtrail.event_category", "aws.cloudtrail.event_type", "event.provider", "event.action", "event.outcome", "cloud.region", "user.name", "source.ip", "source.geo.region_iso_code" ],
":squid:": ["soc_timestamp", "url.original", "destination.ip", "destination.geo.country_iso_code", "user.name", "source.ip" ]
}

67
salt/soc/files/soc/hunt.queries.json
View File

@@ -1,67 +0,0 @@
[
{ "name": "Default Query", "showSubtitle": true, "description": "Show all events grouped by the origin host", "query": "* | groupby observer.name"},
{ "name": "Log Type", "showSubtitle": true, "description": "Show all events grouped by module and dataset", "query": "* | groupby event.module event.dataset"},
{ "name": "SOC Auth", "showSubtitle": true, "description": "Users authenticated to SOC grouped by IP address and identity", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id"},
{ "name": "Elastalerts", "showSubtitle": true, "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name alert_info.type"},
{ "name": "Alerts", "showSubtitle": true, "description": "Show all alerts grouped by alert source", "query": "event.dataset: alert | groupby event.module"},
{ "name": "NIDS Alerts", "showSubtitle": true, "description": "Show all NIDS alerts grouped by alert", "query": "event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name"},
{ "name": "Wazuh/OSSEC Alerts", "showSubtitle": true, "description": "Show all Wazuh alerts at Level 5 or higher grouped by category", "query": "event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name"},
{ "name": "Wazuh/OSSEC Alerts", "showSubtitle": true, "description": "Show all Wazuh alerts at Level 4 or lower grouped by category", "query": "event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name"},
{ "name": "Wazuh/OSSEC Users and Commands", "showSubtitle": true, "description": "Show all Wazuh alerts grouped by username and command line", "query": "event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line"},
{ "name": "Wazuh/OSSEC Processes", "showSubtitle": true, "description": "Show all Wazuh alerts grouped by process name", "query": "event.module:ossec AND event.dataset:alert | groupby process.name"},
{ "name": "Sysmon Events", "showSubtitle": true, "description": "Show all Sysmon logs grouped by event type", "query": "event.module:sysmon | groupby event.dataset"},
{ "name": "Sysmon Usernames", "showSubtitle": true, "description": "Show all Sysmon logs grouped by username", "query": "event.module:sysmon | groupby event.dataset, user.name.keyword"},
{ "name": "Strelka", "showSubtitle": true, "description": "Show all Strelka logs grouped by file type", "query": "event.module:strelka | groupby file.mime_type"},
{ "name": "Zeek Notice", "showSubtitle": true, "description": "Show notices from Zeek", "query": "event.dataset:notice | groupby notice.note notice.message"},
{ "name": "Connections", "showSubtitle": true, "description": "Connections grouped by IP and Port", "query": "event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port"},
{ "name": "Connections", "showSubtitle": true, "description": "Connections grouped by Service", "query": "event.dataset:conn | groupby network.protocol destination.port"},
{ "name": "Connections", "showSubtitle": true, "description": "Connections grouped by destination country", "query": "event.dataset:conn | groupby destination.geo.country_name"},
{ "name": "Connections", "showSubtitle": true, "description": "Connections grouped by source country", "query": "event.dataset:conn | groupby source.geo.country_name"},
{ "name": "DCE_RPC", "showSubtitle": true, "description": "DCE_RPC grouped by operation", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation"},
{ "name": "DHCP", "showSubtitle": true, "description": "DHCP leases", "query": "event.dataset:dhcp | groupby host.hostname client.address"},
{ "name": "DHCP", "showSubtitle": true, "description": "DHCP grouped by message type", "query": "event.dataset:dhcp | groupby dhcp.message_types"},
{ "name": "DNP3", "showSubtitle": true, "description": "DNP3 grouped by reply", "query": "event.dataset:dnp3 | groupby dnp3.fc_reply"},
{ "name": "DNS", "showSubtitle": true, "description": "DNS queries grouped by port", "query": "event.dataset:dns | groupby dns.query.name destination.port"},
{ "name": "DNS", "showSubtitle": true, "description": "DNS queries grouped by type", "query": "event.dataset:dns | groupby dns.query.type_name destination.port"},
{ "name": "DNS", "showSubtitle": true, "description": "DNS queries grouped by response code", "query": "event.dataset:dns | groupby dns.response.code_name destination.port"},
{ "name": "DNS", "showSubtitle": true, "description": "DNS highest registered domain", "query": "event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port"},
{ "name": "DNS", "showSubtitle": true, "description": "DNS grouped by parent domain", "query": "event.dataset:dns | groupby dns.parent_domain.keyword destination.port"},
{ "name": "DPD", "showSubtitle": true, "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason"},
{ "name": "Files", "showSubtitle": true, "description": "Files grouped by mimetype", "query": "event.dataset:file | groupby file.mime_type source.ip"},
{ "name": "Files", "showSubtitle": true, "description": "Files grouped by source", "query": "event.dataset:file | groupby file.source source.ip"},
{ "name": "FTP", "showSubtitle": true, "description": "FTP grouped by command and argument", "query": "event.dataset:ftp | groupby ftp.command ftp.argument"},
{ "name": "FTP", "showSubtitle": true, "description": "FTP grouped by username and argument", "query": "event.dataset:ftp | groupby ftp.user ftp.argument"},
{ "name": "HTTP", "showSubtitle": true, "description": "HTTP grouped by destination port", "query": "event.dataset:http | groupby destination.port"},
{ "name": "HTTP", "showSubtitle": true, "description": "HTTP grouped by status code and message", "query": "event.dataset:http | groupby http.status_code http.status_message"},
{ "name": "HTTP", "showSubtitle": true, "description": "HTTP grouped by method and user agent", "query": "event.dataset:http | groupby http.method http.useragent"},
{ "name": "HTTP", "showSubtitle": true, "description": "HTTP grouped by virtual host", "query": "event.dataset:http | groupby http.virtual_host"},
{ "name": "HTTP", "showSubtitle": true, "description": "HTTP with exe downloads", "query": "event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host"},
{ "name": "Intel", "showSubtitle": true, "description": "Intel framework hits grouped by indicator", "query": "event.dataset:intel | groupby intel.indicator.keyword"},
{ "name": "IRC", "showSubtitle": true, "description": "IRC grouped by command", "query": "event.dataset:irc | groupby irc.command.type"},
{ "name": "Kerberos", "showSubtitle": true, "description": "Kerberos grouped by service", "query": "event.dataset:kerberos | groupby kerberos.service"},
{ "name": "MODBUS", "showSubtitle": true, "description": "MODBUS grouped by function", "query": "event.dataset:modbus | groupby modbus.function"},
{ "name": "MYSQL", "showSubtitle": true, "description": "MYSQL grouped by command", "query": "event.dataset:mysql | groupby mysql.command"},
{ "name": "NOTICE", "showSubtitle": true, "description": "Zeek notice logs grouped by note and message", "query": "event.dataset:notice | groupby notice.note notice.message"},
{ "name": "NTLM", "showSubtitle": true, "description": "NTLM grouped by computer name", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name"},
{ "name": "Osquery Live Queries", "showSubtitle": true, "description": "Osquery Live Query results grouped by computer name", "query": "event.dataset:live_query | groupby host.hostname"},
{ "name": "PE", "showSubtitle": true, "description": "PE files list", "query": "event.dataset:pe | groupby file.machine file.os file.subsystem"},
{ "name": "RADIUS", "showSubtitle": true, "description": "RADIUS grouped by username", "query": "event.dataset:radius | groupby user.name.keyword"},
{ "name": "RDP", "showSubtitle": true, "description": "RDP grouped by client name", "query": "event.dataset:rdp | groupby client.name"},
{ "name": "RFB", "showSubtitle": true, "description": "RFB grouped by desktop name", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword"},
{ "name": "Signatures", "showSubtitle": true, "description": "Zeek signatures grouped by signature id", "query": "event.dataset:signatures | groupby signature_id"},
{ "name": "SIP", "showSubtitle": true, "description": "SIP grouped by user agent", "query": "event.dataset:sip | groupby client.user_agent"},
{ "name": "SMB_Files", "showSubtitle": true, "description": "SMB files grouped by action", "query": "event.dataset:smb_files | groupby file.action"},
{ "name": "SMB_Mapping", "showSubtitle": true, "description": "SMB mapping grouped by path", "query": "event.dataset:smb_mapping | groupby smb.path"},
{ "name": "SMTP", "showSubtitle": true, "description": "SMTP grouped by subject", "query": "event.dataset:smtp | groupby smtp.subject"},
{ "name": "SNMP", "showSubtitle": true, "description": "SNMP grouped by version and string", "query": "event.dataset:snmp | groupby snmp.community snmp.version"},
{ "name": "Software", "showSubtitle": true, "description": "List of software seen on the network", "query": "event.dataset:software | groupby software.type software.name"},
{ "name": "SSH", "showSubtitle": true, "description": "SSH grouped by version and client", "query": "event.dataset:ssh | groupby ssh.version ssh.client"},
{ "name": "SSL", "showSubtitle": true, "description": "SSL grouped by version and server name", "query": "event.dataset:ssl | groupby ssl.version ssl.server_name"},
{ "name": "SYSLOG", "showSubtitle": true, "description": "SYSLOG grouped by severity and facility ", "query": "event.dataset:syslog | groupby syslog.severity_label syslog.facility_label"},
{ "name": "Tunnel", "showSubtitle": true, "description": "Tunnels grouped by type and action", "query": "event.dataset:tunnel | groupby tunnel.type event.action"},
{ "name": "Weird", "showSubtitle": true, "description": "Zeek weird log grouped by name", "query": "event.dataset:weird | groupby weird.name"},
{ "name": "x509", "showSubtitle": true, "description": "x.509 grouped by key length and name", "query": "event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns"},
{ "name": "x509", "showSubtitle": true, "description": "x.509 grouped by name and issuer", "query": "event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer"},
{ "name": "x509", "showSubtitle": true, "description": "x.509 grouped by name and subject", "query": "event.dataset:x509 | groupby x509.san_dns x509.certificate.subject"},
{ "name": "Firewall", "showSubtitle": true, "description": "Firewall events grouped by action", "query": "event.dataset:firewall | groupby rule.action"}
]

41
salt/soc/files/soc/menu.actions.json
View File

@@ -1,41 +0,0 @@
{%- set ENDGAMEHOST = salt['pillar.get']('soc:endgamehost', False) %}
[
{ "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "",
"links": [
"/#/hunt?q=\"{value|escape}\" | groupby event.module event.dataset"
]},
{ "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "",
"links": [
"/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
"/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\") | groupby event.module event.dataset",
"/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
"/#/hunt?q=(\"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
"/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset",
"/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset",
"/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset"
]},
{ "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "target": "",
"links": [
"/joblookup?esid={:soc_id}&time={:@timestamp}",
"/joblookup?ncid={:network.community_id}&time={:@timestamp}"
],
"categories": ["hunt", "alerts"]},
{ "name": "actionCyberChef", "description": "actionCyberChefHelp", "icon": "fas fa-bread-slice", "target": "_blank",
"links": [
"/cyberchef/#input={value|base64}"
]},
{ "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "target": "_blank",
"links": [
"https://www.google.com/search?q={value}"
]},
{ "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "target": "_blank",
"links": [
"https://www.virustotal.com/gui/search/{value}"
]}
{%- if ENDGAMEHOST %}
,{ "name": "Endgame", "description": "Endgame Endpoint Investigation and Response", "icon": "fa-external-link-alt", "target": "_blank",
"links": [
"https://{{ ENDGAMEHOST }}/endpoints/{:agent.id}"
]}
{% endif %}
]

20
salt/soc/files/soc/presets.artifacttype.json
View File

@@ -1,20 +0,0 @@
{
"labels": [
"autonomous-system",
"domain",
"file",
"filename",
"fqdn",
"hash",
"ip",
"mail",
"mail_subject",
"other",
"regexp",
"registry",
"uri_path",
"url",
"user-agent"
],
"customEnabled": true
}

7
salt/soc/files/soc/presets.category.json
View File

@@ -1,7 +0,0 @@
{
"labels": [
"general",
"template"
],
"customEnabled": true
}

9
salt/soc/files/soc/presets.pap.json
View File

@@ -1,9 +0,0 @@
{
"labels": [
"white",
"green",
"amber",
"red"
],
"customEnabled": false
}

9
salt/soc/files/soc/presets.severity.json
View File

@@ -1,9 +0,0 @@
{
"labels": [
"low",
"medium",
"high",
"critical"
],
"customEnabled": false
}

8
salt/soc/files/soc/presets.status.json
View File

@@ -1,8 +0,0 @@
{
"labels": [
"new",
"in progress",
"closed"
],
"customEnabled": false
}

8
salt/soc/files/soc/presets.tag.json
View File

@@ -1,8 +0,0 @@
{
"labels": [
"false-positive",
"confirmed",
"pending"
],
"customEnabled": true
}

9
salt/soc/files/soc/presets.tlp.json
View File

@@ -1,9 +0,0 @@
{
"labels": [
"white",
"green",
"amber",
"red"
],
"customEnabled": false
}

8
salt/soc/files/soc/tools.json
View File

@@ -1,8 +0,0 @@
[
{ "name": "toolKibana", "description": "toolKibanaHelp", "icon": "fa-external-link-alt", "target": "so-kibana", "link": "/kibana/" },
{ "name": "toolGrafana", "description": "toolGrafanaHelp", "icon": "fa-external-link-alt", "target": "so-grafana", "link": "/grafana/d/so_overview" },
{ "name": "toolCyberchef", "description": "toolCyberchefHelp", "icon": "fa-external-link-alt", "target": "so-cyberchef", "link": "/cyberchef/" },
{ "name": "toolPlaybook", "description": "toolPlaybookHelp", "icon": "fa-external-link-alt", "target": "so-playbook", "link": "/playbook/projects/detection-playbooks/issues/" },
{ "name": "toolFleet", "description": "toolFleetHelp", "icon": "fa-external-link-alt", "target": "so-fleet", "link": "/fleet/" },
{ "name": "toolNavigator", "description": "toolNavigatorHelp", "icon": "fa-external-link-alt", "target": "so-navigator", "link": "/navigator/" }
]

19
salt/soc/init.sls
View File

@@ -30,16 +30,6 @@ soclogdir:
- makedirs: True - makedirs: True
socactions:
file.managed:
- name: /opt/so/conf/soc/menu.actions.json
- source: salt://soc/files/soc/menu.actions.json
- user: 939
- group: 939
- mode: 600
- template: jinja
socconfig: socconfig:
file.managed: file.managed:
- name: /opt/so/conf/soc/soc.json - name: /opt/so/conf/soc/soc.json
@@ -92,6 +82,13 @@ socusersroles:
- require: - require:
- sls: manager.sync_es_users - sls: manager.sync_es_users
salt-relay:
cmd.run:
- env:
- SOC_PIPE: /opt/sensoroni/salt.pipe
- name: '/opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh >> /opt/so/log/soc/salt-relay.log 2>&1 &'
- unless: ps -ef | grep salt-relay | grep -v grep
so-soc: so-soc:
docker_container.running: docker_container.running:
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }} - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }}
@@ -106,6 +103,8 @@ so-soc:
- /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro - /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro
- /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro - /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro
- /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw - /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw
- /opt/so/conf/soc/salt.pipe:/opt/sensoroni/salt.pipe:rw
- /opt/so/saltstack:/opt/so/saltstack:rw
{%- if salt['pillar.get']('nodestab', {}) %} {%- if salt['pillar.get']('nodestab', {}) %}
- extra_hosts: - extra_hosts:
{%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}

36
salt/soc/merged.map.jinja
View File

@@ -5,9 +5,9 @@
{# if SOCMERGED.server.modules.cases == httpcase details come from the soc pillar #} {# if SOCMERGED.server.modules.cases == httpcase details come from the soc pillar #}
{% if SOCMERGED.server.modules.cases != 'soc' %} {% if SOCMERGED.server.modules.cases != 'soc' %}
{% do SOCMERGED.server.modules.elastic.update({'casesEnabled': false}) %} {% do SOCMERGED.server.modules.elastic.update({'casesEnabled': false}) %}
{% do SOCMERGED.client.update({'casesEnabled': false}) %} {% do SOCMERGED.server.client.update({'casesEnabled': false}) %}
{% do SOCMERGED.client.hunt.update({'escalateRelatedEventsEnabled': false}) %} {% do SOCMERGED.server.client.hunt.update({'escalateRelatedEventsEnabled': false}) %}
{% do SOCMERGED.client.alerts.update({'escalateRelatedEventsEnabled': false}) %} {% do SOCMERGED.server.client.alerts.update({'escalateRelatedEventsEnabled': false}) %}
{% if SOCMERGED.server.modules.cases == 'elasticcases' %} {% if SOCMERGED.server.modules.cases == 'elasticcases' %}
{% do SOCMERGED.server.modules.update({ {% do SOCMERGED.server.modules.update({
'elasticcases': { 'elasticcases': {
@@ -23,20 +23,40 @@
{# change some options if this is airgap #} {# change some options if this is airgap #}
{% if GLOBALS.airgap %} {% if GLOBALS.airgap %}
{% do SOCMERGED.client.update({ {% do SOCMERGED.server.client.update({
'docsUrl': '/docs/', 'docsUrl': '/docs/',
'cheatsheetUrl': '/docs/cheatsheet.pdf', 'cheatsheetUrl': '/docs/cheatsheet.pdf',
'releaseNotesUrl': '/docs/#release-notes' 'releaseNotesUrl': '/docs/#release-notes'
}) })
%} %}
{% endif %} {% endif %}
{% if pillar.manager.playbook == 0 %} {% if pillar.manager.playbook == 0 %}
{% do SOCMERGED.client.inactiveTools.append('toolPlaybook') %} {% do SOCMERGED.server.client.inactiveTools.append('toolPlaybook') %}
{% endif %} {% endif %}
{% do SOCMERGED.client.inactiveTools.append('toolFleet') %} {% do SOCMERGED.server.client.inactiveTools.append('toolFleet') %}
{% if pillar.manager.grafana == 0 %} {% if pillar.manager.grafana == 0 %}
{% do SOCMERGED.client.inactiveTools.append('toolGrafana') %} {% do SOCMERGED.server.client.inactiveTools.append('toolGrafana') %}
{% endif %} {% endif %}
{% set standard_actions = SOCMERGED.pop('actions') %}
{% if pillar.global.endgamehost is defined %}
{% set endgame_dict = {
"name": "Endgame",
"description": "Endgame Endpoint Investigation and Response",
"icon": "fa-external-link-alt",
"target": "_blank",
"links": ["https://" ~ pillar.global.endgamehost ~ "/endpoints/{:agent.id}"]
}
%}
{% do standard_actions.append(endgame_dict) %}
{% endif %}
{% do SOCMERGED.server.client.hunt.update({'actions': standard_actions}) %}
{% do SOCMERGED.server.client.dashboards.update({'actions': standard_actions}) %}
{% do SOCMERGED.server.client.update({'job': {'actions': standard_actions}}) %}
{% do SOCMERGED.server.client.alerts.update({'actions': standard_actions}) %}
{% do SOCMERGED.server.client.cases.update({'actions': standard_actions}) %}

11
setup/so-functions
View File

@@ -1455,15 +1455,7 @@ idstools_pillar() {
soc_pillar() { soc_pillar() {
touch $adv_soc_pillar_file touch $adv_soc_pillar_file
printf '%s\n'\ touch $soc_pillar_file
"soc:"\
" es_index_patterns: '*:so-*,*:endgame-*'"\
"" > "$soc_pillar_file"
if [[ -n $ENDGAMEHOST ]]; then
printf '%s\n'\
" endgamehost: '$ENDGAMEHOST'"\
"" >> "$soc_pillar_file"
fi
} }
manager_pillar() { manager_pillar() {
@@ -1530,6 +1522,7 @@ create_global() {
echo " pipeline: 'redis'" >> $global_pillar_file echo " pipeline: 'redis'" >> $global_pillar_file
echo " repo_host: '$MAINIP'" >> $global_pillar_file echo " repo_host: '$MAINIP'" >> $global_pillar_file
echo " registry_host: '$MAINIP'" >> $global_pillar_file echo " registry_host: '$MAINIP'" >> $global_pillar_file
echo " endgamehost: '$ENDGAMEHOST'" >> $global_pillar_file
} }
create_sensoroni_pillar() { create_sensoroni_pillar() {