From 32a26559dd14956675125f2f3bc507a7df01b408 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Tue, 24 Feb 2026 14:00:06 -0600
Subject: [PATCH 1/4] add dns.query.type and dns.query.type_name field mappings
---
.../templates/component/ecs/dns.json | 182 ++++++++++--------
1 file changed, 97 insertions(+), 85 deletions(-)
diff --git a/salt/elasticsearch/templates/component/ecs/dns.json b/salt/elasticsearch/templates/component/ecs/dns.json
index 321a061f5..9cafac072 100644
--- a/salt/elasticsearch/templates/component/ecs/dns.json
+++ b/salt/elasticsearch/templates/component/ecs/dns.json
@@ -1,91 +1,103 @@ { - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "query": { + "properties" :{ + "type":{ + "ignore_above": 1024, + "type": "keyword" + }, + "type_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + 
"ignore_above": 1024, + "type": "keyword" + } + } } - }, - "type": "object" - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } - } } - } } - } } \ No newline at end of file From 742649a33797ceb85a111402fb48cd3839d2fcbb Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 24 Feb 2026 14:21:28 -0600 Subject: [PATCH 2/4] rename kratos file to file.path --- salt/elasticsearch/defaults.yaml | 1 + salt/elasticsearch/files/ingest/kratos | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index f2245c020..f2fa4d05b 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -858,6 +858,7 @@ elasticsearch: composed_of: - agent-mappings - dtc-agent-mappings + - file-mappings - host-mappings - dtc-host-mappings - http-mappings diff --git a/salt/elasticsearch/files/ingest/kratos b/salt/elasticsearch/files/ingest/kratos index d59f45587..b3410d9fd 100644 --- a/salt/elasticsearch/files/ingest/kratos +++ b/salt/elasticsearch/files/ingest/kratos 
@@ -81,6 +81,14 @@
"ignore_missing": true
}
},
+ {
+ "rename": {
+ "field": "file",
+ "target_field": "file.path",
+ "ignore_failure": true,
+ "ignore_missing": true
+ }
+ },
{
"pipeline": {
"name": "common"
From f4be73fdde71e05ae7993af8e12af6345a08c35d Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Tue, 24 Feb 2026 14:23:08 -0600
Subject: [PATCH 3/4] re-add event-mappings to kratos index for event.ingested mapping
---
salt/elasticsearch/defaults.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index f2fa4d05b..c9f771a91 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -858,6 +858,7 @@ elasticsearch: composed_of: - agent-mappings - dtc-agent-mappings + - event-mappings - file-mappings - host-mappings - dtc-host-mappings
From 4d5ace2a890aea34d04ec18118c87607e813ebc7 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Tue, 24 Feb 2026 14:32:01 -0600
Subject: [PATCH 4/4] add file.bytes.missing field mapping
---
salt/elasticsearch/templates/component/ecs/file.json | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/salt/elasticsearch/templates/component/ecs/file.json b/salt/elasticsearch/templates/component/ecs/file.json
index 3da5ee86a..dfd96c2b5 100644
--- a/salt/elasticsearch/templates/component/ecs/file.json
+++ b/salt/elasticsearch/templates/component/ecs/file.json
@@ -15,6 +15,13 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "bytes": {
+ "properties": {
+ "missing": {
+ "type": "long"
+ }
+ }
+ },
"code_signature": {
"properties": {
"digest_algorithm": {
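Review bot: `"ignore_failure": true` on the new `rename` processor hides the one failure that `ignore_missing` does not already cover: the rename fails when `file.path` is already present, and the document then continues with `file` still a top-level scalar. Now that the kratos index is composed with `file-mappings` (the defaults.yaml hunk of this patch), such a document would be rejected with a mapping conflict on `file` at index time, where the cause is much harder to see than a pipeline failure. Consider dropping `ignore_failure` so the failure reaches the pipeline's failure handling, or replacing it with an `on_failure` block that keeps the reason, e.g. a `set` of `error.message` to `{{ _ingest.on_failure_message }}`. That kratos emits `file` as a scalar is inferred from the rename itself, not visible here. The enclosing `processors` array starts and ends outside the hunk.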