From 2ac0aba9169249589d086f158c6d82052a8aab7d Mon Sep 17 00:00:00 2001
From: Wes
Date: Tue, 13 Jun 2023 21:32:02 +0000
Subject: [PATCH] Add osquery files

---
 ...logs-osquery_manager.action.responses.json | 91 +++++++++++++++
 .../logs-osquery_manager.actions.json | 110 ++++++++++++++++++
 2 files changed, 201 insertions(+)
 create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.action.responses.json
 create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.actions.json

diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.action.responses.json b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.action.responses.json
new file mode 100644
index 000000000..afe990c92
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.action.responses.json
@@ -0,0 +1,91 @@
+{"template": {
+ "mappings": {
+ "properties": {
+ "completed_at": {
+ "type": "date"
+ },
+ "action_response": {
+ "properties": {
+ "osquery": {
+ "properties": {
+ "count": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ },
+ "@timestamp": {
+ "type": "date"
+ },
+ "agent_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "action_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "count": {
+ "type": "long"
+ },
+ "started_at": {
+ "type": "date"
+ },
+ "action_input_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "error": {
+ "type": "text",
+ "fields": {
+ "keyword": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "event": {
+ "properties": {
+ "agent_id_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ingested": {
+ "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
+ "type": "date"
+ }
+ }
+ },
+ "action_data": {
+ "properties": {
+ "saved_query_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ecs_mapping": {
+ "type": "object",
+ "enabled": false
+ },
+ "platform": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.actions.json b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.actions.json
new file mode 100644
index 000000000..44296af13
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.actions.json
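Review bot: `action_data.query` under `properties` is mapped as `keyword` with `"ignore_above": 1024`, so an osquery statement longer than 1024 characters is kept in `_source` but never indexed, and a search or aggregation over which query ran against which agent silently misses it, which weakens the audit trail this index exists to provide. The `error` field in the same hunk already uses the `text` field with a `keyword` sub-field, which keeps long values searchable while still allowing exact matching on the shorter ones; mapping `query` the same way, `"query": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 1024 } } }`, or as `wildcard`, would close the gap. The second file's hunk maps the same logical field two different ways, `data.query` as `keyword` with the same `ignore_above` and `queries.query` as bare `text`, so the three `query` fields should be aligned on one choice so that one search works across the action and response indices.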
@@ -0,0 +1,110 @@
+{"template": {
+ "mappings": {
+ "properties": {
+ "pack_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "metadata": {
+ "type": "object",
+ "enabled": false
+ },
+ "data": {
+ "properties": {
+ "query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "pack_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "input_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pack_prebuilt": {
+ "type": "boolean"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "queries": {
+ "properties": {
+ "action_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "saved_query_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "saved_query_prebuilt": {
+ "type": "boolean"
+ },
+ "query": {
+ "type": "text"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ecs_mapping": {
+ "type": "object",
+ "enabled": false
+ },
+ "platform": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agents": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "agents": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "@timestamp": {
+ "type": "date"
+ },
+ "action_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "expiration": {
+ "type": "date"
+ },
+ "event": {
+ "properties": {
+ "agent_id_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ingested": {
+ "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
+ "type": "date"
+ }
+ }
+ },
+ "agent_ids": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+}
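Review bot: Neither this template nor the one in the first file records where its field list comes from, and the field names and the repeated `ignore_above`/`ecs_mapping` conventions suggest (inferred, not visible on the page) that both were copied from an upstream integration package, so a later maintainer cannot tell which upstream version these files track when a field is added or retyped. A `_meta` block beside `mappings` at the top of `template`, e.g. `"_meta": { "source": "<upstream package and version placeholder>", "managed_by": "<owner placeholder>" }`, would document that without changing the mapping. The template also sets no `dynamic` policy, so any field not listed here is auto-mapped with Elasticsearch's defaults unless another component template in the chain overrides it; if that is intentional, the same `_meta` block is the place to say so.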