From cf95af66c66c1623190eff042965aa9f340a8ea8 Mon Sep 17 00:00:00 2001
From: Jorge Reyes <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 21 Oct 2024 15:23:05 -0400
Subject: [PATCH] Revert "Add support for cybereason integration"
---
 salt/elasticfleet/defaults.yaml | 1 -
 salt/elasticsearch/defaults.yaml | 264 ------------------
 salt/elasticsearch/soc_elasticsearch.yaml | 6 -
 .../logs-cybereason.logon_session@custom.json | 36 ---
 ...gs-cybereason.malop_connection@custom.json | 36 ---
 .../logs-cybereason.malop_process@custom.json | 36 ---
 .../logs-cybereason.malware@custom.json | 36 ---
 .../logs-cybereason.poll_malop@custom.json | 36 ---
 ...-cybereason.suspicions_process@custom.json | 36 ---
 9 files changed, 487 deletions(-)
 delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.logon_session@custom.json
 delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_connection@custom.json
 delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_process@custom.json
 delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malware@custom.json
 delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.poll_malop@custom.json
 delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.suspicions_process@custom.json
diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml
index 6e4ce206b..e586100da 100644
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -53,7 +53,6 @@ elasticfleet:
 - citrix_waf
 - cloudflare
 - crowdstrike
- - cybereason
 - darktrace
 - elastic_agent
 - elasticsearch
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 0a6463f06..f0178728e 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -3562,270 +3562,6 @@ elasticsearch:
 set_priority:
 priority: 50
 min_age: 30d
- so-logs-cybereason_x_logon_session:
- index_sorting: False
- index_template:
- index_patterns:
- - "logs-cybereason.logon_session-*"
- template:
- settings:
- index:
- number_of_replicas: 0
- composed_of:
- - "logs-cybereason.logon_session@package"
- - "logs-cybereason.logon_session@custom"
- - "so-fleet_globals-1"
- - "so-fleet_agent_id_verification-1"
- priority: 501
- data_stream:
- hidden: false
- allow_custom_routing: false
- ignore_missing_component_templates:
- - logs-cybereason.logon_session@custom
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-cybereason_x_malop_connection:
- index_sorting: False
- index_template:
- index_patterns:
- - "logs-cybereason.malop_connection-*"
- template:
- settings:
- index:
- number_of_replicas: 0
- composed_of:
- - "logs-cybereason.malop_connection@package"
- - "logs-cybereason.malop_connection@custom"
- - "so-fleet_globals-1"
- - "so-fleet_agent_id_verification-1"
- priority: 501
- data_stream:
- hidden: false
- allow_custom_routing: false
- ignore_missing_component_templates:
- - logs-cybereason.malop_connection@custom
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-cybereason_x_malop_process:
- index_sorting: False
- index_template:
- index_patterns:
- - "logs-cybereason.malop_process-*"
- template:
- settings:
- index:
- number_of_replicas: 0
- composed_of:
- - "logs-cybereason.malop_process@package"
- - "logs-cybereason.malop_process@custom"
- - "so-fleet_globals-1"
- - "so-fleet_agent_id_verification-1"
- priority: 501
- data_stream:
- hidden: false
- allow_custom_routing: false
- ignore_missing_component_templates:
- - logs-cybereason.malop_process@custom
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-cybereason_x_malware:
- index_sorting: False
- index_template:
- index_patterns:
- - "logs-cybereason.malware-*"
- template:
- settings:
- index:
- number_of_replicas: 0
- composed_of:
- - "logs-cybereason.malware@package"
- - "logs-cybereason.malware@custom"
- - "so-fleet_globals-1"
- - "so-fleet_agent_id_verification-1"
- priority: 501
- data_stream:
- hidden: false
- allow_custom_routing: false
- ignore_missing_component_templates:
- - logs-cybereason.malware@custom
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-cybereason_x_poll_malop:
- index_sorting: False
- index_template:
- index_patterns:
- - "logs-cybereason.poll_malop-*"
- template:
- settings:
- index:
- number_of_replicas: 0
- composed_of:
- - "logs-cybereason.poll_malop@package"
- - "logs-cybereason.poll_malop@custom"
- - "so-fleet_globals-1"
- - "so-fleet_agent_id_verification-1"
- priority: 501
- data_stream:
- hidden: false
- allow_custom_routing: false
- ignore_missing_component_templates:
- - logs-cybereason.poll_malop@custom
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-cybereason_x_suspicions_process:
- index_sorting: False
- index_template:
- index_patterns:
- - "logs-cybereason.suspicions_process-*"
- template:
- settings:
- index:
- number_of_replicas: 0
- composed_of:
- - "logs-cybereason.suspicions_process@package"
- - "logs-cybereason.suspicions_process@custom"
- - "so-fleet_globals-1"
- - "so-fleet_agent_id_verification-1"
- priority: 501
- data_stream:
- hidden: false
- allow_custom_routing: false
- ignore_missing_component_templates:
- - logs-cybereason.suspicions_process@custom
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
 so-logs-darktrace_x_ai_analyst_alert:
 index_sorting: false
 index_template:
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index 284e4acc2..266372708 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -398,12 +398,6 @@ elasticsearch:
 so-logs-cloudflare_x_logpull: *indexSettings
 so-logs-crowdstrike_x_falcon: *indexSettings
 so-logs-crowdstrike_x_fdr: *indexSettings
- so-logs-cybereason_x_logon_session: *indexSettings
- so-logs-cybereason_x_malop_connection: *indexSettings
- so-logs-cybereason_x_malop_process: *indexSettings
- so-logs-cybereason_x_malware: *indexSettings
- so-logs-cybereason_x_poll_malop: *indexSettings
- so-logs-cybereason_x_suspicions_process: *indexSettings
 so-logs-darktrace_x_ai_analyst_alert: *indexSettings
 so-logs-darktrace_x_model_breach_alert: *indexSettings
 so-logs-darktrace_x_system_status_alert: *indexSettings
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.logon_session@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.logon_session@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.logon_session@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_connection@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_connection@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_connection@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_process@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_process@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_process@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malware@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malware@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malware@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.poll_malop@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.poll_malop@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.poll_malop@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.suspicions_process@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.suspicions_process@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.suspicions_process@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}