diff --git a/pillar/logstash/eval.sls b/pillar/logstash/eval.sls
index 491dcfbd8..7f817ed39 100644
--- a/pillar/logstash/eval.sls
+++ b/pillar/logstash/eval.sls
@@ -3,52 +3,19 @@ logstash:
eval:
config:
- so/0800_input_eval.conf
- - so/1000_preprocess_log_elapsed.conf
- - so/1001_preprocess_syslogng.conf
- so/1002_preprocess_json.conf
- - so/1004_preprocess_syslog_types.conf
- - so/1026_preprocess_dhcp.conf
- - so/1029_preprocess_esxi.conf
- - so/1030_preprocess_greensql.conf
- - so/1031_preprocess_iis.conf
- - so/1032_preprocess_mcafee.conf
- so/1033_preprocess_snort.conf
- - so/1034_preprocess_syslog.conf
- - so/2000_network_flow.conf
- - so/6002_syslog.conf
- - so/6101_switch_brocade.conf
- - so/6200_firewall_fortinet.conf
- - so/6201_firewall_pfsense.conf
- - so/6300_windows.conf
- - so/6301_dns_windows.conf
- - so/6400_suricata.conf
- so/6500_ossec.conf
- so/6501_ossec_sysmon.conf
- so/6502_ossec_autoruns.conf
- so/6600_winlogbeat_sysmon.conf
- so/6700_winlogbeat.conf
- so/7100_osquery_wel.conf
- - so/7200_strelka.conf
- - so/8001_postprocess_common_ip_augmentation.conf
- - so/8007_postprocess_http.conf
- - so/8200_postprocess_tagging.conf
- - so/8998_postprocess_log_elapsed.conf
- so/8999_postprocess_rename_type.conf
- so/9000_output_bro.conf.jinja
- - so/9001_output_switch.conf.jinja
- so/9002_output_import.conf.jinja
- - so/9004_output_flow.conf.jinja
- - so/9026_output_dhcp.conf.jinja
- - so/9029_output_esxi.conf.jinja
- - so/9030_output_greensql.conf.jinja
- - so/9031_output_iis.conf.jinja
- - so/9032_output_mcafee.conf.jinja
- so/9033_output_snort.conf.jinja
- - so/9034_output_syslog.conf.jinja
- so/9100_output_osquery.conf.jinja
- - so/9200_output_firewall.conf.jinja
- - so/9300_output_windows.conf.jinja
- - so/9301_output_dns_windows.conf.jinja
- so/9400_output_suricata.conf.jinja
- so/9500_output_beats.conf.jinja
- so/9600_output_ossec.conf.jinja
diff --git a/salt/elasticsearch/files/ingest/bro_conn b/salt/elasticsearch/files/ingest/bro_conn
index b12be156e..2fe68ec42 100644
--- a/salt/elasticsearch/files/ingest/bro_conn
+++ b/salt/elasticsearch/files/ingest/bro_conn
@@ -4,14 +4,14 @@
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.service", "target_field": "service", "ignore_missing": true } },
{ "rename": { "field": "message2.duration", "target_field": "duration", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_bytes", "target_field": "original_bytes", "ignore_missing": true } },
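Review bot: The new `rename` into `source.ip` carries no `ignore_failure`, and an ingest `rename` whose target is a dotted path throws when the parent key already holds a non-object value, which aborts the whole pipeline and drops the event instead of indexing it under the old name. That case looks plausible here, because the bro_files pipeline in this same commit still has to `remove` an existing `source` field before it can write to that name. Consider adding `{ "remove": { "field": "source", "ignore_missing": true } }` (and the same for `destination`) ahead of the first dotted rename in each pipeline, or confirming that nothing upstream emits a scalar `source`/`destination` on these documents. The same renames appear in bro_dce_rpc, bro_dhcp, bro_dnp3, bro_dns, bro_dpd, bro_ftp, bro_http, bro_intel, bro_irc, bro_kerberos, bro_modbus, bro_mysql and bro_notice and need the same guard. The index template mapping for `source`/`destination`/`network` as objects and any consumer still reading `source_ip`/`destination_ip`/`protocol` are not part of this diff and must be updated alongside it.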
diff --git a/salt/elasticsearch/files/ingest/bro_dce_rpc b/salt/elasticsearch/files/ingest/bro_dce_rpc
index 105905245..902785b92 100644
--- a/salt/elasticsearch/files/ingest/bro_dce_rpc
+++ b/salt/elasticsearch/files/ingest/bro_dce_rpc
@@ -4,13 +4,13 @@
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.rtt", "target_field": "rtt", "ignore_missing": true } },
{ "rename": { "field": "message2.named_pipe", "target_field": "named_pipe", "ignore_missing": true } },
{ "rename": { "field": "message2.endpoint", "target_field": "endpoint", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_dhcp b/salt/elasticsearch/files/ingest/bro_dhcp
index 010d0f85b..88d4f94c2 100644
--- a/salt/elasticsearch/files/ingest/bro_dhcp
+++ b/salt/elasticsearch/files/ingest/bro_dhcp
@@ -8,8 +8,8 @@
{ "rename": { "field": "message2.lease_time", "target_field": "lease_time", "ignore_missing": true } },
{ "rename": { "field": "message2.trans_id", "target_field": "transaction_id", "ignore_missing": true } },
{ "rename": { "field": "message2.assigned_addr", "target_field": "assigned_ip", "ignore_missing": true } },
- { "rename": { "field": "message2.client_addr", "target_field": "source_ip", "ignore_missing": true } },
- { "rename": { "field": "message2.server_addr", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_addr", "target_field": "source.ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_addr", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "message2.requested_addr", "target_field": "requested_ip", "ignore_missing": true } },
{ "rename": { "field": "message2.domain", "target_field": "domain_name", "ignore_missing": true } },
{ "rename": { "field": "message2.host_name", "target_field": "hostname", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_dnp3 b/salt/elasticsearch/files/ingest/bro_dnp3
index bebb85ecb..3797e14fe 100644
--- a/salt/elasticsearch/files/ingest/bro_dnp3
+++ b/salt/elasticsearch/files/ingest/bro_dnp3
@@ -4,13 +4,13 @@
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.fc_request", "target_field": "fc_request", "ignore_missing": true } },
{ "rename": { "field": "message2.fc_reply", "target_field": "fc_reply", "ignore_missing": true } },
{ "rename": { "field": "message2.iin", "target_field": "iin", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_dns b/salt/elasticsearch/files/ingest/bro_dns
index be8d59294..3857e8e07 100644
--- a/salt/elasticsearch/files/ingest/bro_dns
+++ b/salt/elasticsearch/files/ingest/bro_dns
@@ -4,14 +4,14 @@
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.trans_id", "target_field": "transaction_id", "ignore_missing": true } },
{ "rename": { "field": "message2.rtt", "target_field": "rtt", "ignore_missing": true } },
{ "rename": { "field": "message2.query", "target_field": "query", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_dpd b/salt/elasticsearch/files/ingest/bro_dpd
index caf66d39e..963d6cd1d 100644
--- a/salt/elasticsearch/files/ingest/bro_dpd
+++ b/salt/elasticsearch/files/ingest/bro_dpd
@@ -4,14 +4,14 @@
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.analyzer", "target_field": "analyzer", "ignore_missing": true } },
{ "rename": { "field": "message2.failure_reason", "target_field": "failure_reason", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
diff --git a/salt/elasticsearch/files/ingest/bro_files b/salt/elasticsearch/files/ingest/bro_files
index 4337b75f2..5d138557d 100644
--- a/salt/elasticsearch/files/ingest/bro_files
+++ b/salt/elasticsearch/files/ingest/bro_files
@@ -4,11 +4,11 @@
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.tx_hosts", "target_field": "file_ip", "ignore_missing": true } },
- { "rename": { "field": "message2.rx_hosts.0", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.rx_hosts.0", "target_field": "destination.ip", "ignore_missing": true } },
{ "remove": { "field": "message2.rx_hosts", "ignore_missing": true } },
{ "rename": { "field": "message2.conn_uids", "target_field": "uid", "ignore_missing": true } },
{ "remove": { "field": "source", "ignore_missing": true } },
- { "rename": { "field": "message2.source", "target_field": "source", "ignore_missing": true } },
+ { "rename": { "field": "message2.source", "target_field": "file_source", "ignore_missing": true } },
{ "rename": { "field": "message2.depth", "target_field": "depth", "ignore_missing": true } },
{ "rename": { "field": "message2.analyzers", "target_field": "analyzer", "ignore_missing": true } },
{ "rename": { "field": "message2.mime_type", "target_field": "mimetype", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_ftp b/salt/elasticsearch/files/ingest/bro_ftp
index 34775072d..e602f29fb 100644
--- a/salt/elasticsearch/files/ingest/bro_ftp
+++ b/salt/elasticsearch/files/ingest/bro_ftp
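Review bot: The context line `{ "remove": { "field": "source", "ignore_missing": true } }` existed to clear the way for the rename that follows it, and now that the rename targets `file_source` instead of `source` the remove no longer has a visible purpose: it either silently discards a `source` object some earlier processor or shipper put on the document, or it is dead. If the intent is to drop a shipper-supplied `source` value, it would read more clearly placed directly before the `destination.ip` rename with the matching `destination` remove; otherwise it should go. The hunk also maps `rx_hosts.0` to `destination.ip` while leaving `tx_hosts` as the flat `file_ip`, so this pipeline ends up half-converted relative to the other bro_* pipelines in the commit; that may be deliberate, but it deserves a line in the commit message.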
@@ -4,13 +4,13 @@
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.user", "target_field": "username", "ignore_missing": true } },
{ "rename": { "field": "message2.password", "target_field": "password", "ignore_missing": true } },
{ "rename": { "field": "message2.command", "target_field": "ftp_command", "ignore_missing": true } },
@@ -22,11 +22,11 @@
{ "dot_expander": { "field": "data_channel.passive", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.data_channel.passive","target_field": "data_channel_passive", "ignore_missing": true } },
{ "dot_expander": { "field": "data_channel.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.data_channel.orig_h","target_field": "data_channel_source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_channel.orig_h","target_field": "data_channel_source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "data_channel.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.data_channel.resp_h","target_field": "data_channel_destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_channel.resp_h","target_field": "data_channel_destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "data_channel.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.data_channel.resp_p","target_field": "data_channel_destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.data_channel.resp_p","target_field": "data_channel_destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
diff --git a/salt/elasticsearch/files/ingest/bro_http b/salt/elasticsearch/files/ingest/bro_http
index 842a12bc9..3756ca323 100644
--- a/salt/elasticsearch/files/ingest/bro_http
+++ b/salt/elasticsearch/files/ingest/bro_http
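Review bot: The targets `data_channel_source.ip`, `data_channel_destination.ip` and `data_channel_destination.port` read like a mechanical `_ip` → `.ip` substitution rather than a chosen schema: each creates a new top-level object (`data_channel_source`, `data_channel_destination`) holding a single key, which matches neither the flat `data_channel_passive` on the line above nor the `source.ip`/`destination.ip` names used in the first hunk of this file. Either keep the flat names (`data_channel_source_ip`, `data_channel_destination_ip`, `data_channel_destination_port`) or nest them consistently under one object such as `data_channel.source.ip` and `data_channel.destination.port`. As written, every FTP event adds two oddly named object fields to the mapping, and a later flat field with the same prefix would collide with them.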
@@ -4,13 +4,13 @@
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.trans_depth", "target_field": "trans_depth", "ignore_missing": true } },
{ "rename": { "field": "message2.method", "target_field": "method", "ignore_missing": true } },
{ "rename": { "field": "message2.host", "target_field": "virtual_host", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_intel b/salt/elasticsearch/files/ingest/bro_intel
index 20bf90c5a..9718bd45e 100644
--- a/salt/elasticsearch/files/ingest/bro_intel
+++ b/salt/elasticsearch/files/ingest/bro_intel
@@ -4,13 +4,13 @@
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "dot_expander": { "field": "seen.indicator", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.seen.indicator", "target_field": "indicator", "ignore_missing": true } },
{ "dot_expander": { "field": "seen.indicator_type", "path": "message2", "ignore_failure": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_irc b/salt/elasticsearch/files/ingest/bro_irc
index c2a5ba22d..079c410ee 100644
--- a/salt/elasticsearch/files/ingest/bro_irc
+++ b/salt/elasticsearch/files/ingest/bro_irc
@@ -4,13 +4,13 @@
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.nick", "target_field": "nick", "ignore_missing": true } },
{ "rename": { "field": "message2.user", "target_field": "irc_username", "ignore_missing": true } },
{ "rename": { "field": "message2.command", "target_field": "irc_command", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_kerberos b/salt/elasticsearch/files/ingest/bro_kerberos
index b338b5c96..83c93476d 100644
--- a/salt/elasticsearch/files/ingest/bro_kerberos
+++ b/salt/elasticsearch/files/ingest/bro_kerberos
@@ -4,13 +4,13 @@
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.request_type", "target_field": "request_type", "ignore_missing": true } },
{ "rename": { "field": "message2.client", "target_field": "client", "ignore_missing": true } },
{ "rename": { "field": "message2.service", "target_field": "service", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_modbus b/salt/elasticsearch/files/ingest/bro_modbus
index 10e7c271a..3c3b17c45 100644
--- a/salt/elasticsearch/files/ingest/bro_modbus
+++ b/salt/elasticsearch/files/ingest/bro_modbus
@@ -4,13 +4,13 @@
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.func", "target_field": "function", "ignore_missing": true } },
{ "rename": { "field": "message2.exception", "target_field": "exception", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
diff --git a/salt/elasticsearch/files/ingest/bro_mysql b/salt/elasticsearch/files/ingest/bro_mysql
index a01d57da2..676213b06 100644
--- a/salt/elasticsearch/files/ingest/bro_mysql
+++ b/salt/elasticsearch/files/ingest/bro_mysql
@@ -4,13 +4,13 @@
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.cmd", "target_field": "mysql_command", "ignore_missing": true } },
{ "rename": { "field": "message2.arg", "target_field": "mysql_argument", "ignore_missing": true } },
{ "rename": { "field": "message2.success", "target_field": "mysql_success", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_notice b/salt/elasticsearch/files/ingest/bro_notice
index 6e43448d5..4ba1b7d88 100644
--- a/salt/elasticsearch/files/ingest/bro_notice
+++ b/salt/elasticsearch/files/ingest/bro_notice
@@ -6,17 +6,17 @@
 { "remove": { "field": "message2.src", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
 { "rename": { "field": "message2.mime", "target_field": "file_mime_type", "ignore_missing": true } },
 { "rename": { "field": "message2.desc", "target_field": "file_description", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
 { "rename": { "field": "message2.note", "target_field": "note", "ignore_missing": true } },
 { "rename": { "field": "message2.msg", "target_field": "msg", "ignore_missing": true } },
 { "rename": { "field": "message2.sub", "target_field": "sub_msg", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_ntlm b/salt/elasticsearch/files/ingest/bro_ntlm
index a3d130343..0921a5dbc 100644
--- a/salt/elasticsearch/files/ingest/bro_ntlm
+++ b/salt/elasticsearch/files/ingest/bro_ntlm
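Review bot: `message2.proto` is renamed to `network.protocol`, but in Zeek's notice.log `proto` is the transport-layer protocol (tcp/udp/icmp), which ECS places in `network.transport`; `network.protocol` is reserved for the application-layer protocol (http, dns, ssh). Detection rules and dashboards written against ECS conventions will therefore look in the wrong field for this data. Suggest `{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },` here and in the matching added line of the bro_syslog hunk, where syslog.log's `proto` is likewise the transport protocol.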
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.hostname", "target_field": "hostname", "ignore_missing": true } },
 { "rename": { "field": "message2.domainname", "target_field": "domain_name", "ignore_missing": true } },
 { "rename": { "field": "message2.success", "target_field": "ntlm_success", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_radius b/salt/elasticsearch/files/ingest/bro_radius
index c333711d6..35fede6b7 100644
--- a/salt/elasticsearch/files/ingest/bro_radius
+++ b/salt/elasticsearch/files/ingest/bro_radius
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.username", "target_field": "username", "ignore_missing": true } },
 { "rename": { "field": "message2.mac", "target_field": "mac", "ignore_missing": true } },
 { "rename": { "field": "message2.framed_addr", "target_field": "framed_addr", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_rdp b/salt/elasticsearch/files/ingest/bro_rdp
index b3cf206a5..49849a8c6 100644
--- a/salt/elasticsearch/files/ingest/bro_rdp
+++ b/salt/elasticsearch/files/ingest/bro_rdp
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.cookie", "target_field": "cookie", "ignore_missing": true } },
 { "rename": { "field": "message2.result", "target_field": "result", "ignore_missing": true } },
 { "rename": { "field": "message2.security_protocol","target_field": "security_protocol", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_rfb b/salt/elasticsearch/files/ingest/bro_rfb
index 8f3cc86e7..0e6cb4eb2 100644
--- a/salt/elasticsearch/files/ingest/bro_rfb
+++ b/salt/elasticsearch/files/ingest/bro_rfb
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.client_major_version", "target_field": "client_major_version", "ignore_missing": true } },
 { "rename": { "field": "message2.client_minor_version", "target_field": "client_minor_version", "ignore_missing": true } },
 { "rename": { "field": "message2.server_major_version", "target_field": "server_major_version", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_signatures b/salt/elasticsearch/files/ingest/bro_signatures
index 5dd3d9924..9187c94a2 100644
--- a/salt/elasticsearch/files/ingest/bro_signatures
+++ b/salt/elasticsearch/files/ingest/bro_signatures
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.note", "target_field": "note", "ignore_missing": true } },
 { "rename": { "field": "message2.sig_id", "target_field": "signature_id", "ignore_missing": true } },
 { "rename": { "field": "message2.event_msg", "target_field": "event_message", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_sip b/salt/elasticsearch/files/ingest/bro_sip
index 3a8b00d62..0d55ca5a0 100644
--- a/salt/elasticsearch/files/ingest/bro_sip
+++ b/salt/elasticsearch/files/ingest/bro_sip
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.trans_depth", "target_field": "trans_depth", "ignore_missing": true } },
 { "rename": { "field": "message2.method", "target_field": "method", "ignore_missing": true } },
 { "rename": { "field": "message2.uri", "target_field": "uri", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_smb_files b/salt/elasticsearch/files/ingest/bro_smb_files
index 83ba8bd67..2e552234a 100644
--- a/salt/elasticsearch/files/ingest/bro_smb_files
+++ b/salt/elasticsearch/files/ingest/bro_smb_files
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
 { "rename": { "field": "message2.action", "target_field": "action", "ignore_missing": true } },
 { "remove": { "field": "path", "ignore_failure": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_smb_mapping b/salt/elasticsearch/files/ingest/bro_smb_mapping
index e1b6b5dfb..220a10e2b 100644
--- a/salt/elasticsearch/files/ingest/bro_smb_mapping
+++ b/salt/elasticsearch/files/ingest/bro_smb_mapping
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "remove": { "field": "path", "ignore_failure": true } },
 { "rename": { "field": "message2.path", "target_field": "path", "ignore_missing": true } },
 { "rename": { "field": "message2.service", "target_field": "service", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_smtp b/salt/elasticsearch/files/ingest/bro_smtp
index 4bd85a293..d5e9a6d6f 100644
--- a/salt/elasticsearch/files/ingest/bro_smtp
+++ b/salt/elasticsearch/files/ingest/bro_smtp
@@ -5,13 +5,13 @@
 { "remove": { "field": "path", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.trans_depth", "target_field": "trans_depth", "ignore_missing": true } },
 { "rename": { "field": "message2.helo", "target_field": "helo", "ignore_missing": true } },
 { "rename": { "field": "message2.mailfrom", "target_field": "mail_from", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_snmp b/salt/elasticsearch/files/ingest/bro_snmp
index bec88c1af..31eb9514d 100644
--- a/salt/elasticsearch/files/ingest/bro_snmp
+++ b/salt/elasticsearch/files/ingest/bro_snmp
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.duration", "target_field": "duration", "ignore_missing": true } },
 { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
 { "rename": { "field": "message2.community", "target_field": "community", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_socks b/salt/elasticsearch/files/ingest/bro_socks
index 38c5dd528..421168baf 100644
--- a/salt/elasticsearch/files/ingest/bro_socks
+++ b/salt/elasticsearch/files/ingest/bro_socks
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
 { "rename": { "field": "message2.user", "target_field": "user", "ignore_missing": true } },
 { "rename": { "field": "message2.password", "target_field": "password", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_software b/salt/elasticsearch/files/ingest/bro_software
index e742fda9e..c3cfc711b 100644
--- a/salt/elasticsearch/files/ingest/bro_software
+++ b/salt/elasticsearch/files/ingest/bro_software
@@ -13,8 +13,8 @@
 { "rename": { "field": "message2.version.minor3", "target_field": "version_minor3", "ignore_missing": true } },
 { "dot_expander": { "field": "version.addl", "path": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.version.addl", "target_field": "version_additional_info", "ignore_missing": true } },
- { "rename": { "field": "message2.host", "target_field": "source_ip", "ignore_missing": true } },
- { "rename": { "field": "message2.host_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.host", "target_field": "source.ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.host_p", "target_field": "source.port", "ignore_missing": true } },
 { "rename": { "field": "message2.software_type", "target_field": "software_type", "ignore_missing": true } },
 { "rename": { "field": "message2.name", "target_field": "name", "ignore_missing": true } },
 { "rename": { "field": "message2.unparsed_version", "target_field": "unparsed_version", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_ssh b/salt/elasticsearch/files/ingest/bro_ssh
index 7df949503..583e5e1bb 100644
--- a/salt/elasticsearch/files/ingest/bro_ssh
+++ b/salt/elasticsearch/files/ingest/bro_ssh
@@ -3,13 +3,13 @@
 "processors" : [
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "rename": { "field": "message2.hassh", "target_field": "hassh", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_ssl b/salt/elasticsearch/files/ingest/bro_ssl
index 04d0fc8ec..83298b323 100644
--- a/salt/elasticsearch/files/ingest/bro_ssl
+++ b/salt/elasticsearch/files/ingest/bro_ssl
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
 { "rename": { "field": "message2.cipher", "target_field": "cipher", "ignore_missing": true } },
 { "rename": { "field": "message2.curve", "target_field": "curve", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/bro_syslog b/salt/elasticsearch/files/ingest/bro_syslog
index 9599b435c..84d1bcdf2 100644
--- a/salt/elasticsearch/files/ingest/bro_syslog
+++ b/salt/elasticsearch/files/ingest/bro_syslog
@@ -4,14 +4,14 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
+ { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
 { "rename": { "field": "message2.facility", "target_field": "facility", "ignore_missing": true } },
 { "rename": { "field": "message2.severity", "target_field": "severity", "ignore_missing": true } },
 { "remove": { "field": "message", "ignore_failure": true } },
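Review bot: Mapping `message2.proto` to `network.protocol` is inconsistent with the Suricata filter rewritten in this same commit, which renames `proto` to `[network][transport]` and reserves `[network][protocol]` for the application protocol taken from `app_proto`. Zeek's syslog.log `proto` is the transport (tcp/udp), so after this change `network.protocol` would hold "udp" for syslog events but "http"/"dns" for Suricata, and a search on `network.transport:udp` would silently miss the syslog records. Change the added line to `{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },` and declare that field in the template alongside the other ECS network properties.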
diff --git a/salt/elasticsearch/files/ingest/bro_tunnels b/salt/elasticsearch/files/ingest/bro_tunnels
index 50c12518f..daec8fba7 100644
--- a/salt/elasticsearch/files/ingest/bro_tunnels
+++ b/salt/elasticsearch/files/ingest/bro_tunnels
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.tunnel_type", "target_field": "tunnel_type", "ignore_missing": true } },
 { "rename": { "field": "message2.action", "target_field": "action", "ignore_missing": true } },
 { "pipeline": { "name": "bro_common" } }
diff --git a/salt/elasticsearch/files/ingest/bro_weird b/salt/elasticsearch/files/ingest/bro_weird
index b471f5e75..1bf155514 100644
--- a/salt/elasticsearch/files/ingest/bro_weird
+++ b/salt/elasticsearch/files/ingest/bro_weird
@@ -4,13 +4,13 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
 { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination_port", "ignore_missing": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
 { "rename": { "field": "message2.name", "target_field": "name", "ignore_missing": true } },
 { "rename": { "field": "message2.addl", "target_field": "additional_info", "ignore_missing": true } },
 { "rename": { "field": "message2.notice", "target_field": "notice", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/common b/salt/elasticsearch/files/ingest/common index ed227258e..6463757ca 100644 --- a/salt/elasticsearch/files/ingest/common +++ b/salt/elasticsearch/files/ingest/common @@ -10,7 +10,7 @@ }, { "geoip": { - "field": "destination_ip", + "field": "destination.ip", "target_field": "destination_geo", "database_file": "GeoLite2-City.mmdb", "ignore_missing": true, @@ -19,7 +19,7 @@ }, { "geoip": { - "field": "source_ip", + "field": "source.ip", "target_field": "source_geo", "database_file": "GeoLite2-City.mmdb", "ignore_missing": true, diff --git a/salt/elasticsearch/files/ingest/strelka b/salt/elasticsearch/files/ingest/strelka new file mode 100644 index 000000000..8652fb912 --- /dev/null +++ b/salt/elasticsearch/files/ingest/strelka @@ -0,0 +1,12 @@ +{ + "description" : "strelka", + "processors" : [ + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.file", "target_field": "file", "ignore_missing": true } }, + { "rename": { "field": "message2.scan", "target_field": "scan", "ignore_missing": true } }, + { "rename": { "field": "message2.request", "target_field": "request", "ignore_missing": true } }, + { "rename": { "field": "scan.hash", "target_field": "file.hash", "ignore_missing": true } }, + { "remove": { "field": ["host", "path"], "ignore_missing": true } }, + { "pipeline": { "name": "common" } } + ] +} diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index b86ee0e83..93da70bdc 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -85,12 +85,6 @@ lspipelinedir: - group: 939 {% for PL in PIPELINES %} -ls_pipeline_{{PL}}: - file.directory: - - name: /opt/so/conf/logstash/pipelines/{{PL}} - - user: 931 - - group: 939 - {% for CONFIGFILE in PIPELINES[PL].config %} ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}: file.managed: 
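Review bot: In the new strelka pipeline the `scan.hash` → `file.hash` rename carries no `ignore_failure` or `on_failure`, so if a Strelka record already has a `file.hash` (the `file` object was lifted out of `message2` two processors earlier) the rename processor throws and the whole document fails ingest rather than being indexed with a tag. Adding `"ignore_failure": true` to that step, or an `on_failure` handler that sets a tag, keeps a malformed scan record visible instead of silently lost. Unlike the bro pipelines in this commit, the raw `message` string and whatever is left in `message2` are never removed here; unless the `common` pipeline drops them, the scan payload is stored twice per document.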
@@ -103,10 +97,23 @@ ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}: {% endif %} - user: 931 - group: 939 + - makedirs: True {% endfor %} + +ls_pipeline_{{PL}}: + file.directory: + - name: /opt/so/conf/logstash/pipelines/{{PL}} + - user: 931 + - group: 939 + - require: + {% for CONFIGFILE in PIPELINES[PL].config %} + - file: ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }} + {% endfor %} + - clean: True + {% endfor %} -#sync templates to /opt/so/conf/logstash/etc/ here +#sync templates to /opt/so/conf/logstash/etc {% for TEMPLATE in TEMPLATES %} ls_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}: file.managed: @@ -129,7 +136,7 @@ lspipelinesyml: - defaults: pipelines: {{ PIPELINES }} -# Copy down all the configs including custom - TODO add watch restart +# Copy down all the configs lsetcsync: file.recurse: - name: /opt/so/conf/logstash/etc @@ -137,6 +144,11 @@ lsetcsync: - user: 931 - group: 939 - template: jinja + - clean: True + - require: +{% for TEMPLATE in TEMPLATES %} + - file: ls_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} +{% endfor %} - exclude_pat: pipelines* # Create the import directory 
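Review bot: `clean: True` on the moved `ls_pipeline_{{PL}}` directory state deletes anything under `/opt/so/conf/logstash/pipelines/{{PL}}` that is not named in its `require` list, so a `.conf` dropped into that directory by hand disappears on the next highstate; that is a sensible drift control, but it should be stated next to the state, e.g. `# clean: True - only config files listed in the pillar survive a highstate; add local filters via the pillar, not this directory`. The state-ID expression `ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}` is now written out in three places (the `file.managed` ID, this `require` list and the container `watch` list further down); a `{% set %}` or a small Jinja macro would keep those lists from drifting apart. The enclosing `{% for PL in PIPELINES %}` loop opens in the previous hunk.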
@@ -176,12 +188,15 @@ so-logstash: - {{ BINDING }} {% endfor %} - binds: +{% for TEMPLATE in TEMPLATES %} + {% if 'jinja' in TEMPLATE.split('.')[-1] %} + - /opt/so/conf/logstash/etc/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}:/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}:ro + {% else %} + - /opt/so/conf/logstash/etc/{{TEMPLATE.split('/')[1]}}:/{{TEMPLATE.split('/')[1]}}:ro + {% endif %} +{% endfor %} - /opt/so/conf/logstash/etc/log4j2.properties:/usr/share/logstash/config/log4j2.properties:ro - /opt/so/conf/logstash/etc/logstash.yml:/usr/share/logstash/config/logstash.yml:ro - - /opt/so/conf/logstash/etc/logstash-template.json:/logstash-template.json:ro - - /opt/so/conf/logstash/etc/logstash-ossec-template.json:/logstash-ossec-template.json:ro - - /opt/so/conf/logstash/etc/logstash-strelka-template.json:/logstash-strelka-template.json:ro - - /opt/so/conf/logstash/etc/beats-template.json:/beats-template.json:ro - /opt/so/conf/logstash/etc/pipelines.yml:/usr/share/logstash/config/pipelines.yml - /opt/so/conf/logstash/pipelines:/usr/share/logstash/pipelines:ro - /opt/so/rules:/etc/nsm/rules:ro @@ -201,6 +216,14 @@ so-logstash: - /opt/so/log/strelka:/strelka:ro {%- endif %} - watch: - - file: /opt/so/conf/logstash/etc - - file: /opt/so/conf/logstash/pipelines - #- file: /opt/so/conf/logstash/rulesets + - file: lsetcsync +{% for PL in PIPELINES %} + - file: ls_pipeline_{{PL}} + {% for CONFIGFILE in PIPELINES[PL].config %} + - file: ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }} + {% endfor %} +{% endfor %} +{% for TEMPLATE in TEMPLATES %} + - file: ls_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} +{% endfor %} +# - file: /opt/so/conf/logstash/rulesets diff --git a/salt/logstash/pipelines/config/so/1033_preprocess_snort.conf b/salt/logstash/pipelines/config/so/1033_preprocess_snort.conf index 897a8ae4b..9b18bbc15 100644 --- a/salt/logstash/pipelines/config/so/1033_preprocess_snort.conf 
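Review bot: `TEMPLATE.split('/')[1]` in the new bind loop assumes every template path has exactly one directory component; a template nested one level deeper would mount the intermediate directory name instead of the file, and a bare filename would likely fail to render. `TEMPLATE.split('/')[-1]` yields the basename in all of those cases, and because `replace(".jinja", "")` is a no-op when the suffix is absent, the `{% if 'jinja' in ... %}` branch can collapse to `{% set NAME = TEMPLATE.split('/')[-1] | replace(".jinja", "") %}` followed by a single `- /opt/so/conf/logstash/etc/{{NAME}}:/{{NAME}}:ro`. The `so-logstash` container state these binds belong to starts outside the hunk.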
+++ b/salt/logstash/pipelines/config/so/1033_preprocess_snort.conf 
@@ -1,181 +1,125 @@ -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Updated by: Doug Burks -# Last Update: 3/15/2018 - filter { - if [type] == "ids" { - # This is the initial parsing of the log - if [engine] == "suricata" { - json { - source => "message" + if [engine] == "suricata" { + json { + source => "message" + } + mutate { + # Make this compatible with event.id as a string + convert => { "[flow_id]" => "string" } + rename => { + "proto" => "[network][transport]" + "event_type" => "[event][dataset]" + "flow_id" => "[event][id]" + "community_id" => "[network][community_id]" + } + lowercase => [ "[network][transport]" ] + merge => {"[event][id]" => "[related][id]" } + add_field => { + "[related][domain]" => [] + "[related][ip]" => [] + "[related][id]" => [] + "[event][module]" => "suricata" + "[event][created]" => "%{[@timestamp]}" + "[event][version]" => "1.0.0" + "[event][category]" => "network" + } + } + + # Set the timestamp from the event + date { + match => [ "timestamp", "ISO8601" ] + tag_on_failure => [ "_dateparsefailure", "_parsefailure", "_suricata_dateparsefailure" ] + remove_field => [ "timestamp" ] + } + + # Suricata uses top-level src/dest to track flow + if [src_ip] { + mutate { + rename => { + "[src_ip]" => "[source][ip]" + "[src_port]" => "[source][port]" } + merge => { "[related][ip]" => "[source][ip]" } + } + } + if [dest_ip] { + mutate { + rename => { + "[dest_ip]" => "[destination][ip]" + "[dest_port]" => "[destination][port]" + } + merge => { "[related][ip]" => "[destination][ip]" } + } + } + + if [vlan] { + mutate { + rename => { "[vlan]" => "[vlan][id]" } + } + } + if [app_proto] { + if [app_proto] == "failed" { + # delete failed detections to be consistent with zeek + mutate { rename => { "app_proto" => "[error][message]" } } + } + else { + mutate { rename => {"app_proto" => "[network][protocol]"}} + } + } + if [event_type] == "alert" { + if [alert][severity] == 1 { mutate { - 
rename => { "alert" => "orig_alert" } - rename => { "[orig_alert][gid]" => "gid" } - rename => { "[orig_alert][signature_id]" => "sid" } - rename => { "[orig_alert][rev]" => "rev" } - rename => { "[orig_alert][signature]" => "alert" } - rename => { "[orig_alert][category]" => "classification" } - rename => { "[orig_alert][severity]" => "priority" } - rename => { "[orig_alert][rule]" => "rule_signature" } - rename => { "app_proto" => "application_protocol" } - rename => { "dest_ip" => "destination_ip" } - rename => { "dest_port" => "destination_port" } - rename => { "in_iface" => "interface" } - rename => { "proto" => "protocol" } - rename => { "src_ip" => "source_ip" } - rename => { "src_port" => "source_port" } - #rename => { "[fileinfo][filename]" => "filename" } - #rename => { "[fileinfo][gaps]" => "gaps" } - #rename => { "[fileinfo][size]" => "size" } - #rename => { "[fileinfo][state]" => "state" } - #rename => { "[fileinfo][stored]" => "stored" } - #rename => { "[fileinfo][tx_id]" => "tx_id" } - #rename => { "[flow][age]" => "duration" } - #rename => { "[flow][alerted]" => "flow_alerted" } - #rename => { "[flow][bytes_toclient]" => "bytes_to_client" } - #rename => { "[flow][bytes_toserver]" => "bytes_to_server" } - #rename => { "[flow][end]" => "flow_end" } - #rename => { "[flow][pkts_toclient]" => "packets_to_client" } - #rename => { "[flow][pkts_toserver]" => "packets_to_server" } - #rename => { "[flow][reason]" => "reason" } - #rename => { "[flow][start]" => "flow_start" } - #rename => { "[flow][state]" => "state" } - #rename => { "[netflow][age]" => "duration" } - #rename => { "[netflow][bytes]" => "bytes" } - #rename => { "[netflow][end]" => "netflow_end" } - #rename => { "[netflow][start]" => "netflow_start" } - #rename => { "[netflow][pkts]" => "packets" } - rename => { "[alert][action]" => "action" } - rename => { "[alert][category]" => "category" } - rename => { "[alert][gid]" => "gid" } - rename => { "[alert][rev]" => "rev" } - rename => { 
"[alert][severity]" => "severity" } - rename => { "[alert][signature]" => "signature" } - rename => { "[alert][signature_id]" => "sid" } - #rename => { "[dns][aa]" => "aa" } - #rename => { "[dns][flags]" => "flags" } - #rename => { "[dns][id]" => "id" } - #rename => { "[dns][qr]" => "qr" } - #rename => { "[dns][rcode]" => "rcode_name" } - #rename => { "[dns][rrname]" => "rrname" } - #rename => { "[dns][rrtype]" => "rrtype" } - #rename => { "[dns][tx_id]" => "tx_id" } - #rename => { "[dns][type]" => "record_type" } - #rename => { "[dns][version]" => "version" } - rename => { "[http][hostname]" => "virtual_host" } - rename => { "[http][http_content_type]" => "content_type" } - rename => { "[http][http_port]" => "http_port" } - rename => { "[http][http_method]" => "method" } - rename => { "[http][http_user_agent]" => "useragent" } - #rename => { "[http][length]" => "payload_length" } - #rename => { "[http][protocol]" => "http_version" } - rename => { "[http][status]" => "status_message" } - rename => { "[http][url]" => "url" } - #rename => { "[metadata][flowbits]" => "flowbits" } - rename => { "[tls][fingerprint]" => "certificate_serial_number" } - rename => { "[tls][issuerdn]" => "issuer_distinguished_name" } - rename => { "[tls][notafter]" => "certificate_not_valid_after" } - rename => { "[tls][notbefore]" => "certificate_not_valid_before" } - rename => { "[tls][subject]" => "certificate_common_name" } - rename => { "[tls][version]" => "tls_version" } - rename => { "event_type" => "ids_event_type" } - remove_field => [ "offset", "orig_alert", "beat", "input", "prospector" ] - remove_tag => [ "beats_input_codec_plain_applied" ] - add_tag => [ "eve" ] - - } - } else { + add_field => { "severity" => "High" } + } + } + if [alert][severity] == 2 { + mutate { + add_field => { "severity" => "Medium" } + } + } + if [alert][severity] == 3 { + mutate { + add_field => { "severity" => "Low" } + } + } + # If the alert is a Snort GPL alert break it apart for easier reading and 
categorization + if [alert][signature] =~ "GPL " { + # This will parse out the category type from the alert grok { - match => ["message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}", - "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+<%{DATA:interface}>\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})", - "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+%{IPV4:destination_ip}:%{INT:destination_port}", - "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip})", - "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip}):%{INT:source_port}\s+->\s+(?:%{IPV4:destination_ip}|%{IPV6:destination_ip}):%{INT:destination_port}", - "message", "\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}\s(?:%{IPV4:source_ip}|%{IPV6:source_ip})\s+->\s+(?:%{IPV4:source_ip}|%{IPV6:source_ip})", - "message", 
"\[%{INT:gid}:%{INT:sid}:%{INT:rev}\]\s%{DATA:alert}\[Classification:\s+%{DATA:classification}\]\s+\[Priority:\s+%{INT:priority}\]:\s+{%{DATA:protocol}}", - "message", "\A%{TIME} pid\(%{INT}\) Alert Received: %{INT} %{INT:priority} %{DATA:classification} %{DATA:interface} \{%{DATA:timestamp}} %{INT} %{INT} \{%{DATA:alert}} %{IP:source_ip} %{IP:destination_ip} %{INT:protocol} %{INT:source_port} %{INT:destination_port} %{INT:gid} %{INT:sid} %{INT:rev} %{INT} %{INT}\Z", - "message", "%{GREEDYDATA:alert}"] + match => { "[alert][signature]" => "GPL\s+%{DATA:category}\s" } } - } - if [timestamp] { + # This will store the category mutate { - add_field => { "logstash_timestamp" => "%{@timestamp}" } + add_field => { "rule_type" => "Snort GPL" } + lowercase => [ "category" ] } - mutate { - convert => { "logstash_timestamp" => "string" } - } - date { - match => [ "timestamp", "ISO8601" ] - } - mutate { - rename => { "logstash_timestamp" => "timestamp" } - } - } - - # If the alert is a Snort GPL alert break it apart for easier reading and categorization - if [alert] =~ "GPL " { - # This will parse out the category type from the alert - grok { - match => { "alert" => "GPL\s+%{DATA:category}\s" } } - # This will store the category - mutate { - add_field => { "rule_type" => "Snort GPL" } - lowercase => [ "category"] + # If the alert is an Emerging Threat alert break it apart for easier reading and categorization + if [alert][signature] =~ "ET " { + # This will parse out the category type from the alert + grok { + match => { "[alert][signature]" => "ET\s+%{DATA:category}\s" } + } + # This will store the category + mutate { + add_field => { "rule_type" => "Emerging Threats" } + lowercase => [ "category" ] } - } - # If the alert is an Emerging Threat alert break it apart for easier reading and categorization - if [alert] =~ "ET " { - # This will parse out the category type from the alert - grok { - match => { "alert" => "ET\s+%{DATA:category}\s" } } - # This will store the category 
- mutate { - add_field => { "rule_type" => "Emerging Threats" } - lowercase => [ "category"] + # This section adds URLs to lookup information about a rule online + if [rule_type] == "Snort GPL" { + mutate { + add_field => [ "signature_info", "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" ] + } + } + if [rule_type] == "Emerging Threats" { + mutate { + add_field => [ "signature_info", "http://doc.emergingthreats.net/%{[alert][signature_id]}" ] + } } } - # I recommend changing the field types below to integer so searches can do greater than or less than - # and also so math functions can be ran against them mutate { - convert => [ "source_port", "integer" ] - convert => [ "destination_port", "integer" ] - convert => [ "gid", "integer" ] - convert => [ "sid", "integer" ] - # remove_field => [ "message"] + remove_field => [ "alert" ] } - # This will translate the priority field into a severity field of either High, Medium, or Low - if [priority] == 1 { - mutate { - add_field => { "severity" => "High" } - } - } - if [priority] == 2 { - mutate { - add_field => { "severity" => "Medium" } - } - } - if [priority] == 3 { - mutate { - add_field => { "severity" => "Low" } - } - } - # This section adds URLs to lookup information about a rule online - if [sid] and [sid] > 0 and [sid] < 1000000 { - mutate { - add_field => [ "signature_info", "https://www.snort.org/search?query=%{gid}-%{sid}" ] - } - } - if [sid] and [sid] > 1999999 and [sid] < 2999999 { - mutate { - add_field => [ "signature_info", "http://doc.emergingthreats.net/%{sid}" ] - } - } -# mutate { - #add_tag => [ "conf_file_1033"] -# } } } diff --git a/salt/logstash/pipelines/templates/so/logstash-bro-template.json b/salt/logstash/pipelines/templates/so/logstash-bro-template.json new file mode 100644 index 000000000..124d3c92c --- /dev/null +++ b/salt/logstash/pipelines/templates/so/logstash-bro-template.json 
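Review bot: `if [event_type] == "alert"` can never be true, because the first `mutate` in this file has already renamed `event_type` to `[event][dataset]`; as written, the severity label, `rule_type`, `category` and `signature_info` are never added to Suricata alerts, and if the `mutate { remove_field => [ "alert" ] }` sits outside that conditional (hard to tell from the collapsed hunk) it also strips signature, signature_id and category from every event, leaving alerts with no detection detail at all. The condition should read `if [event][dataset] == "alert" {`. Separately, `merge => {"[event][id]" => "[related][id]" }` is reversed relative to the `[related][ip]` merges below it (mutate's `merge` is `{ destination => source }`), so it adds nothing to `related.id` and turns `event.id` into a one-element array; it should be `merge => { "[related][id]" => "[event][id]" }`, and since `merge` creates the array itself the `"[related][id]" => []` entry in `add_field` (which mutate applies after its own operations) looks redundant. The Emerging Threats lookup is still built over plain `http://`; `https://doc.emergingthreats.net/%{[alert][signature_id]}` avoids sending the analyst's click over cleartext.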
@@ -0,0 +1,3619 @@ +{ + "index_patterns": ["logstash-ids-*", "logstash-firewall-*", "logstash-syslog-*", "logstash-bro-*", "logstash-import-*", "logstash-beats-*"], + "version":50001, + "order" : 0, + "settings":{ + "number_of_replicas":0, + "number_of_shards":1, + "index.refresh_interval":"30s" + }, + "mappings":{ + "doc":{ + "dynamic": false, + "date_detection": false, + "properties":{ + "@timestamp":{ + "type":"date" + }, + "@version":{ + "type":"keyword" + }, + "geoip":{ + "dynamic":true, + "properties":{ + "ip":{ + "type":"ip" + }, + "location":{ + "type":"geo_point" + }, + "latitude":{ + "type":"half_float" + }, + "longitude":{ + "type":"half_float" + } + } + }, + "destination_geo":{ + "dynamic":true, + "properties":{ + "ip":{ + "type":"ip" + }, + "location":{ + "type":"geo_point" + }, + "latitude":{ + "type":"half_float" + }, + "longitude":{ + "type":"half_float" + } + } + }, + "source_geo":{ + "dynamic":true, + "properties":{ + "ip":{ + "type":"ip" + }, + "location":{ + "type":"geo_point" + }, + "latitude":{ + "type":"half_float" + }, + "longitude":{ + "type":"half_float" + } + } + }, + "signature_info":{ + "type":"keyword" + }, + "aa":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ack":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "action":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "additional_info":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "age":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "alert":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "alert_level":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "analyzer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "answers":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "assigned_ip":{ + "type":"ip", + 
"fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "auth":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "authentication_attempts":{ + "type":"long" + }, + "authentication_method":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "authentication_success":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "basic_constraints":{ + "type":"object", + "properties":{ + "path_len": { + "type": "text" + } + } + }, + "basic_constraints_ca":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "basic_constraints_path_length":{ + "type":"long" + }, + "bound_port":{ + "type":"long" + }, + "call_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "category":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "cc":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_chain_count":{ + "type":"long" + }, + "certificate_chain_fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_common_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_common_name_frequency_score":{ + "type":"long" + }, + "certificate_common_name_length":{ + "type":"long" + }, + "certificate_count":{ + "type":"long" + }, + "certificate_country_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_curve":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_exponent":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_issuer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_key_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_key_length":{ + "type":"long" + }, + 
"certificate_key_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_locality":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_not_valid_after":{ + "type":"date" + }, + "certificate_not_valid_before":{ + "type":"date" + }, + "certificate_number_days_valid":{ + "type":"long" + }, + "certificate_organization":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_organization_unit":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_permanent":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_serial":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_serial_number":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_signing_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_state":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "checksum":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "cipher":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "cipher_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "class":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "classification":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_build":{ + 
"type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_certificate_chain_fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_certificate_subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_certificate_fuid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_digital_product_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_fqdn":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_issuer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_ip": { + "type":"ip", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_major_version":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_minor_version":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "command":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "community":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "company":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "compile_ts":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "compression_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "connect_info":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "connection_state":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "connection_state_description":{ + "type":"text", 
+ "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "content_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "cookie":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "creation_date":{ + "type":"date" + }, + "creation_time":{ + "type":"date" + }, + "client_host_key_algorithms":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "current_directory":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "curve":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "data_channel_destination_ip":{ + "type":"ip" + }, + "data_channel_destination_port":{ + "type":"long" + }, + "data_channel_passive":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "data_channel_source_ip":{ + "type":"ip" + }, + "data_length":{ + "type":"long" + }, + "date":{ + "type":"text" + }, + "dcc_file_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "dcc_file_size":{ + "type":"long" + }, + "dcc_mime_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "depth":{ + "type":"long" + }, + "description":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "desktop_height":{ + "type":"long" + }, + "desktop_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "desktop_width":{ + "type":"long" + }, + "dest_is_ipv6":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination":{ + "type":"object", + "dynamic": true + }, + "destination_city":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.city_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.continent_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.dma_code":{ + 
"type":"long" + }, + "destination_geo.ip":{ + "type":"ip" + }, + "destination_geo.latitude":{ + "type":"long" + }, + "destination_geo.location":{ + "type":"geo_point" + }, + "destination_geo.longitude":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.postal_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.region_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.country_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.region_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.timezone":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_hostname":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_ip":{ + "type":"ip" + }, + "destination_ips":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_latitude":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_longitude":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_port":{ + "type":"long" + }, + "destination_port_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_region":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "details":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "dir":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "direction":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "display_string":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "domain_age":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + 
"domain_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "dropped":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "duration":{ + "type":"long" + }, + "valid_from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "enabled":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "encryption_level":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "encryption_method":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "endpoint":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "entry":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "entry_location":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "error_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "escalated_user":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "established":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "event_id":{ + "type":"long" + }, + "event_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "event_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "exception":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "extracted":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "extracted_cutoff":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "facility":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "fc_reply":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "fc_request":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_description":{ + "type":"text", + 
"fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_ip":{ + "type":"ip", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_mime_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_size":{ + "type":"long" + }, + "first_received":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "flow_label":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "forwardable":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "framed_addr":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "freq_virtual_host":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "frequency_scores":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ftp_argument":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ftp_command":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "fuid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "function":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "geoip.ip":{ + "type":"ip" + }, + "geoip.latitude":{ + "type":"long" + }, + "geoip.location":{ + "type":"geo_point" + }, + "geoip.longitude":{ + "type":"long" + }, + "get_bulk_requests":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "get_requests":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "get_responses":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "gid":{ + "type":"long" + }, + "has_cert_table":{ 
+ "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "has_debug_data":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "has_export_table":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "has_import_table":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hassh":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hassh_algorithms":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hassh_server":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hassh_server_algorithms":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hassh_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "height":{ + "type":"long" + }, + "helo":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "highest_registered_domain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "highest_registered_domain_frequency_score":{ + "type":"long" + }, + "history":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hop_limit":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "host":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "host_key":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "host_key_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hostname":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "iin":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "image_path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "in_reply_to":{ + 
"type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "indicator":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "indicator_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "info_code":{ + "type":"long" + }, + "info_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "initiated":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "integrity_level":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "interface":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ip_version":{ + "type":"long" + }, + "ipv4_ecn":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ips":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_flags":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_offset":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_protocol":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_protocol_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_protocol_length":{ + "type":"long" + }, + "ipv4_tos":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_ttl":{ + "type":"long" + }, + "irc_command":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "irc_username":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_64bit":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_exe":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_orig":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + 
"is_source_ipv6":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_webmail":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_common_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_common_name_frequency_score":{ + "type":"long" + }, + "issuer_common_name_length":{ + "type":"long" + }, + "issuer_country_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_distinguished_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_locality":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_organization":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_organization_frequency_score":{ + "type":"long" + }, + "issuer_organization_unit":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_serial_number":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_state":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ja3":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ja3s":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "kerberos_success":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "kex_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "keyboard_layout":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "last_alert":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "last_reply":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "launch_string":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "lease_time":{ + "type":"text", + "fields":{ + "keyword":{ + 
"type":"keyword" + } + } + }, + "length":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "local_orig":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "local_respond":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "location":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "log_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "log_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "logged":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "logon_guid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "logon_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "logstash_time":{ + "type":"long" + }, + "mac":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mac_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "machine":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mail_date":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mail_from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "matched":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "md5":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "message_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "message_types":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "method":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mimetype":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + 
"missed_bytes":{ + "type":"long" + }, + "missing_bytes":{ + "type":"long" + }, + "msg":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mysql_argument":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mysql_command":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mysql_success":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "n":{ + "type":"long" + }, + "name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "named_pipe":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "native_file_system":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "next_protocol":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "nick":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "note":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "notice":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ntlm_success":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "num_packets":{ + "type":"long" + }, + "object_size":{ + "type":"long" + }, + "operation":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "options":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "orig_filenames":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "orig_fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "orig_mime_types":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "original_bytes":{ + "type":"long" + }, + "original_country_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "original_ip_bytes":{ + "type":"long" + }, + "original_packets":{ + "type":"long" + 
}, + "os":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ossec_agent_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ossec_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "overflow_bytes":{ + "type":"long" + }, + "p":{ + "type":"long" + }, + "parent_domain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "parent_domain_frequency_score":{ + "type":"long" + }, + "parent_domain_length":{ + "type":"long" + }, + "parent_image_path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "parent_process_guid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "parent_process_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "parent_process_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "password":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "peer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "peer_description":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "pesha1":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "pesha256":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "pid":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "port":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "prev_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "priority":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "process":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "process_arguments":{ + "type":"text", + 
"fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "process_guid":{ + "type":"long" + }, + "process_id":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "process_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "profile":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "program":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "protocol":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "protocol_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "protocol_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "proxied":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "query":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "query_class":{ + "type":"long" + }, + "query_class_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "query_length":{ + "type":"long" + }, + "query_type":{ + "type":"long" + }, + "query_type_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ra":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rcode":{ + "type":"long" + }, + "rcode_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rd":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "reason":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "recipient_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "referrer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rejected":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "remote_ip":{ + "type":"ip" + }, + "remote_location":{ + "type":"object", + "properties":{ + 
"country_code": { + "type": "text" + } + } + }, + "renewable":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "reply_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "reply_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "reply_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_body_len":{ + "type":"long" + }, + "request_body_length":{ + "type":"long" + }, + "request_from":{ + "type":"text" + }, + "request_path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_port":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "requested_color_depth":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "requested_resource":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "requested_ip": { + "type":"ip", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "resp_filenames":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "resp_fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "resp_mime_types":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "respond_bytes":{ + "type":"long" + }, + "respond_country_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "respond_ip_bytes":{ + "type":"long" + }, + "respond_packets":{ + "type":"long" + }, + "response":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "response_body_len":{ + "type":"long" + }, + 
"response_body_length":{ + "type":"long" + }, + "response_from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "response_path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "response_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "result":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "resumed":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rev":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rig":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rows":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rtt":{ + "type":"float", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rule":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rule_number":{ + "type":"long" + }, + "rule_signature":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rule_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "san_dns":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "second_received":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "section_names":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "security_protocol":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "seen_bytes":{ + "type":"long" + }, + "seen_node":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "seen_where":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sensor_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "seq":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sequence_number":{ + "type":"long" + 
}, + "server":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_certificate_fuid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_certificate_subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_dns_computer_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_ip": { + "type":"ip", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_major_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_minor_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_name_frequency_score":{ + "type":"long" + }, + "server_name_length":{ + "type":"long" + }, + "server_nb_computer_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_tree_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "service":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "set_requests":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "severity":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sha1":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sha256":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "share_flag":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "share_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sid":{ + "type":"long" + }, + "signer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "site":{ + "type":"text", + 
"fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "size":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "software_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source":{ + "type":"object", + "dynamic": true + }, + "source_geo.city_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.continent_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.dma_code":{ + "type":"long" + }, + "source_geo.ip":{ + "type":"ip" + }, + "source_geo.latitude":{ + "type":"long" + }, + "source_geo.location":{ + "type":"geo_point" + }, + "source_geo.longitude":{ + "type":"long" + }, + "source_geo.postal_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.region_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.region_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.timezone":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_hostname":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_ip":{ + "type":"ip" + }, + "source_ips":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_port":{ + "type":"long" + }, + "source_port_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sources":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_host_key_algorithms":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "status":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "status_code":{ + "type":"long" + }, + "status_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "status_msg":{ + "type":"text", + "fields":{ + 
"keyword":{ + "type":"keyword" + } + } + }, + "sub_msg":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sub_rule_number":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "subdomain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "subdomain_frequency_score":{ + "type":"long" + }, + "subdomain_length":{ + "type":"long" + }, + "subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "subsystem":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "suppress_for":{ + "type":"long" + }, + "syslog-facility":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-file_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-host":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-host_from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-legacy_msghdr":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-pid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-priority":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-sourceip":{ + "type":"ip" + }, + "syslog-tags":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sysmon_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tags":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "target_filename":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tc":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tcp_flags":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "terminal_id":{ + "type":"text", + "fields":{ + "keyword":{ + 
"type":"keyword" + } + } + }, + "valid_till":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + + "timed_out":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "times_accessed":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "times_changed":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "times_created":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "times_modified":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tld.subdomain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tls":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "top_level_domain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "total_bytes":{ + "type":"long" + }, + "tracker_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "trans_depth":{ + "type":"long" + }, + "transaction_id":{ + "type":"long" + }, + "ttls":{ + "type":"text" + }, + "tty":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tunnel_parents":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tunnel_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "unparsed_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "up_since":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "urg":{ + "type":"text", + "fields":{ + "keyword":{ 
+ "type":"keyword" + } + } + }, + "uri":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uri_length":{ + "type":"long" + }, + "username":{ + "type":"text", + "fields": { + "keyword":{ + "type":"keyword" + } + } + }, + "user_agent":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "useragent":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "useragent_length":{ + "type":"long" + }, + "uses_aslr":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uses_code_integrity":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uses_dep":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uses_seh":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "validation_status":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "value":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_additional_info":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_major":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_minor":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_minor2":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_minor3":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "virtual_host":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "virtual_host_frequency_score":{ + "type":"long" + }, + "virtual_host_length":{ + "type":"long" + }, + "warning":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "width":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, 
+ "window":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "x_originating_ip":{
+ "type":"ip"
+ },
+ "year":{
+ "type":"long"
+ },
+ "z":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/logstash/pipelines/templates/so/logstash-template.json b/salt/logstash/pipelines/templates/so/logstash-template.json
index f23c7b58a..124d3c92c 100644
--- a/salt/logstash/pipelines/templates/so/logstash-template.json
+++ b/salt/logstash/pipelines/templates/so/logstash-template.json
@@ -738,6 +738,10 @@
}
}
},
+ "destination":{
+ "type":"object",
+ "dynamic": true
+ },
"destination_city":{
"type":"text",
"fields":{
@@ -2946,6 +2950,10 @@
}
}
},
+ "source":{
+ "type":"object",
+ "dynamic": true
+ },
"source_geo.city_name":{
"type":"text",
"fields":{
diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
index 803886d2b..3f3191583 100644
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
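Review bot: `destination` is added as an object with `"dynamic": true`, so any sub-key that reaches the index under that name becomes a new indexed field chosen from event content rather than from this template; on a shared index template that is the usual route to mapping growth and per-index type conflicts, and the `source` hunk at @@ -2946 has the same shape. If the expected sub-fields are known, list them under `properties` and set `"dynamic": false` (unknown keys stored but not indexed) or `"dynamic": "strict"`, keeping the template authoritative; if open mapping is intended, an `index.mapping.total_fields.limit` in the template settings at least bounds the growth. Note the surrounding mapping already carries flattened `destination_geo.*` / `source_geo.*` keys as dotted top-level names, so the new objects sit beside rather than under them — worth confirming that layout is what the pipeline emits.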
@@ -54,36 +54,8 @@ strelkastagedir:
- group: 939
- makedirs: True
-
-so-strelka-frontendimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-frontend:HH1.1.5
-
-so-strelka-coordinatorimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/redis:5.0.5-alpine3.10
-
-so-strelka-gatekeeperimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/redis:5.0.5-alpine3.10
-
-so-strelka-backendimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-backend:HH1.1.5
-
-so-strelka-managerimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-manager:HH1.1.5
-
-so-strelka-backendimage:
- cmd.run:
- - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-strelka-backend:HH1.1.5
-
-
strelka_coordinator:
docker_container.running:
- - require:
- - so-strelka-coordinatorimage
- image: docker.io/redis:5.0.5-alpine3.10
- name: so-strelka-coordinator
- command: redis-server --save "" --appendonly no
@@ -92,19 +64,15 @@ strelka_coordinator:
strelka_gatekeeper:
docker_container.running:
- - require:
- - so-strelka-gatekeeperimage
- image: docker.io/redis:5.0.5-alpine3.10
- name: so-strelka-gatekeeper
- command: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
- port_bindings:
- 0.0.0.0:6381:6379
-
+
strelka_frontend:
docker_container.running:
- - require:
- - so-strelka-frontendimage
- - image: docker.io/soshybridhunter/so-strelka-frontend:HH1.1.5
+ - image: soshybridhunter/so-strelka-frontend:HH1.2.1
- binds:
- /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
- /opt/so/log/strelka/:/var/log/strelka/:rw
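Review bot: Removing the `docker pull --disable-content-trust=false` states drops the only place Docker Content Trust was enforced for the Strelka images; the remaining `docker_container.running` states pull on demand through the Docker API rather than the CLI, so as far as I can tell nothing on the new side verifies image signatures or pins a digest (the same applies to the retagged `image:` lines in the hunks at -92, -116, -128 and -138). If signed images are still a requirement, keep one explicit pull state with content trust enabled that each container state `require`s, or reference each image by digest, e.g. `- image: soshybridhunter/so-strelka-frontend@sha256:<digest>` (placeholder). Dropping the `require:` entries is consistent with removing the pull states, but the state file should say in a comment which of the two mechanisms now guarantees image provenance.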
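Review bot: The gatekeeper's `port_bindings: 0.0.0.0:6381:6379` is context rather than new code, but it publishes a Redis whose visible `redis-server` command line configures no authentication on every host interface, and the frontend retagged in this hunk is presumably its only client. Since the block is being reworked anyway, binding it as `- 127.0.0.1:6381:6379` or dropping the host port in favour of the container network would narrow the exposure without changing the frontend's behaviour. The coordinator in the hunk at -54 shows no `port_bindings` in view, so it appears to already be container-network only; confirm that is the intended difference between the two.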
@@ -116,9 +84,7 @@ strelka_frontend:
strelka_backend:
docker_container.running:
- - require:
- - so-strelka-backendimage
- - image: docker.io/soshybridhunter/so-strelka-backend:HH1.1.5
+ - image: soshybridhunter/so-strelka-backend:HH1.2.1
- restart_policy: unless-stopped
- binds:
- /opt/so/conf/strelka/backend/:/etc/strelka/:ro
@@ -128,9 +94,7 @@ strelka_backend:
strelka_manager:
docker_container.running:
- - require:
- - so-strelka-managerimage
- - image: docker.io/soshybridhunter/so-strelka-manager:HH1.1.5
+ - image: soshybridhunter/so-strelka-manager:HH1.2.1
- binds:
- /opt/so/conf/strelka/manager/:/etc/strelka/:ro
- name: so-strelka-manager
@@ -138,12 +102,9 @@ strelka_manager:
strelka_filestream:
docker_container.running:
- - require:
- - so-strelka-filestreamimage
- - image: docker.io/soshybridhunter/so-strelka-filestream:HH1.1.5
- - image: docker.io/wlambert/sfilestream:grpc
+ - image: soshybridhunter/so-strelka-filestream:HH1.2.1
- binds:
- /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
- /nsm/strelka:/nsm/strelka
- name: so-strelka-filestream
- - command: strelka-filestream
+ - command: strelka-filestream
diff --git a/salt/zeek/files/local.zeek b/salt/zeek/files/local.zeek
index b902eee32..bbb4a78be 100644
--- a/salt/zeek/files/local.zeek
+++ b/salt/zeek/files/local.zeek
@@ -124,3 +124,6 @@ redef LogAscii::json_timestamps = JSON::TS_ISO8601;
# BPF Configuration
@load securityonion/bpfconf
+
+ # Extracted files
+ @load securityonion/file-extraction
diff --git a/salt/zeek/policy/securityonion/file-extraction/extract.zeek b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
index 7f0f1c902..b8e8478bd 100644
--- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
@@ -16,6 +16,6 @@ event file_sniff(f: fa_file, meta: fa_metadata)
if ( meta?$mime_type )
ext = ext_map[meta$mime_type];
- local fname = fmt("/nsm/bro/extracted/%s-%s.%s", f$source, f$id, ext);
+ local fname = fmt("/nsm/zeek/extracted/%s-%s.%s", f$source, f$id, ext);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
}
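Review bot: `ext = ext_map[meta$mime_type];` reads the table without a membership check; unless `ext_map` is declared with `&default` (its definition is outside the hunk), a MIME type missing from the map raises a runtime error in this handler and the file is silently not extracted. A guard such as `if ( meta?$mime_type && meta$mime_type in ext_map )` avoids that, with a fallback extension for the unmapped case. The `Files::add_analyzer` call also sets no `$extract_limit`, so the per-file cap is whatever `FileExtract::default_limit` is configured to; setting it explicitly would bound disk use under the new `/nsm/zeek/extracted` path. `file_sniff`'s body begins outside the hunk.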