diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml
index e586100da..2f237cac1 100644
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -48,6 +48,7 @@ elasticfleet:
 - cisco_ios
 - cisco_ise
 - cisco_meraki
+ - cisco_secure_email_gateway
 - cisco_umbrella
 - citrix_adc
 - citrix_waf
@@ -108,6 +109,7 @@ elasticfleet:
 - ti_cybersixgill
 - ti_misp
 - ti_otx
+ - ti_rapid7_threat_command
 - ti_recordedfuture
 - ti_threatq
 - trendmicro
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 618d778ea..56ac2475c 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -3211,6 +3211,50 @@ elasticsearch:
 set_priority:
 priority: 50
 min_age: 30d
+ so-logs-cisco_secure_email_gateway_x_log:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cisco_secure_email_gateway.log@package
+ - logs-cisco_secure_email_gateway.log@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cisco_secure_email_gateway.log@custom
+ index_patterns:
+ - logs-cisco_secure_email_gateway.log-*
+ priority: 501
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
 so-logs-cisco_umbrella_x_log:
 index_sorting: false
 index_template: 
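Review bot: The new `so-logs-cisco_secure_email_gateway_x_log` stanza (and the three `so-logs-ti_rapid7_threat_command_x_*` stanzas in the `@@ -10399` hunk) is a verbatim copy of its neighbours with only the dataset name substituted, and nothing in the file ties a stanza to the integration entry added in `salt/elasticfleet/defaults.yaml`, so the two lists can silently drift when an integration gains or renames a data stream. A one-line comment above each new key, `# one stanza per data stream of the cisco_secure_email_gateway Fleet integration (listed in salt/elasticfleet/defaults.yaml)`, would give the next maintainer that link. Note also that `ignore_missing_component_templates` names only the `@custom` template, so the index template will presumably be rejected if the `@package` component has not yet been installed by Fleet; that matches the surrounding stanzas, but the install ordering on a fresh node is worth confirming.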
@@ -10399,6 +10443,138 @@ elasticsearch:
 set_priority:
 priority: 50
 min_age: 30d
+ so-logs-ti_rapid7_threat_command_x_alert:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-ti_rapid7_threat_command.alert@package
+ - logs-ti_rapid7_threat_command.alert@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-ti_rapid7_threat_command.alert@custom
+ index_patterns:
+ - logs-ti_rapid7_threat_command.alert-*
+ priority: 501
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-ti_rapid7_threat_command_x_ioc:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-ti_rapid7_threat_command.ioc@package
+ - logs-ti_rapid7_threat_command.ioc@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-ti_rapid7_threat_command.ioc@custom
+ index_patterns:
+ - logs-ti_rapid7_threat_command.ioc-*
+ priority: 501
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-ti_rapid7_threat_command_x_vulnerability:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-ti_rapid7_threat_command.vulnerability@package
+ - 
logs-ti_rapid7_threat_command.vulnerability@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-ti_rapid7_threat_command.vulnerability@custom
+ index_patterns:
+ - logs-ti_rapid7_threat_command.vulnerability-*
+ priority: 501
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
 so-logs-ti_recordedfuture_x_latest_ioc-template:
 index_sorting: false
 index_template:
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_secure_email_gateway.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_secure_email_gateway.log@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_secure_email_gateway.log@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.alert@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.alert@custom.json 
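Review bot: In the new `logs-cisco_secure_email_gateway.log@custom.json`, the four `"properties":{` lines under `host`, `related`, `destination` and `source` drop the space after the colon that every other key in the file keeps; `"properties": {` would match the surrounding formatting. The identical content is added four times (the `index 000000000..17319ab9f` header is the same for this file and the three `logs-ti_rapid7_threat_command.*@custom.json` files that follow), so a fix in one must be repeated in all four; if the component-template loader can take a shared fragment that would be easier to keep consistent, otherwise one file per data stream is acceptable. The template only forces the four `*.ip` fields to type `ip`; if the matching `@package` templates already map them that way the override is redundant but harmless — worth checking before detection content relies on CIDR matching against these fields.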
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.ioc@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.ioc@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.ioc@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.vulnerability@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.vulnerability@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.vulnerability@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+}