merge in dev
@@ -29,7 +29,11 @@
|
||||
|
||||
* See this document's [code styling and conventions section](#code-style-and-conventions) below to be sure your PR fits our code requirements prior to submitting.
|
||||
|
||||
* Minor bug fixes can be submitted immediately. However, if you are wanting to make more involved changes, please start a [discussion](https://github.com/Security-Onion-Solutions/securityonion/discussions) first and tell us what you are hoping to achieve. If we agree with your goals, then you can submit the PR.
|
||||
* Change behavior (fix a bug, add a new feature) separately from refactoring code. Refactor pull requests are welcome, but ensure your new code behaves exactly the same as the old.
|
||||
|
||||
* **Do not refactor code for non-functional reasons**. If you are submitting a pull request that refactors code, ensure the refactor is improving the functionality of the code you're refactoring (e.g. decreasing complexity, removing reliance on 3rd party tools, improving performance).
|
||||
|
||||
* Before submitting a PR with significant changes to the project, [start a discussion](https://github.com/Security-Onion-Solutions/securityonion/discussions/new) explaining what you hope to acheive. The project maintainers will provide feedback and determine whether your goal aligns with the project.
|
||||
|
||||
|
||||
### Code style and conventions
|
||||
@@ -38,3 +42,5 @@
|
||||
* All new Bash code should pass [ShellCheck](https://www.shellcheck.net/) analysis. Where errors can be *safely* [ignored](https://github.com/koalaman/shellcheck/wiki/Ignore), the relevant disable directive should be accompanied by a brief explanation as to why the error is being ignored.
|
||||
|
||||
* **Ensure all YAML (this includes Salt states and pillars) is properly formatted**. The spec for YAML v1.2 can be found [here](https://yaml.org/spec/1.2/spec.html), however there are numerous online resources with simpler descriptions of its formatting rules.
|
||||
|
||||
* **All code of any language should match the style of other code of that same language within the project.** Be sure that any changes you make do not break from the pre-existing style of Security Onion code.
|
||||
|
||||
@@ -1,14 +1,2 @@
|
||||
elasticsearch:
|
||||
templates:
|
||||
- so/so-beats-template.json.jinja
|
||||
- so/so-case-template.json.jinja
|
||||
- so/so-common-template.json.jinja
|
||||
- so/so-firewall-template.json.jinja
|
||||
- so/so-flow-template.json.jinja
|
||||
- so/so-ids-template.json.jinja
|
||||
- so/so-import-template.json.jinja
|
||||
- so/so-osquery-template.json.jinja
|
||||
- so/so-ossec-template.json.jinja
|
||||
- so/so-strelka-template.json.jinja
|
||||
- so/so-syslog-template.json.jinja
|
||||
- so/so-zeek-template.json.jinja
|
||||
|
||||
@@ -1,15 +1,2 @@
|
||||
elasticsearch:
|
||||
templates:
|
||||
- so/so-beats-template.json.jinja
|
||||
- so/so-case-template.json.jinja
|
||||
- so/so-common-template.json.jinja
|
||||
- so/so-endgame-template.json.jinja
|
||||
- so/so-firewall-template.json.jinja
|
||||
- so/so-flow-template.json.jinja
|
||||
- so/so-ids-template.json.jinja
|
||||
- so/so-import-template.json.jinja
|
||||
- so/so-osquery-template.json.jinja
|
||||
- so/so-ossec-template.json.jinja
|
||||
- so/so-strelka-template.json.jinja
|
||||
- so/so-syslog-template.json.jinja
|
||||
- so/so-zeek-template.json.jinja
|
||||
|
||||
@@ -1,15 +1,2 @@
|
||||
elasticsearch:
|
||||
templates:
|
||||
- so/so-beats-template.json.jinja
|
||||
- so/so-case-template.json.jinja
|
||||
- so/so-common-template.json.jinja
|
||||
- so/so-endgame-template.json.jinja
|
||||
- so/so-firewall-template.json.jinja
|
||||
- so/so-flow-template.json.jinja
|
||||
- so/so-ids-template.json.jinja
|
||||
- so/so-import-template.json.jinja
|
||||
- so/so-osquery-template.json.jinja
|
||||
- so/so-ossec-template.json.jinja
|
||||
- so/so-strelka-template.json.jinja
|
||||
- so/so-syslog-template.json.jinja
|
||||
- so/so-zeek-template.json.jinja
|
||||
|
||||
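--- a/salt/common/tools/sbin/so-elasticsearch-component-templates-list
+++ b/salt/common/tools/sbin/so-elasticsearch-component-templates-list
@@ -0,0 +1,23 @@
+#!/bin/bash
+#
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+. /usr/sbin/so-common
+if [ "$1" == "" ]; then
+{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort
+else
+{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template/$1 | jq
+fi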
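Review bot: `$1` is expanded unquoted into the request URL on the last curl line (`/_component_template/$1`), so a name containing whitespace or glob characters is split or expanded by the shell before curl ever sees it; quote it as `"$1"`, and apply the same fix to the sibling so-elasticsearch-index-templates-list added in this commit, which has the identical line. The `[ "$1" == "" ]` test reads more directly as `[[ -z "$1" ]]`. Since `-k` disables certificate verification for the Elasticsearch endpoint, a one-line comment stating why that is acceptable here (a locally issued certificate, if that is the reason) would keep the flag from being copied into scripts that talk to other hosts.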
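--- a/salt/common/tools/sbin/so-elasticsearch-index-templates-list
+++ b/salt/common/tools/sbin/so-elasticsearch-index-templates-list
@@ -0,0 +1,23 @@
+#!/bin/bash
+#
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+. /usr/sbin/so-common
+if [ "$1" == "" ]; then
+{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort
+else
+{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template/$1 | jq
+fi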
@@ -53,6 +53,8 @@ if [ "$CONTINUE" == "y" ]; then
|
||||
docker exec -i so-mysql mysql --user=root --password=$(lookup_pillar_secret 'mysql') -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'$NEW_IP' IDENTIFIED BY '$(lookup_pillar_secret 'mysql')' WITH GRANT OPTION;" &> /dev/null
|
||||
echo "Removing MySQL root user from $OLD_IP"
|
||||
docker exec -i so-mysql mysql --user=root --password=$(lookup_pillar_secret 'mysql') -e "DROP USER 'root'@'$OLD_IP';" &> /dev/null
|
||||
echo "Updating Kibana dashboards"
|
||||
salt-call state.apply kibana.so_savedobjects_defaults -l info queue=True
|
||||
|
||||
echo "The IP has been changed from $OLD_IP to $NEW_IP."
|
||||
|
||||
|
||||
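Review bot: The exit status of the new `salt-call state.apply kibana.so_savedobjects_defaults -l info queue=True` line is never checked, so a failed Kibana state is followed by the unconditional "The IP has been changed from $OLD_IP to $NEW_IP." message and the operator gets no hint that the dashboards may still reference the old address. By default `salt-call` exits 0 even when states fail, so the check needs `--retcode-passthrough`: `salt-call state.apply kibana.so_savedobjects_defaults -l info queue=True --retcode-passthrough || echo "WARNING: Kibana dashboard update failed; re-run 'salt-call state.apply kibana.so_savedobjects_defaults' manually" >&2`. The enclosing `if [ "$CONTINUE" == "y" ]` block opens before this hunk and closes after it.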
@@ -15,10 +15,6 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
if ! [ "$(id -u)" = 0 ]; then
|
||||
echo "This command must be run as root"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
display_help() {
|
||||
cat <<HELP_USAGE
|
||||
@@ -100,10 +96,15 @@ create_expected_container_list() {
|
||||
|
||||
}
|
||||
|
||||
# {% raw %}
|
||||
populate_container_lists() {
|
||||
# TODO: check exit code directly, not with $?
|
||||
systemctl is-active --quiet docker
|
||||
|
||||
if [[ $? = 0 ]]; then
|
||||
# TODO: look into using docker templates instead of curl and jq
|
||||
# Ex docker ps --format "{{.Names}}\t{{.State}}"
|
||||
# TODO: convert the output to an associtive array
|
||||
mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/v1.40/containers/json?all=1 \
|
||||
| jq -c '.[] | { Name: .Names[0], State: .State }' \
|
||||
| tr -d '/{"}')
|
||||
@@ -167,60 +168,55 @@ parse_status() {
|
||||
fi
|
||||
}
|
||||
|
||||
# {% raw %}
|
||||
|
||||
print_line() {
|
||||
local service_name=${1}
|
||||
local service_state="$( parse_status ${1} ${2} )"
|
||||
local columns=$(tput cols)
|
||||
local state_color="\e[0m"
|
||||
local service_name="${1}"
|
||||
local service_state="" ; service_state="$( parse_status "${1}" "${2}" )"
|
||||
# XXX: What will we do if tput isn't avalable?
|
||||
local line=""
|
||||
local PADDING_CONSTANT=""
|
||||
local columns=35 # value used if not printing to a tty
|
||||
|
||||
local PADDING_CONSTANT=15
|
||||
if (( __tty == 1 )); then
|
||||
local reset_attr; reset_attr="$(tput sgr0)" # reset all attributes
|
||||
local bold; bold="$(tput bold)"
|
||||
local red; red="$(tput setaf 1)"
|
||||
local green; green="$(tput setaf 2)"
|
||||
local yellow; yellow="$(tput setaf 3)"
|
||||
PADDING_CONSTANT=15 # whitespace + brackets + 1
|
||||
|
||||
if [[ $service_state = "$ERROR_STRING" ]] || [[ $service_state = "$MISSING_STRING" ]]; then
|
||||
state_color="\e[1;31m"
|
||||
columns=$(tput cols)
|
||||
fi
|
||||
|
||||
# construct a line of '------' so that the names and states are all aligned
|
||||
linewidth=$(( columns - PADDING_CONSTANT - ${#service_name} - ${#service_state} ))
|
||||
for i in $(seq 0 "${linewidth}"); do
|
||||
line="${line}-"
|
||||
done
|
||||
|
||||
if [[ $service_state = "$ERROR_STRING" ]] \
|
||||
|| [[ $service_state = "$MISSING_STRING" ]]; then
|
||||
state_color="${red:-}"
|
||||
if [[ "$EXITCODE" -eq 0 ]]; then
|
||||
EXITCODE=1
|
||||
fi
|
||||
elif [[ $service_state = "$SUCCESS_STRING" ]]; then
|
||||
state_color="\e[1;32m"
|
||||
elif [[ $service_state = "$PENDING_STRING" ]] || [[ $service_state = "$DISABLED_STRING" ]] || [[ $service_state = "$STARTING_STRING" ]] || [[ $service_state = "$WAIT_START_STRING" ]]; then
|
||||
state_color="\e[1;33m"
|
||||
state_color="${green:-}"
|
||||
elif [[ $service_state = "$PENDING_STRING" ]] \
|
||||
|| [[ $service_state = "$DISABLED_STRING" ]] \
|
||||
|| [[ $service_state = "$STARTING_STRING" ]] \
|
||||
|| [[ $service_state = "$WAIT_START_STRING" ]]; then
|
||||
state_color="${yellow:-}"
|
||||
EXITCODE=2
|
||||
fi
|
||||
|
||||
printf " $service_name "
|
||||
for i in $(seq 0 $(( $columns - $PADDING_CONSTANT - ${#service_name} - ${#service_state} ))); do
|
||||
printf "${state_color}%b\e[0m" "-"
|
||||
done
|
||||
printf " [ "
|
||||
printf "${state_color}%b\e[0m" "$service_state"
|
||||
printf "%s \n" " ]"
|
||||
}
|
||||
|
||||
non_term_print_line() {
|
||||
local service_name=${1}
|
||||
local service_state="$( parse_status ${1} ${2} )"
|
||||
|
||||
if [[ $service_state = "$ERROR_STRING" ]] || [[ $service_state = "$MISSING_STRING" ]]; then
|
||||
if [[ "$EXITCODE" -eq 0 ]]; then
|
||||
EXITCODE=1
|
||||
fi
|
||||
elif [[ $service_state = "$PENDING_STRING" ]] || [[ $service_state = "$DISABLED_STRING" ]] || [[ $service_state = "$STARTING_STRING" ]] || [[ $service_state = "$WAIT_START_STRING" ]]; then
|
||||
EXITCODE=2
|
||||
fi
|
||||
|
||||
printf " $service_name "
|
||||
for i in $(seq 0 $(( 35 - ${#service_name} - ${#service_state} ))); do
|
||||
printf "-"
|
||||
done
|
||||
printf " [ "
|
||||
printf "$service_state"
|
||||
printf "%s \n" " ]"
|
||||
service_state="${bold:-}${state_color:-}${service_state}${reset_attr:-}"
|
||||
line="${bold:-}${state_color:-}${line:-}${reset_attr:-}"
|
||||
printf " %s %s [ %s ] \n" "${service_name}" "${line:-}" "${service_state}"
|
||||
}
|
||||
|
||||
main() {
|
||||
|
||||
is_tty
|
||||
# if running from salt
|
||||
if [ "$CALLER" == 'salt-call' ] || [ "$CALLER" == 'salt-minion' ]; then
|
||||
printf "\n"
|
||||
@@ -228,20 +224,19 @@ main() {
|
||||
|
||||
systemctl is-active --quiet docker
|
||||
if [[ $? = 0 ]]; then
|
||||
non_term_print_line "Docker" "running"
|
||||
print_line "Docker" "running"
|
||||
else
|
||||
non_term_print_line "Docker" "exited"
|
||||
print_line "Docker" "exited"
|
||||
fi
|
||||
|
||||
populate_container_lists
|
||||
|
||||
printf "\n"
|
||||
printf "Checking container statuses\n\n"
|
||||
printf "\nChecking container statuses\n\n"
|
||||
|
||||
local num_containers=${#container_name_list[@]}
|
||||
|
||||
for i in $(seq 0 $(($num_containers - 1 ))); do
|
||||
non_term_print_line ${container_name_list[$i]} ${container_state_list[$i]}
|
||||
print_line ${container_name_list[$i]} ${container_state_list[$i]}
|
||||
done
|
||||
|
||||
printf "\n"
|
||||
@@ -257,9 +252,12 @@ main() {
|
||||
else
|
||||
print_or_parse="print_line"
|
||||
|
||||
local focus_color="\e[1;34m"
|
||||
printf "\n"
|
||||
printf "${focus_color}%b\e[0m" "Checking Docker status\n\n"
|
||||
if (( __tty == 1 )) ; then
|
||||
local bold; bold="$(tput bold)"
|
||||
local focus_color; focus_color="$(tput setaf 4)"
|
||||
local reset_attr; reset_attr="$(tput sgr0)" # reset all attributes
|
||||
fi
|
||||
printf "\n${bold}${focus_color:-}%s${reset_attr:-}\n\n" "Checking Docker status"
|
||||
fi
|
||||
|
||||
systemctl is-active --quiet docker
|
||||
@@ -272,8 +270,7 @@ main() {
|
||||
populate_container_lists
|
||||
|
||||
if [ "$QUIET" = false ]; then
|
||||
printf "\n"
|
||||
printf "${focus_color}%b\e[0m" "Checking container statuses\n\n"
|
||||
printf "\n${bold}${focus_color:-}%s${reset_attr:-}\n\n" "Checking container statuses"
|
||||
fi
|
||||
|
||||
local num_containers=${#container_name_list[@]}
|
||||
@@ -288,20 +285,30 @@ main() {
|
||||
fi
|
||||
}
|
||||
|
||||
is_tty() {
|
||||
__tty=0
|
||||
[ -t 1 ] && __tty=1
|
||||
# don't print colors if NO_COLOR is set to anything
|
||||
[ "${#NO_COLOR}" -ne 0 ] && __tty=0
|
||||
}
|
||||
|
||||
# {% endraw %}
|
||||
|
||||
if ! [ "$(id -u)" = 0 ]; then
|
||||
echo "${0}: This command must be run as root"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
while getopts ':hq' OPTION; do
|
||||
case "$OPTION" in
|
||||
h)
|
||||
display_help
|
||||
exit 0
|
||||
;;
|
||||
q)
|
||||
QUIET=true
|
||||
;;
|
||||
q) QUIET=true ;;
|
||||
\?)
|
||||
display_help
|
||||
exit 0
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
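Review bot: `is_tty` (last hunk) ends with `[ "${#NO_COLOR}" -ne 0 ] && __tty=0`, so the function's return status is 1 whenever NO_COLOR is unset or empty, which is the common case; `main` ignores that status today, but an ERR trap or `set -e` added later would abort at the first call. End the function explicitly, e.g. `[[ -n "${NO_COLOR:-}" ]] && __tty=0` followed by `return 0`. In the rewritten `print_line`, `linewidth` (and the loop variable `i`) are the only variables not declared `local`, so they leak into the caller's scope; `local linewidth; linewidth=$(( columns - PADDING_CONSTANT - ${#service_name} - ${#service_state} ))` keeps the function self-contained. Both functions are complete within their hunks.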
@@ -29,7 +29,7 @@ if [[ $# -lt 1 || $# -gt 3 ]]; then
|
||||
echo " add: Adds a new user to the identity system; requires 'email' parameter, while 'role' parameter is optional and defaults to $DEFAULT_ROLE"
|
||||
echo " addrole: Grants a role to an existing user; requires 'email' and 'role' parameters"
|
||||
echo " delrole: Removes a role from an existing user; requires 'email' and 'role' parameters"
|
||||
echo " update: Updates a user's password; requires 'email' parameter"
|
||||
echo " update: Updates a user's password and disables MFA; requires 'email' parameter"
|
||||
echo " enable: Enables a user; requires 'email' parameter"
|
||||
echo " disable: Disables a user; requires 'email' parameter"
|
||||
echo " validate: Validates that the given email address and password are acceptable; requires 'email' parameter"
|
||||
@@ -98,7 +98,7 @@ function validatePassword() {
|
||||
password=$1
|
||||
|
||||
len=$(expr length "$password")
|
||||
if [[ $len -lt 6 ]]; then
|
||||
if [[ $len -lt 8 ]]; then
|
||||
fail "Password does not meet the minimum requirements"
|
||||
fi
|
||||
if [[ $len -gt 72 ]]; then
|
||||
@@ -147,7 +147,10 @@ function updatePassword() {
|
||||
# Generate password hash
|
||||
passwordHash=$(hashPassword "$password")
|
||||
# Update DB with new hash
|
||||
echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), updated_at=datetime('now') where identity_id='${identityId}';" | sqlite3 "$databasePath"
|
||||
echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 "$databasePath"
|
||||
# Deactivate MFA
|
||||
echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp'));" | sqlite3 "$databasePath"
|
||||
echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp');" | sqlite3 "$databasePath"
|
||||
[[ $? != 0 ]] && fail "Unable to update password"
|
||||
fi
|
||||
}
|
||||
@@ -244,10 +247,12 @@ function syncElastic() {
|
||||
if [[ -f "$databasePath" && -f "$socRolesFile" ]]; then
|
||||
# Append the SOC users
|
||||
echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \
|
||||
"from identity_credential_identifiers ici, identity_credentials ic, identities i " \
|
||||
"from identity_credential_identifiers ici, identity_credentials ic, identities i, identity_credential_types ict " \
|
||||
"where " \
|
||||
" ici.identity_credential_id=ic.id " \
|
||||
" and ic.identity_id=i.id " \
|
||||
" and ict.id=ic.identity_credential_type_id " \
|
||||
" and ict.name='password' " \
|
||||
" and instr(ic.config, 'hashed_password') " \
|
||||
" and i.state == 'active' " \
|
||||
"order by ici.identifier;" | \
|
||||
@@ -261,8 +266,11 @@ function syncElastic() {
|
||||
userId=$(echo "$rolePair" | cut -d: -f2)
|
||||
role=$(echo "$rolePair" | cut -d: -f1)
|
||||
echo "select '$role:' || ici.identifier " \
|
||||
"from identity_credential_identifiers ici, identity_credentials ic " \
|
||||
"where ici.identity_credential_id=ic.id and ic.identity_id = '$userId';" | \
|
||||
"from identity_credential_identifiers ici, identity_credentials ic, identity_credential_types ict " \
|
||||
"where ici.identity_credential_id=ic.id " \
|
||||
" and ict.id=ic.identity_credential_type_id " \
|
||||
" and ict.name='password' " \
|
||||
" and ic.identity_id = '$userId';" | \
|
||||
sqlite3 "$databasePath" >> "$rolesTmpFile"
|
||||
done < "$socRolesFile"
|
||||
|
||||
|
||||
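Review bot: In `updatePassword`, the `[[ $? != 0 ]] && fail "Unable to update password"` check now sits after the two new `delete from identity_credential...` statements, so `$?` reflects only the last TOTP delete: a failure of the password `update` itself, or of the first delete, is silently ignored, and a failed TOTP delete is reported with the wrong message. Check each statement where it runs, e.g. `... | sqlite3 "$databasePath" || fail "Unable to update password"` on the update line and `... | sqlite3 "$databasePath" || fail "Unable to remove MFA credentials"` on each delete. Since this path now also removes the user's TOTP enrolment, consider printing a short notice such as `echo "MFA has been disabled for this user; they will need to re-enroll"` so the operator running `so-user update` sees that side effect. The `function updatePassword()` header is above this hunk.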
@@ -403,6 +403,7 @@ preupgrade_changes() {
|
||||
[[ "$INSTALLEDVERSION" == 2.3.50 || "$INSTALLEDVERSION" == 2.3.51 || "$INSTALLEDVERSION" == 2.3.52 || "$INSTALLEDVERSION" == 2.3.60 || "$INSTALLEDVERSION" == 2.3.61 || "$INSTALLEDVERSION" == 2.3.70 ]] && up_to_2.3.80
|
||||
[[ "$INSTALLEDVERSION" == 2.3.80 ]] && up_to_2.3.90
|
||||
[[ "$INSTALLEDVERSION" == 2.3.90 || "$INSTALLEDVERSION" == 2.3.91 ]] && up_to_2.3.100
|
||||
[[ "$INSTALLEDVERSION" == 2.3.100 ]] && up_to_2.3.110
|
||||
true
|
||||
}
|
||||
|
||||
@@ -704,7 +705,6 @@ up_to_2.3.90() {
|
||||
}
|
||||
|
||||
up_to_2.3.100() {
|
||||
echo "Updating to Security Onion 2.3.100"
|
||||
fix_wazuh
|
||||
|
||||
echo "Removing /opt/so/state files for patched Salt InfluxDB module and state. This is due to Salt being upgraded and needing to patch the files again."
|
||||
@@ -721,6 +721,12 @@ up_to_2.3.100() {
|
||||
grep -qxF " receiver:" /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml || sed -i -e '$a\ receiver:' /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml
|
||||
}
|
||||
|
||||
up_to_2.3.110() {
|
||||
echo "Updating to Security Onion 2.3.110"
|
||||
echo "Updating shard settings for Elasticsearch index templates"
|
||||
sed -i 's|shards|index_template:\n template:\n settings:\n index:\n number_of_shards|g' /opt/so/saltstack/local/pillar/global.sls
|
||||
}
|
||||
|
||||
verify_upgradespace() {
|
||||
CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
|
||||
if [ "$CURRENTSPACE" -lt "10" ]; then
|
||||
|
||||
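Review bot: The `sed -i 's|shards|index_template:...number_of_shards|g'` in `up_to_2.3.110` matches the bare substring `shards` anywhere in global.sls, so any other key or value containing that substring is rewritten as well, and the migration is not idempotent: if soup is re-run after a partial upgrade, the `number_of_shards` inserted on the previous pass is expanded again. Anchor the match to the key at the start of its line and guard the rewrite, e.g. `grep -q 'number_of_shards' /opt/so/saltstack/local/pillar/global.sls || sed -i 's|^\( *\)shards:|\1index_template:…|' /opt/so/saltstack/local/pillar/global.sls`, keeping the replacement text (whose nested indentation the rendered diff does not preserve) as in the commit. `preupgrade_changes` in the first hunk starts above this section.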
@@ -18,6 +18,10 @@ actions:
|
||||
- filtertype: pattern
|
||||
kind: regex
|
||||
value: '^(logstash-.*|so-.*)$'
|
||||
- filtertype: pattern
|
||||
kind: regex
|
||||
value: '^(so-case.*)$'
|
||||
exclude: True
|
||||
- filtertype: space
|
||||
source: creation_date
|
||||
use_age: True
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
{% set DIGITS = "1234567890" %}
|
||||
{% set LOWERCASE = "qwertyuiopasdfghjklzxcvbnm" %}
|
||||
{% set UPPERCASE = "QWERTYUIOPASDFGHJKLZXCVBNM" %}
|
||||
{% set SYMBOLS = "~!@#$^&*()-_=+[]|;:,.<>?" %}
|
||||
{% set SYMBOLS = "~!@#^&*()-_=+[]|;:,.<>?" %}
|
||||
{% set CHARS = DIGITS~LOWERCASE~UPPERCASE~SYMBOLS %}
|
||||
{% set so_elastic_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', salt['random.get_str'](72, chars=CHARS)) %}
|
||||
{% set so_kibana_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass', salt['random.get_str'](72, chars=CHARS)) %}
|
||||
|
||||
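Review bot: Dropping `$` from `SYMBOLS` has no accompanying comment, so nothing stops a later edit from restoring it; if it was removed because `$` is interpreted by the shells and templating layers that consume these generated passwords, that reasoning belongs on the line itself. Add a Jinja comment above the set, such as `{# '$' is deliberately excluded: it is expanded by shell and Jinja consumers of these passwords #}`. The slightly smaller alphabet has no practical effect on the strength of the 72-character passwords produced by `random.get_str` below.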
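--- a/salt/elasticsearch/base-template.json.jinja
+++ b/salt/elasticsearch/base-template.json.jinja
@@ -0,0 +1 @@
+{{ TEMPLATE_CONFIG | tojson(true) }}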
@@ -10,7 +10,7 @@
|
||||
{% if salt['pillar.get']('nodestab', {}) %}
|
||||
{% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client']}) %}
|
||||
{% if HIGHLANDER %}
|
||||
{% do ESCONFIG.elasticsearch.config.node.roles.append('ml', 'transform') %}
|
||||
{% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'transform']) %}
|
||||
{% endif %}
|
||||
{% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [grains.master]}}) %}
|
||||
{% for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
|
||||
|
||||
@@ -41,7 +41,7 @@ include:
|
||||
{% set ROLES = salt['pillar.get']('elasticsearch:roles', {}) %}
|
||||
{% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %}
|
||||
{% from 'elasticsearch/config.map.jinja' import ESCONFIG with context %}
|
||||
|
||||
{% from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS without context %}
|
||||
|
||||
vm.max_map_count:
|
||||
sysctl.present:
|
||||
@@ -152,8 +152,6 @@ estemplatedir:
|
||||
- group: 939
|
||||
- makedirs: True
|
||||
|
||||
|
||||
|
||||
esrolesdir:
|
||||
file.directory:
|
||||
- name: /opt/so/conf/elasticsearch/roles
|
||||
@@ -198,7 +196,26 @@ esyml:
|
||||
ESCONFIG: {{ ESCONFIG }}
|
||||
- template: jinja
|
||||
|
||||
#sync templates to /opt/so/conf/elasticsearch/templates
|
||||
escomponenttemplates:
|
||||
file.recurse:
|
||||
- name: /opt/so/conf/elasticsearch/templates/component
|
||||
- source: salt://elasticsearch/templates/component
|
||||
- user: 930
|
||||
- group: 939
|
||||
|
||||
# Auto-generate templates from defaults file
|
||||
{% for index, settings in ES_INDEX_SETTINGS.items() %}
|
||||
es_index_template_{{index}}:
|
||||
file.managed:
|
||||
- name: /opt/so/conf/elasticsearch/templates/index/{{ index }}-template.json
|
||||
- source: salt://elasticsearch/base-template.json.jinja
|
||||
- defaults:
|
||||
TEMPLATE_CONFIG: {{ settings.index_template }}
|
||||
- template: jinja
|
||||
{% endfor %}
|
||||
|
||||
{% if TEMPLATES %}
|
||||
# Sync custom templates to /opt/so/conf/elasticsearch/templates
|
||||
{% for TEMPLATE in TEMPLATES %}
|
||||
es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
|
||||
file.managed:
|
||||
@@ -212,13 +229,7 @@ es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
|
||||
- user: 930
|
||||
- group: 939
|
||||
{% endfor %}
|
||||
|
||||
escomponenttemplates:
|
||||
file.recurse:
|
||||
- name: /opt/so/conf/elasticsearch/templates/component
|
||||
- source: salt://elasticsearch/templates/component
|
||||
- user: 930
|
||||
- group: 939
|
||||
{% endif %}
|
||||
|
||||
esroles:
|
||||
file.recurse:
|
||||
@@ -380,7 +391,6 @@ so-elasticsearch-pipelines:
|
||||
- docker_container: so-elasticsearch
|
||||
- file: so-elasticsearch-pipelines-script
|
||||
|
||||
{% if TEMPLATES %}
|
||||
so-elasticsearch-templates:
|
||||
cmd.run:
|
||||
- name: /usr/sbin/so-elasticsearch-templates-load
|
||||
@@ -389,7 +399,6 @@ so-elasticsearch-templates:
|
||||
- require:
|
||||
- docker_container: so-elasticsearch
|
||||
- file: es_sync_scripts
|
||||
{% endif %}
|
||||
|
||||
so-elasticsearch-roles-load:
|
||||
cmd.run:
|
||||
|
||||
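Review bot: The generated `es_index_template_{{index}}` `file.managed` states in the third hunk set no `user`/`group`, while the neighbouring `escomponenttemplates` and `es_template_*` states pin `- user: 930` and `- group: 939`, so the rendered files under /opt/so/conf/elasticsearch/templates/index/ will be owned by whatever salt-minion runs as. Add `- user: 930` and `- group: 939` to the loop body so auto-generated and custom templates are handled alike, and unless that `index` subdirectory is created elsewhere (not visible here), `file.managed` also needs `- makedirs: True` or it fails on a fresh node. Removing the `{% if TEMPLATES %}` guard from `so-elasticsearch-templates` appears intentional now that templates are always generated, but a short comment on that state saying so would save the next reader from re-adding it.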
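--- a/salt/elasticsearch/template.map.jinja
+++ b/salt/elasticsearch/template.map.jinja
@@ -0,0 +1,7 @@
+{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %}
+{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ESCONFIG.elasticsearch.index_settings, merge=True) %}
+{% for index, settings in ES_INDEX_SETTINGS.items() %}
+{% if settings.index_sorting, False %}
+{% do settings.index_template.template.settings.index.pop('sort') %}
+{% endif %}
+{% endfor %}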
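Review bot: `{% if settings.index_sorting, False %}` is parsed by Jinja as the two-element tuple `(settings.index_sorting, False)`, which is always truthy, so the `sort` setting is popped for every index regardless of `index_sorting`; and `.pop('sort')` with no default raises when an index's settings carry no `sort` key. If the intent is to drop the sort settings when sorting is disabled, write `{% if not settings.get('index_sorting', False) %}` and `{% do settings.index_template.template.settings.index.pop('sort', None) %}`. A one-line comment above the loop stating that it strips `sort` from indices without `index_sorting` would also help, since this map is imported by init.sls and appears to modify the settings in place.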
570
salt/elasticsearch/templates/component/ecs/aws.json
Normal file
570
salt/elasticsearch/templates/component/ecs/aws.json
Normal file
@@ -0,0 +1,570 @@
|
||||
{
|
||||
"_meta": {
|
||||
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
|
||||
"ecs_version": "1.12.2"
|
||||
},
|
||||
"template": {
|
||||
"mappings": {
|
||||
"properties": {
|
||||
"aws": {
|
||||
"properties": {
|
||||
"cloudtrail": {
|
||||
"properties": {
|
||||
"additional_eventdata": {
|
||||
"fields": {
|
||||
"text": {
|
||||
"norms": false,
|
||||
"type": "text"
|
||||
}
|
||||
},
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"api_version": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"console_login": {
|
||||
"properties": {
|
||||
"additional_eventdata": {
|
||||
"properties": {
|
||||
"login_to": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"mfa_used": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"mobile_version": {
|
||||
"type": "boolean"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"digest": {
|
||||
"properties": {
|
||||
"end_time": {
|
||||
"type": "date"
|
||||
},
|
||||
"log_files": {
|
||||
"type": "nested"
|
||||
},
|
||||
"newest_event_time": {
|
||||
"type": "date"
|
||||
},
|
||||
"oldest_event_time": {
|
||||
"type": "date"
|
||||
},
|
||||
"previous_hash_algorithm": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"previous_s3_bucket": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"public_key_fingerprint": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"s3_bucket": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"s3_object": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"signature_algorithm": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"start_time": {
|
||||
"type": "date"
|
||||
}
|
||||
}
|
||||
},
|
||||
"error_code": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"error_message": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"event_category": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"event_type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"event_version": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"flattened": {
|
||||
"properties": {
|
||||
"additional_eventdata": {
|
||||
"type": "flattened"
|
||||
},
|
||||
"request_parameters": {
|
||||
"type": "flattened"
|
||||
},
|
||||
"response_elements": {
|
||||
"type": "flattened"
|
||||
},
|
||||
"service_event_details": {
|
||||
"type": "flattened"
|
||||
}
|
||||
}
|
||||
},
|
||||
"insight_details": {
|
||||
"type": "flattened"
|
||||
},
|
||||
"management_event": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"read_only": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"recipient_account_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"request_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"request_parameters": {
|
||||
"fields": {
|
||||
"text": {
|
||||
"norms": false,
|
||||
"type": "text"
|
||||
}
|
||||
},
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"resources": {
|
||||
"properties": {
|
||||
"account_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"arn": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"response_elements": {
|
||||
"fields": {
|
||||
"text": {
|
||||
"norms": false,
|
||||
"type": "text"
|
||||
}
|
||||
},
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"service_event_details": {
|
||||
"fields": {
|
||||
"text": {
|
||||
"norms": false,
|
||||
"type": "text"
|
||||
}
|
||||
},
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"shared_event_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"user_identity": {
|
||||
"properties": {
|
||||
"access_key_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"arn": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"invoked_by": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"session_context": {
|
||||
"properties": {
|
||||
"creation_date": {
|
||||
"type": "date"
|
||||
},
|
||||
"mfa_authenticated": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"session_issuer": {
|
||||
"properties": {
|
||||
"account_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"arn": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"principal_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"vpc_endpoint_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"cloudwatch": {
|
||||
"properties": {
|
||||
"message": {
|
||||
"norms": false,
|
||||
"type": "text"
|
||||
}
|
||||
}
|
||||
},
|
||||
"ec2": {
|
||||
"properties": {
|
||||
"ip_address": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"elb": {
|
||||
"properties": {
|
||||
"action_executed": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"backend": {
|
||||
"properties": {
|
||||
"http": {
|
||||
"properties": {
|
||||
"response": {
|
||||
"properties": {
|
||||
"status_code": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"ip": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"port": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"backend_processing_time": {
|
||||
"properties": {
|
||||
"sec": {
|
||||
"type": "float"
|
||||
}
|
||||
}
|
||||
},
|
||||
"chosen_cert": {
|
||||
"properties": {
|
||||
"arn": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"serial": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"classification": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"classification_reason": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"connection_time": {
|
||||
"properties": {
|
||||
"ms": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"error": {
|
||||
"properties": {
|
||||
"reason": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"incoming_tls_alert": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"listener": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"matched_rule_priority": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"protocol": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"redirect_url": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"request_processing_time": {
|
||||
"properties": {
|
||||
"sec": {
|
||||
"type": "float"
|
||||
}
|
||||
}
|
||||
},
|
||||
"response_processing_time": {
|
||||
"properties": {
|
||||
"sec": {
|
||||
"type": "float"
|
||||
}
|
||||
}
|
||||
},
|
||||
"ssl_cipher": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"ssl_protocol": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"target_group": {
|
||||
"properties": {
|
||||
"arn": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"target_port": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"target_status_code": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"tls_handshake_time": {
|
||||
"properties": {
|
||||
"ms": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"tls_named_group": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"trace_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"s3access": {
|
||||
"properties": {
|
||||
"authentication_type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"bucket": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"bucket_owner": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"bytes_sent": {
|
||||
"type": "long"
|
||||
},
|
||||
"cipher_suite": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"error_code": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"host_header": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"host_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"http_status": {
|
||||
"type": "long"
|
||||
},
|
||||
"key": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"object_size": {
|
||||
"type": "long"
|
||||
},
|
||||
"operation": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"referrer": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"remote_ip": {
|
||||
"type": "ip"
|
||||
},
|
||||
"request_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"request_uri": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"requester": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"signature_version": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"tls_version": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"total_time": {
|
||||
"type": "long"
|
||||
},
|
||||
"turn_around_time": {
|
||||
"type": "long"
|
||||
},
|
||||
"user_agent": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"version_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"vpcflow": {
|
||||
"properties": {
|
||||
"account_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"action": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"instance_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"interface_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"log_status": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"pkt_dstaddr": {
|
||||
"type": "ip"
|
||||
},
|
||||
"pkt_srcaddr": {
|
||||
"type": "ip"
|
||||
},
|
||||
"subnet_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"tcp_flags": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"tcp_flags_array": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"version": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"vpc_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
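--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/azure.json
@@ -0,0 +1,604 @@
+{
+"_meta": {
+"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+"ecs_version": "1.12.2"
+},
+"template": {
+"mappings": {
+"properties": {
+"azure": {
+"properties": {
+"activitylogs": {
+"properties": {
+"category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"event_category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"identity": {
+"properties": {
+"authorization": {
+"properties": {
+"action": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"evidence": {
+"properties": {
+"principal_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"principal_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"role": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"role_assignment_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"role_assignment_scope": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"role_definition_id": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"scope": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"claims": {
+"properties": {
+"*": {
+"type": "object"
+}
+}
+},
+"claims_initiated_by_user": {
+"properties": {
+"fullname": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"givenname": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"schema": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"surname": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+},
+"operation_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"properties": {
+"type": "flattened"
+},
+"result_signature": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"result_type": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"auditlogs": {
+"properties": {
+"category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"identity": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"operation_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"operation_version": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"properties": {
+"properties": {
+"activity_datetime": {
+"type": "date"
+},
+"activity_display_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"correlation_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"initiated_by": {
+"properties": {
+"app": {
+"properties": {
+"appId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"displayName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"servicePrincipalId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"servicePrincipalName": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"user": {
+"properties": {
+"displayName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ipAddress": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"userPrincipalName": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+},
+"logged_by_service": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"operation_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"result": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"result_reason": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"target_resources": {
+"properties": {
+"*": {
+"properties": {
+"display_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ip_address": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"modified_properties": {
+"properties": {
+"*": {
+"properties": {
+"display_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"new_value": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"old_value": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+},
+"type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"user_principal_name": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+},
+"result_signature": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"tenant_id": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"consumer_group": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"correlation_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"enqueued_time": {
+"type": "date"
+},
+"eventhub": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"offset": {
+"type": "long"
+},
+"partition_id": {
+"type": "long"
+},
+"platformlogs": {
+"properties": {
+"ActivityId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Caller": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Cloud": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Environment": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"EventTimeString": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ScaleUnit": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ccpNamespace": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"event_category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"operation_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"properties": {
+"type": "flattened"
+},
+"result_signature": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"result_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"status": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"resource": {
+"properties": {
+"authorization_rule": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"group": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"namespace": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"provider": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"sequence_number": {
+"type": "long"
+},
+"signinlogs": {
+"properties": {
+"category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"identity": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"operation_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"operation_version": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"properties": {
+"properties": {
+"app_display_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"app_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"authentication_processing_details": {
+"type": "flattened"
+},
+"authentication_requirement": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"authentication_requirement_policies": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"autonomous_system_number": {
+"type": "long"
+},
+"client_app_used": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"conditional_access_status": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"correlation_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"created_at": {
+"type": "date"
+},
+"cross_tenant_access_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"device_detail": {
+"properties": {
+"browser": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"device_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"display_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"operating_system": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"trust_type": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"flagged_for_review": {
+"type": "boolean"
+},
+"home_tenant_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"is_interactive": {
+"type": "boolean"
+},
+"is_tenant_restricted": {
+"type": "boolean"
+},
+"original_request_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"processing_time_ms": {
+"type": "float"
+},
+"resource_display_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"resource_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"resource_tenant_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"risk_detail": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"risk_event_types": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"risk_event_types_v2": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"risk_level_aggregated": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"risk_level_during_signin": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"risk_state": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"service_principal_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"service_principal_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sso_extension_version": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"status": {
+"properties": {
+"error_code": {
+"type": "long"
+}
+}
+},
+"token_issuer_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"token_issuer_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"user_display_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"user_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"user_principal_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"user_type": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"result_description": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"result_signature": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"result_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"tenant_id": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"subscription_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"tenant_id": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+}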
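Review bot: `initiated_by.user.ipAddress` and `target_resources.*.ip_address` in the auditlogs mapping are `keyword`, so CIDR and range queries against them (the usual way to separate expected egress ranges from anomalous sign-in or audit sources) will not work, whereas the AWS and CEF templates in this same commit map addresses as `ip`. If Azure reliably emits a well-formed address in those fields, `"ipAddress": {"type": "ip", "ignore_malformed": true}` would enable that without rejecting an occasional empty or placeholder value; if these mappings are copied verbatim from the upstream Filebeat Azure module, saying so in the commit message would spare the next reader the same question. The `"*"` entries under `claims`, `target_resources` and `modified_properties` look carried over from the module's `fields.yml` wildcard names; as far as I know Elasticsearch treats `*` inside `properties` as a literal field name, so those sub-mappings document intent but do not constrain the dynamically created fields that actually arrive.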
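--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/cef.json
@@ -0,0 +1,772 @@
+{
+"_meta": {
+"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+"ecs_version": "1.12.2"
+},
+"template": {
+"mappings": {
+"properties": {
+"cef": {
+"properties": {
+"device": {
+"properties": {
+"event_class_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"product": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"vendor": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"version": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"extensions": {
+"properties": {
+"Reason": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"agentAddress": {
+"type": "ip"
+},
+"agentDnsDomain": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"agentHostName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"agentId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"agentMacAddress": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"agentNtDomain": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"agentReceiptTime": {
+"type": "date"
+},
+"agentTimeZone": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"agentTranslatedAddress": {
+"type": "ip"
+},
+"agentTranslatedZoneExternalID": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"agentTranslatedZoneURI": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"agentType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"agentVersion": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"agentZoneExternalID": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"agentZoneURI": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"applicationProtocol": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"baseEventCount": {
+"type": "long"
+},
+"bytesIn": {
+"type": "long"
+},
+"bytesOut": {
+"type": "long"
+},
+"categoryBehavior": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"categoryDeviceGroup": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"categoryDeviceType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"categoryObject": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"categoryOutcome": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"categorySignificance": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"categoryTechnique": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"cp_app_risk": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"cp_severity": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"customerExternalID": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"customerURI": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destinationAddress": {
+"type": "ip"
+},
+"destinationDnsDomain": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destinationGeoLatitude": {
+"type": "double"
+},
+"destinationGeoLongitude": {
+"type": "double"
+},
+"destinationHostName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destinationMacAddress": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destinationNtDomain": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destinationPort": {
+"type": "long"
+},
+"destinationProcessId": {
+"type": "long"
+},
+"destinationProcessName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destinationServiceName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destinationTranslatedAddress": {
+"type": "ip"
+},
+"destinationTranslatedPort": {
+"type": "long"
+},
+"destinationTranslatedZoneExternalID": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destinationTranslatedZoneURI": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destinationUserId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destinationUserName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destinationUserPrivileges": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destinationZoneExternalID": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destinationZoneURI": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceAction": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceAddress": {
+"type": "ip"
+},
+"deviceCustomDate1": {
+"type": "date"
+},
+"deviceCustomDate1Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomDate2": {
+"type": "date"
+},
+"deviceCustomDate2Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomFloatingPoint1": {
+"type": "double"
+},
+"deviceCustomFloatingPoint1Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomFloatingPoint2": {
+"type": "double"
+},
+"deviceCustomFloatingPoint2Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomFloatingPoint3": {
+"type": "double"
+},
+"deviceCustomFloatingPoint3Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomFloatingPoint4": {
+"type": "double"
+},
+"deviceCustomFloatingPoint4Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomIPv6Address1": {
+"type": "ip"
+},
+"deviceCustomIPv6Address1Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomIPv6Address2": {
+"type": "ip"
+},
+"deviceCustomIPv6Address2Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomIPv6Address3": {
+"type": "ip"
+},
+"deviceCustomIPv6Address3Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomIPv6Address4": {
+"type": "ip"
+},
+"deviceCustomIPv6Address4Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomNumber1": {
+"type": "long"
+},
+"deviceCustomNumber1Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomNumber2": {
+"type": "long"
+},
+"deviceCustomNumber2Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomNumber3": {
+"type": "long"
+},
+"deviceCustomNumber3Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomString1": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomString1Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomString2": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomString2Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomString3": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomString3Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomString4": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomString4Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomString5": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomString5Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomString6": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceCustomString6Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceDirection": {
+"type": "long"
+},
+"deviceDnsDomain": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceEventCategory": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceExternalId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceFacility": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceFlexNumber1": {
+"type": "long"
+},
+"deviceFlexNumber1Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceFlexNumber2": {
+"type": "long"
+},
+"deviceFlexNumber2Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceHostName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceInboundInterface": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceMacAddress": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceNtDomain": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceOutboundInterface": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"devicePayloadId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceProcessId": {
+"type": "long"
+},
+"deviceProcessName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceReceiptTime": {
+"type": "date"
+},
+"deviceTimeZone": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceTranslatedAddress": {
+"type": "ip"
+},
+"deviceTranslatedZoneExternalID": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceTranslatedZoneURI": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceZoneExternalID": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceZoneURI": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"endTime": {
+"type": "date"
+},
+"eventId": {
+"type": "long"
+},
+"eventOutcome": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"externalId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"fileCreateTime": {
+"type": "date"
+},
+"fileHash": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"fileId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"fileModificationTime": {
+"type": "date"
+},
+"filePath": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"filePermission": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"fileSize": {
+"type": "long"
+},
+"fileType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"filename": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"flexDate1": {
+"type": "date"
+},
+"flexDate1Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"flexString1": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"flexString1Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"flexString2": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"flexString2Label": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ifname": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"inzone": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"layer_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"layer_uuid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"logid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"loguid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"managerReceiptTime": {
+"type": "date"
+},
+"match_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"message": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"nat_addtnl_rulenum": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"nat_rulenum": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"oldFileCreateTime": {
+"type": "date"
+},
+"oldFileHash": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"oldFileId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"oldFileModificationTime": {
+"type": "date"
+},
+"oldFileName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"oldFilePath": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"oldFilePermission": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"oldFileSize": {
+"type": "long"
+},
+"oldFileType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"origin": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"originsicname": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"outzone": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"parent_rule": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"product": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"rawEvent": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"requestClientApplication": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"requestContext": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"requestCookies": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"requestMethod": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"requestUrl": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"rule_action": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"rule_uid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sequencenum": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"service_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sourceAddress": {
+"type": "ip"
+},
+"sourceDnsDomain": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sourceGeoLatitude": {
+"type": "double"
+},
+"sourceGeoLongitude": {
+"type": "double"
+},
+"sourceHostName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sourceMacAddress": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sourceNtDomain": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sourcePort": {
+"type": "long"
+},
+"sourceProcessId": {
+"type": "long"
+},
+"sourceProcessName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sourceServiceName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sourceTranslatedAddress": {
+"type": "ip"
+},
+"sourceTranslatedPort": {
+"type": "long"
+},
+"sourceTranslatedZoneExternalID": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sourceTranslatedZoneURI": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sourceUserId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sourceUserName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sourceUserPrivileges": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sourceZoneExternalID": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sourceZoneURI": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"startTime": {
+"type": "date"
+},
+"transportProtocol": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"type": {
+"type": "long"
+},
+"version": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"severity": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"version": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+}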
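Review bot: `rawEvent`, `requestUrl`, `requestCookies` and `message` under `cef.extensions` are `keyword` fields with `ignore_above: 1024`, so any value longer than 1024 characters stays in `_source` but is not indexed and silently never matches a query — and long URLs, cookie blobs and raw events are exactly what a hunt for injection or exfiltration payloads targets. If these mappings are copied verbatim from the upstream Filebeat CEF module, noting that in the commit message would pre-empt the question; otherwise a larger limit such as `"requestUrl": {"ignore_above": 8192, "type": "keyword"}` (Lucene's hard cap is 32766 bytes per term) or, where the cluster's Elasticsearch version and licence offer it, the `wildcard` type would keep those values searchable. Nothing in this section shows what feeds these fields, so whether 1024 is actually exceeded in practice can only be confirmed against real ingest data.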
1615
salt/elasticsearch/templates/component/ecs/checkpoint.json
Normal file
1615
salt/elasticsearch/templates/component/ecs/checkpoint.json
Normal file
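--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/cisco.json
@@ -0,0 +1,620 @@
+{
+"_meta": {
+"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+"ecs_version": "1.12.2"
+},
+"template": {
+"mappings": {
+"properties": {
+"cisco": {
+"properties": {
+"amp": {
+"properties": {
+"bp_data": {
+"type": "flattened"
+},
+"cloud_ioc": {
+"properties": {
+"description": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"short_description": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"command_line": {
+"properties": {
+"arguments": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"computer": {
+"properties": {
+"active": {
+"type": "boolean"
+},
+"connector_guid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"external_ip": {
+"type": "ip"
+},
+"network_addresses": {
+"type": "flattened"
+}
+}
+},
+"connector_guid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"detection": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"detection_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"error": {
+"properties": {
+"description": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"error_code": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"event_type_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"file": {
+"properties": {
+"archived_file": {
+"properties": {
+"disposition": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"identity": {
+"properties": {
+"md5": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sha1": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sha256": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+},
+"attack_details": {
+"properties": {
+"application": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"attacked_module": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"base_address": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"indicators": {
+"type": "flattened"
+},
+"suspicious_files": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"disposition": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"parent": {
+"properties": {
+"disposition": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+},
+"group_guids": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"mitre_tactics": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"mitre_techniques": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"network_info": {
+"properties": {
+"disposition": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"nfm": {
+"properties": {
+"direction": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"parent": {
+"properties": {
+"disposition": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"identify": {
+"properties": {
+"sha256": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"identity": {
+"properties": {
+"md5": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sha1": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+},
+"related": {
+"properties": {
+"cve": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"mac": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"scan": {
+"properties": {
+"clean": {
+"type": "boolean"
+},
+"description": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"malicious_detections": {
+"type": "long"
+},
+"scanned_files": {
+"type": "long"
+},
+"scanned_paths": {
+"type": "long"
+},
+"scanned_processes": {
+"type": "long"
+}
+}
+},
+"tactics": {
+"type": "flattened"
+},
+"techniques": {
+"type": "flattened"
+},
+"threat_hunting": {
+"properties": {
+"incident_end_time": {
+"type": "date"
+},
+"incident_hunt_guid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"incident_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"incident_remediation": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"incident_report_guid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"incident_start_time": {
+"type": "date"
+},
+"incident_summary": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"incident_title": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"severity": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"tactics": {
+"type": "flattened"
+},
+"techniques": {
+"type": "flattened"
+}
+}
+},
+"timestamp_nanoseconds": {
+"type": "date"
+},
+"vulnerabilities": {
+"type": "flattened"
+}
+}
+},
+"asa": {
+"properties": {
+"assigned_ip": {
+"type": "ip"
+},
+"burst": {
+"properties": {
+"avg_rate": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"configured_avg_rate": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"configured_rate": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"cumulative_count": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"current_rate": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"object": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"command_line_arguments": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"connection_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"connection_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"dap_records": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destination_interface": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destination_username": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"icmp_code": {
+"type": "short"
+},
+"icmp_type": {
+"type": "short"
+},
+"mapped_destination_host": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"mapped_destination_ip": {
+"type": "ip"
+},
+"mapped_destination_port": {
+"type": "long"
+},
+"mapped_source_host": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"mapped_source_ip": {
+"type": "ip"
+},
+"mapped_source_port": {
+"type": "long"
+},
+"message_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"privilege": {
+"properties": {
+"new": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"old": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"rule_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"session_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"source_interface": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"source_username": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"suffix": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"termination_initiator": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"termination_user": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"threat_category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"threat_level": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"tunnel_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"webvpn": {
+"properties": {
+"group_name": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+},
+"ftd": {
+"properties": {
+"connection_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"connection_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"dap_records": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destination_interface": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destination_username": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"icmp_code": {
+"type": "short"
+},
+"icmp_type": {
+"type": "short"
+},
+"mapped_destination_host": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"mapped_destination_ip": {
+"type": "ip"
+},
+"mapped_destination_port": {
+"type": "long"
+},
+"mapped_source_host": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"mapped_source_ip": {
+"type": "ip"
+},
+"mapped_source_port": {
+"type": "long"
+},
+"message_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"rule_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"security": {
+"type": "object"
+},
+"source_interface": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"source_username": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"suffix": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"termination_initiator": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"termination_user": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"threat_category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"threat_level": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"webvpn": {
+"properties": {
+"group_name": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+},
+"ios": {
+"properties": {
+"access_list": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"facility": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"umbrella": {
+"properties": {
+"amp_disposition": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"amp_malware_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"amp_score": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"av_detections": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"blocked_categories": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"categories": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"content_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"datacenter": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"identities": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"identity_types": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"origin_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"policy_identity_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"puas": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sha_sha256": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+}
+}
+}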
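Review bot: `cisco.amp.command_line.arguments` (the `"arguments"` entry under `"command_line"`) and `cisco.asa.command_line_arguments` are keyword fields with `"ignore_above": 1024`, so a command line longer than 1024 characters stays in `_source` but is silently not indexed and cannot be searched or aggregated, and long argument strings are exactly what detection content tends to look for. Consider a larger `ignore_above` or a `text`/`match_only_text` multi-field on these two entries; the same applies to `cyberarkpas.audit.extra_details.command` in cyberark.json. Separately, `cisco.amp.timestamp_nanoseconds` is mapped `"type": "date"`, which has millisecond resolution, so if the source really delivers nanosecond values `"type": "date_nanos"` would preserve them. `cisco.ftd.security` is a bare `"type": "object"` with no `properties`, so which subfields get mapped depends entirely on the template's dynamic-mapping setting, which is not visible here.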
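--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/cyberark.json
@@ -0,0 +1,305 @@
+{
+"_meta": {
+"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+"ecs_version": "1.12.2"
+},
+"template": {
+"mappings": {
+"properties": {
+"cyberarkpas": {
+"properties": {
+"audit": {
+"properties": {
+"action": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ca_properties": {
+"properties": {
+"address": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"cpm_disabled": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"cpm_error_details": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"cpm_status": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"creation_method": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"customer": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"database": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"device_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"dual_account_status": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"group_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"in_process": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"index": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"last_fail_date": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"last_success_change": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"last_success_reconciliation": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"last_success_verification": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"last_task": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"logon_domain": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"other": {
+"type": "flattened"
+},
+"policy_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"port": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"privcloud": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"reset_immediately": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"retries_count": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sequence_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"tags": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"user_dn": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"user_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"virtual_username": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"desc": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"extra_details": {
+"properties": {
+"ad_process_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ad_process_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"application_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"command": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"connection_component_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"dst_host": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"logon_account": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"managed_account": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"other": {
+"type": "flattened"
+},
+"process_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"process_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"protocol": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"psmid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"session_duration": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"session_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"src_host": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"username": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"file": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"gateway_station": {
+"type": "ip"
+},
+"hostname": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"iso_timestamp": {
+"type": "date"
+},
+"issuer": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"location": {
+"doc_values": false,
+"ignore_above": 4096,
+"index": false,
+"type": "keyword"
+},
+"message": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"message_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"product": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"pvwa_details": {
+"type": "flattened"
+},
+"raw": {
+"doc_values": false,
+"ignore_above": 4096,
+"index": false,
+"type": "keyword"
+},
+"reason": {
+"norms": false,
+"type": "text"
+},
+"rfc5424": {
+"type": "boolean"
+},
+"safe": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"severity": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"source_user": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"station": {
+"type": "ip"
+},
+"target_user": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"timestamp": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"vendor": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"version": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+}
+}
+}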
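Review bot: `cyberarkpas.audit.station` and `cyberarkpas.audit.gateway_station` are mapped `"type": "ip"` with no `ignore_malformed` setting, so a value that does not parse as an IP (a hostname, an empty string) rejects the whole document unless an ingest pipeline or index-level setting handles it, neither of which is visible in this commit. For a privileged-access audit log that failure mode is a silent gap in the record rather than one bad field, so either confirm the pipeline normalises these two values or add `"ignore_malformed": true` to the two entries. The `ip`-typed fields in cisco.json and gcp.json carry the same exposure.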
@@ -0,0 +1,25 @@
|
||||
{
|
||||
"_meta": {
|
||||
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
|
||||
"ecs_version": "1.12.2"
|
||||
},
|
||||
"template": {
|
||||
"mappings": {
|
||||
"properties": {
|
||||
"@timestamp": {
|
||||
"type": "date"
|
||||
},
|
||||
"labels": {
|
||||
"type": "object"
|
||||
},
|
||||
"message": {
|
||||
"type": "match_only_text"
|
||||
},
|
||||
"tags": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
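Review bot: `labels` is mapped as a bare `"type": "object"` with no `dynamic` setting, so whether each new key a producer writes under labels becomes a permanent mapped field is decided by the template's inherited dynamic setting, and with dynamic mapping on the mapping grows with whatever upstream sends. This matches how ECS itself declares labels, so the point is only that the dynamic behaviour should be settled deliberately (for example `"dynamic": true` stated explicitly, or `"type": "flattened"` as this commit already uses for open-ended objects). The file header for this 25-line hunk is not visible on the page, so the template it belongs to cannot be confirmed from here; `message` as `match_only_text` also needs a cluster recent enough to support that type.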
1627
salt/elasticsearch/templates/component/ecs/fortinet.json
Normal file
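--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/gcp.json
@@ -0,0 +1,267 @@
+{
+"_meta": {
+"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+"ecs_version": "1.12.2"
+},
+"template": {
+"mappings": {
+"properties": {
+"gcp": {
+"properties": {
+"audit": {
+"properties": {
+"authentication_info": {
+"properties": {
+"authority_selector": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"principal_email": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"method_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"num_response_items": {
+"type": "long"
+},
+"request": {
+"properties": {
+"filter": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"proto_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"resource_name": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"request_metadata": {
+"properties": {
+"caller_ip": {
+"type": "ip"
+},
+"caller_supplied_user_agent": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"resource_location": {
+"properties": {
+"current_locations": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"resource_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"response": {
+"properties": {
+"details": {
+"properties": {
+"group": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"kind": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"uid": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"proto_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"status": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"service_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"status": {
+"properties": {
+"code": {
+"type": "long"
+},
+"message": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"type": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"destination": {
+"properties": {
+"instance": {
+"properties": {
+"project_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"region": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"zone": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"vpc": {
+"properties": {
+"project_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"subnetwork_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"vpc_name": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+},
+"firewall": {
+"properties": {
+"rule_details": {
+"properties": {
+"action": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"destination_range": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"direction": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"priority": {
+"type": "long"
+},
+"reference": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"source_range": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"source_service_account": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"source_tag": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"target_service_account": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"target_tag": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+},
+"source": {
+"properties": {
+"instance": {
+"properties": {
+"project_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"region": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"zone": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"vpc": {
+"properties": {
+"project_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"subnetwork_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"vpc_name": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+},
+"vpcflow": {
+"properties": {
+"reporter": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"rtt": {
+"properties": {
+"ms": {
+"type": "long"
+}
+}
+}
+}
+}
+}
+}
+}
+}
+}
+}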
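Review bot: `gcp.audit.request_metadata.caller_ip` is mapped `"type": "ip"`, but GCP audit log entries for internal or Google-initiated calls can carry non-address placeholder strings in `requestMetadata.callerIp` rather than an IP, and each such event would be rejected at index time unless the ingest pipeline drops the value first or the entry sets `"ignore_malformed": true`. Those are precisely the service-to-service actions an investigator may need, so it is worth confirming how the pipeline treats that field before this mapping goes live. A smaller design point: `gcp.firewall.rule_details.source_range` and `destination_range` are keyword fields, so if they hold CIDR blocks `"type": "ip_range"` would allow a single address to be matched against a rule's range, which a keyword cannot do.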
750
salt/elasticsearch/templates/component/ecs/google_workspace.json
Normal file
@@ -0,0 +1,750 @@
|
||||
{
|
||||
"_meta": {
|
||||
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
|
||||
"ecs_version": "1.12.2"
|
||||
},
|
||||
"template": {
|
||||
"mappings": {
|
||||
"properties": {
|
||||
"google_workspace": {
|
||||
"properties": {
|
||||
"actor": {
|
||||
"properties": {
|
||||
"key": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"admin": {
|
||||
"properties": {
|
||||
"alert": {
|
||||
"properties": {
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"api": {
|
||||
"properties": {
|
||||
"client": {
|
||||
"properties": {
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"scopes": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"application": {
|
||||
"properties": {
|
||||
"asp_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"edition": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"enabled": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"licences_order_number": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"licences_purchased": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"package_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"bulk_upload": {
|
||||
"properties": {
|
||||
"failed": {
|
||||
"type": "long"
|
||||
},
|
||||
"total": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"chrome_licenses": {
|
||||
"properties": {
|
||||
"allowed": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"enabled": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"chrome_os": {
|
||||
"properties": {
|
||||
"session_type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"device": {
|
||||
"properties": {
|
||||
"command_details": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"serial_number": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"distribution": {
|
||||
"properties": {
|
||||
"entity": {
|
||||
"properties": {
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"domain": {
|
||||
"properties": {
|
||||
"alias": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"secondary_name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"email": {
|
||||
"properties": {
|
||||
"log_search_filter": {
|
||||
"properties": {
|
||||
"end_date": {
|
||||
"type": "date"
|
||||
},
|
||||
"message_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"recipient": {
|
||||
"properties": {
|
||||
"ip": {
|
||||
"type": "ip"
|
||||
},
|
||||
"value": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"sender": {
|
||||
"properties": {
|
||||
"ip": {
|
||||
"type": "ip"
|
||||
},
|
||||
"value": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"start_date": {
|
||||
"type": "date"
|
||||
}
|
||||
}
|
||||
},
|
||||
"quarantine_name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"email_dump": {
|
||||
"properties": {
|
||||
"include_deleted": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"package_content": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"query": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"email_monitor": {
|
||||
"properties": {
|
||||
"dest_email": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"level": {
|
||||
"properties": {
|
||||
"chat": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"draft": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"incoming": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"outgoing": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"field": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"gateway": {
|
||||
"properties": {
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"group": {
|
||||
"properties": {
|
||||
"allowed_list": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"email": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"priorities": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"info_type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"managed_configuration": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"mdm": {
|
||||
"properties": {
|
||||
"token": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"vendor": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"mobile": {
|
||||
"properties": {
|
||||
"action": {
|
||||
"properties": {
|
||||
"id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"certificate": {
|
||||
"properties": {
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"company_owned_devices": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"new_value": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"non_featured_services_selection": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"oauth2": {
|
||||
"properties": {
|
||||
"application": {
|
||||
"properties": {
|
||||
"id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"service": {
|
||||
"properties": {
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"old_value": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"org_unit": {
|
||||
"properties": {
|
||||
"full": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"print_server": {
|
||||
"properties": {
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"printer": {
|
||||
"properties": {
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"privilege": {
|
||||
"properties": {
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"product": {
|
||||
"properties": {
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"sku": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"request": {
|
||||
"properties": {
|
||||
"id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"resource": {
|
||||
"properties": {
|
||||
"id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"role": {
|
||||
"properties": {
|
||||
"id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"rule": {
|
||||
"properties": {
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"service": {
|
||||
"properties": {
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"setting": {
|
||||
"properties": {
|
||||
"description": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"url": {
|
||||
"properties": {
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"user": {
|
||||
"properties": {
|
||||
"birthdate": {
|
||||
"type": "date"
|
||||
},
|
||||
"email": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"nickname": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"user_defined_setting": {
|
||||
"properties": {
|
||||
"name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"verification_method": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"drive": {
|
||||
"properties": {
|
||||
"added_role": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"billable": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"destination_folder_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"destination_folder_title": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"file": {
|
||||
"properties": {
|
||||
"id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"owner": {
|
||||
"properties": {
|
||||
"email": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"is_shared_drive": {
|
||||
"type": "boolean"
|
||||
}
|
||||
}
|
||||
},
|
||||
"type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"membership_change_type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"new_value": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"old_value": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"old_visibility": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"originating_app_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"primary_event": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"removed_role": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"shared_drive_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"shared_drive_settings_change_type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"sheets_import_range_recipient_doc": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"source_folder_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"source_folder_title": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"target": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"target_domain": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"visibility": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"visibility_change": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"event": {
|
||||
"properties": {
|
||||
"type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"groups": {
|
||||
"properties": {
|
||||
"acl_permission": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"email": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"member": {
|
||||
"properties": {
|
||||
"email": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"role": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"message": {
|
||||
"properties": {
|
||||
"id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"moderation_action": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"new_value": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"old_value": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"setting": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"status": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"value": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"kind": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"login": {
|
||||
"properties": {
|
||||
"affected_email_address": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"challenge_method": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"failure_type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"is_second_factor": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"is_suspicious": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"organization": {
|
||||
"properties": {
|
||||
"domain": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"saml": {
|
||||
"properties": {
|
||||
"application_name": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"failure_type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"initiated_by": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"orgunit_path": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"second_level_status_code": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"status_code": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
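--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/juniper.json
@@ -0,0 +1,378 @@
+{
+"_meta": {
+"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+"ecs_version": "1.12.2"
+},
+"template": {
+"mappings": {
+"properties": {
+"juniper": {
+"properties": {
+"srx": {
+"properties": {
+"action": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"action_detail": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"alert": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"apbr_rule_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"application": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"application_category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"application_characteristics": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"application_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"application_sub_category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"attack_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"client_ip": {
+"type": "ip"
+},
+"connection_hit_rate": {
+"type": "long"
+},
+"connection_tag": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"context_hit_rate": {
+"type": "long"
+},
+"context_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"context_value": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"context_value_hit_rate": {
+"type": "long"
+},
+"ddos_application_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"dscp_value": {
+"type": "long"
+},
+"dst_nat_rule_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"dst_nat_rule_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"dst_vrf_grp": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"elapsed_time": {
+"type": "date"
+},
+"encrypted": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"epoch_time": {
+"type": "date"
+},
+"error_code": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"error_message": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"export_id": {
+"type": "long"
+},
+"feed_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"file_category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"file_hash_lookup": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"file_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"filename": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"hostname": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"icmp_type": {
+"type": "long"
+},
+"inbound_bytes": {
+"type": "long"
+},
+"inbound_packets": {
+"type": "long"
+},
+"index": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"logical_system_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"malware_info": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"message": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"message_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"nat_connection_tag": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"nested_application": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"obj": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"occur_count": {
+"type": "long"
+},
+"outbound_bytes": {
+"type": "long"
+},
+"outbound_packets": {
+"type": "long"
+},
+"packet_log_id": {
+"type": "long"
+},
+"peer_destination_address": {
+"type": "ip"
+},
+"peer_destination_port": {
+"type": "long"
+},
+"peer_session_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"peer_source_address": {
+"type": "ip"
+},
+"peer_source_port": {
+"type": "long"
+},
+"policy_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"process": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"profile": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"profile_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"protocol": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"protocol_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"protocol_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"reason": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"repeat_count": {
+"type": "long"
+},
+"roles": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"routing_instance": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"rule_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ruleebase_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sample_sha256": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"secure_web_proxy_session_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"service_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"session_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"session_id_32": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"src_nat_rule_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"src_nat_rule_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"src_vrf_grp": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"state": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"status": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sub_category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"tag": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"temporary_filename": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"tenant_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"th": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"threat_severity": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"time_count": {
+"type": "long"
+},
+"time_period": {
+"type": "long"
+},
+"time_scope": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"timestamp": {
+"type": "date"
+},
+"type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"uplink_rx_bytes": {
+"type": "long"
+},
+"uplink_tx_bytes": {
+"type": "long"
+},
+"url": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"username": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"verdict_number": {
+"type": "long"
+},
+"verdict_source": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+}
+}
+}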
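Review bot: `juniper.srx.elapsed_time` is mapped as `"type": "date"` while its name (and the neighbouring `time_count`/`time_period` longs) suggests a session duration; if the SRX sends a plain seconds count, Elasticsearch will either interpret it as epoch milliseconds and index a 1970 timestamp or, for a non-numeric value, reject the whole event, because none of the date or `ip` fields here set `ignore_malformed`. Consider `"elapsed_time": { "type": "long" }`, or at least `"ignore_malformed": true` on `elapsed_time`, `epoch_time`, `client_ip` and the `peer_*_address` fields so one bad token does not drop a firewall log line. Whether the value is a duration or a timestamp should be confirmed against actual SRX output before changing the type.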
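--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/kibana.json
@@ -0,0 +1,75 @@
+{
+"_meta": {
+"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+"ecs_version": "1.12.2"
+},
+"template": {
+"mappings": {
+"properties": {
+"kibana": {
+"properties": {
+"add_to_spaces": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"authentication_provider": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"authentication_realm": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"authentication_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"delete_from_spaces": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"log": {
+"properties": {
+"meta": {
+"type": "object"
+},
+"state": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"tags": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"lookup_realm": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"saved_object": {
+"properties": {
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"type": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"session_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"space_id": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+}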
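Review bot: `kibana.log.meta` is declared as a bare `"type": "object"` with no `dynamic` setting, so every key that appears under the Kibana log's meta payload is promoted to a new mapped field; since that payload is shaped by whatever Kibana (and the requests it receives) logs, the field count is unbounded and can hit `index.mapping.total_fields.limit`, after which new events are rejected. A safer declaration is `"meta": { "type": "object", "dynamic": false }` if the contents only need to be stored, or `"meta": { "type": "flattened" }` if they must remain searchable. Whether the composed index template already sets `dynamic` at a higher level is not visible in this file and should be checked.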
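--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/logstash.json
@@ -0,0 +1,99 @@
+{
+"_meta": {
+"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+"ecs_version": "1.12.2"
+},
+"template": {
+"mappings": {
+"properties": {
+"logstash": {
+"properties": {
+"log": {
+"properties": {
+"log_event": {
+"properties": {
+"action": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+},
+"type": "object"
+},
+"module": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"pipeline_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"thread": {
+"fields": {
+"text": {
+"norms": false,
+"type": "text"
+}
+},
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"slowlog": {
+"properties": {
+"event": {
+"fields": {
+"text": {
+"norms": false,
+"type": "text"
+}
+},
+"ignore_above": 1024,
+"type": "keyword"
+},
+"module": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"plugin_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"plugin_params": {
+"fields": {
+"text": {
+"norms": false,
+"type": "text"
+}
+},
+"ignore_above": 1024,
+"type": "keyword"
+},
+"plugin_params_object": {
+"type": "object"
+},
+"plugin_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"thread": {
+"fields": {
+"text": {
+"norms": false,
+"type": "text"
+}
+},
+"ignore_above": 1024,
+"type": "keyword"
+},
+"took_in_millis": {
+"type": "long"
+}
+}
+}
+}
+}
+}
+}
+}
+}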
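Review bot: `logstash.slowlog.plugin_params_object` is a bare `"type": "object"`, which leaves dynamic mapping on, so every distinct plugin option name that appears in a slowlog entry becomes a new mapped field; plugin configurations are operator-controlled but open-ended, so the mapping grows without bound and can push the index past its field limit. The sibling `plugin_params` field already holds the same content as a keyword with a `.text` sub-field, so the object form could be `"plugin_params_object": { "type": "object", "dynamic": false }` or `"type": "flattened"` without losing searchability. The same consideration applies to `logstash.log.log_event`, which declares only `action` but is otherwise dynamic.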
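--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/microsoft.json
@@ -0,0 +1,265 @@
+{
+"_meta": {
+"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+"ecs_version": "1.12.2"
+},
+"template": {
+"mappings": {
+"properties": {
+"microsoft": {
+"properties": {
+"defender_atp": {
+"properties": {
+"assignedTo": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"classification": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"determination": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"evidence": {
+"properties": {
+"aadUserId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"accountName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"domainName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"entityType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ipAddress": {
+"type": "ip"
+},
+"userPrincipalName": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"incidentId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"investigationId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"investigationState": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"lastUpdateTime": {
+"type": "date"
+},
+"rbacGroupName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"resolvedTime": {
+"type": "date"
+},
+"status": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"threatFamilyName": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"m365_defender": {
+"properties": {
+"alerts": {
+"properties": {
+"actorName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"assignedTo": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"classification": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"creationTime": {
+"type": "date"
+},
+"detectionSource": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"determination": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"devices": {
+"type": "flattened"
+},
+"entities": {
+"properties": {
+"accountName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"clusterBy": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deliveryAction": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"deviceId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"entityType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ipAddress": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"mailboxAddress": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"mailboxDisplayName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"recipient": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"registryHive": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"registryKey": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"registryValueType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"securityGroupId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"securityGroupName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sender": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"subject": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"incidentId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"investigationId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"investigationState": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"lastUpdatedTime": {
+"type": "date"
+},
+"mitreTechniques": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"resolvedTime": {
+"type": "date"
+},
+"severity": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"status": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"threatFamilyName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"userSid": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"assignedTo": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"classification": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"determination": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"incidentId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"incidentName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"investigationState": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"redirectIncidentId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"status": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"tags": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+}
+}
+}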
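Review bot: `microsoft.defender_atp.evidence.ipAddress` is mapped as `"type": "ip"` with no `ignore_malformed`, so an evidence entry whose address is empty, a hostname, or an IP with a port suffix will fail to parse and the entire Defender alert document is rejected rather than indexed with one bad field — the worst failure mode for a security alert feed. The parallel field `microsoft.m365_defender.alerts.entities.ipAddress` is a plain keyword, so the two products are also mapped inconsistently for the same concept. Suggest `"ipAddress": { "type": "ip", "ignore_malformed": true }` for the Defender ATP evidence field (keeping range queries and CIDR filters), and the same treatment if the M365 field is later upgraded to `ip`.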
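--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/misp.json
@@ -0,0 +1,425 @@
+{
+"_meta": {
+"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+"ecs_version": "1.12.2"
+},
+"template": {
+"mappings": {
+"properties": {
+"misp": {
+"properties": {
+"attack_pattern": {
+"properties": {
+"description": {
+"norms": false,
+"type": "text"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"kill_chain_phases": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"campaign": {
+"properties": {
+"aliases": {
+"norms": false,
+"type": "text"
+},
+"description": {
+"norms": false,
+"type": "text"
+},
+"first_seen": {
+"type": "date"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"last_seen": {
+"type": "date"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"objective": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"course_of_action": {
+"properties": {
+"description": {
+"norms": false,
+"type": "text"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"identity": {
+"properties": {
+"contact_information": {
+"norms": false,
+"type": "text"
+},
+"description": {
+"norms": false,
+"type": "text"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"identity_class": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"labels": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sectors": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"intrusion_set": {
+"properties": {
+"aliases": {
+"norms": false,
+"type": "text"
+},
+"description": {
+"norms": false,
+"type": "text"
+},
+"first_seen": {
+"type": "date"
+},
+"goals": {
+"norms": false,
+"type": "text"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"last_seen": {
+"type": "date"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"primary_motivation": {
+"norms": false,
+"type": "text"
+},
+"resource_level": {
+"norms": false,
+"type": "text"
+},
+"secondary_motivations": {
+"norms": false,
+"type": "text"
+}
+}
+},
+"malware": {
+"properties": {
+"description": {
+"norms": false,
+"type": "text"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"kill_chain_phases": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"labels": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"note": {
+"properties": {
+"authors": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"description": {
+"norms": false,
+"type": "text"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"object_refs": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"summary": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"observed_data": {
+"properties": {
+"first_observed": {
+"type": "date"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"last_observed": {
+"type": "date"
+},
+"number_observed": {
+"type": "long"
+},
+"objects": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"report": {
+"properties": {
+"description": {
+"norms": false,
+"type": "text"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"labels": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"object_refs": {
+"norms": false,
+"type": "text"
+},
+"published": {
+"type": "date"
+}
+}
+},
+"threat_actor": {
+"properties": {
+"aliases": {
+"norms": false,
+"type": "text"
+},
+"description": {
+"norms": false,
+"type": "text"
+},
+"goals": {
+"norms": false,
+"type": "text"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"labels": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"personal_motivations": {
+"norms": false,
+"type": "text"
+},
+"primary_motivation": {
+"norms": false,
+"type": "text"
+},
+"resource_level": {
+"norms": false,
+"type": "text"
+},
+"roles": {
+"norms": false,
+"type": "text"
+},
+"secondary_motivations": {
+"norms": false,
+"type": "text"
+},
+"sophistication": {
+"norms": false,
+"type": "text"
+}
+}
+},
+"threat_indicator": {
+"properties": {
+"attack_pattern": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"attack_pattern_kql": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"campaign": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"confidence": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"description": {
+"norms": false,
+"type": "text"
+},
+"feed": {
+"norms": false,
+"type": "text"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"intrusion_set": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"kill_chain_phases": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"labels": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"mitre_tactic": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"mitre_technique": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"negate": {
+"type": "boolean"
+},
+"severity": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"threat_actor": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"valid_from": {
+"type": "date"
+},
+"valid_until": {
+"type": "date"
+},
+"version": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"tool": {
+"properties": {
+"description": {
+"norms": false,
+"type": "text"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"kill_chain_phases": {
+"norms": false,
+"type": "text"
+},
+"labels": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"tool_version": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"vulnerability": {
+"properties": {
+"description": {
+"norms": false,
+"type": "text"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+}
+}
+}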
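Review bot: `misp.threat_indicator.feed` is mapped as analyzed `text` (as are `threat_actor.aliases`, `threat_actor.roles` and `tool.kill_chain_phases`), which means a detection rule or indicator-match query cannot filter or aggregate on the exact feed name, and the tokenizer will split values such as `abuse.ch/urlhaus` into fragments that match unrelated feeds. Feed, alias and kill-chain values are short identifiers, so `"feed": { "ignore_above": 1024, "type": "keyword" }` (optionally with a `.text` sub-field like the logstash template uses) is the better fit; the same applies to `tool.kill_chain_phases`, which is inconsistent with the keyword-typed `kill_chain_phases` under `attack_pattern`, `malware` and `threat_indicator`. Confirm against the MISP ingest pipeline that these fields receive single values before changing them.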
1423
salt/elasticsearch/templates/component/ecs/netflow.json
Normal file
1423
salt/elasticsearch/templates/component/ecs/netflow.json
Normal file
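--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/o365.json
@@ -0,0 +1,445 @@
+{
+"_meta": {
+"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+"ecs_version": "1.12.2"
+},
+"template": {
+"mappings": {
+"properties": {
+"o365": {
+"properties": {
+"audit": {
+"properties": {
+"AADGroupId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ActorContextId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ActorIpAddress": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ActorUserId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ActorYammerUserId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"AlertEntityId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"AlertId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"AlertType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"AppId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ApplicationDisplayName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ApplicationId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"AzureActiveDirectoryEventType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ClientAppId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ClientIP": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ClientIPAddress": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ClientInfoString": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Comments": {
+"norms": false,
+"type": "text"
+},
+"CommunicationType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"CorrelationId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"CreationTime": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"CustomUniqueId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Data": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"DataType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"DoNotDistributeEvent": {
+"type": "boolean"
+},
+"EntityType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ErrorNumber": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"EventData": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"EventSource": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ExceptionInfo": {
+"properties": {
+"*": {
+"type": "object"
+}
+}
+},
+"ExchangeMetaData": {
+"properties": {
+"*": {
+"type": "object"
+}
+}
+},
+"ExtendedProperties": {
+"properties": {
+"*": {
+"type": "object"
+}
+}
+},
+"ExternalAccess": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"FromApp": {
+"type": "boolean"
+},
+"GroupName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ImplicitShare": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"IncidentId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"InterSystemsId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"InternalLogonType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"IntraSystemId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"IsDocLib": {
+"type": "boolean"
+},
+"Item": {
+"properties": {
+"*": {
+"properties": {
+"*": {
+"type": "object"
+}
+},
+"type": "object"
+}
+}
+},
+"ItemCount": {
+"type": "long"
+},
+"ItemName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ItemType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ListBaseTemplateType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ListBaseType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ListColor": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ListIcon": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ListId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ListItemUniqueId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ListTitle": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"LogonError": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"LogonType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"LogonUserSid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"MailboxGuid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"MailboxOwnerMasterAccountSid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"MailboxOwnerSid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"MailboxOwnerUPN": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Members": {
+"properties": {
+"*": {
+"type": "object"
+}
+}
+},
+"ModifiedProperties": {
+"properties": {
+"*": {
+"properties": {
+"*": {
+"type": "object"
+}
+}
+}
+}
+},
+"Name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ObjectId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Operation": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"OrganizationId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"OrganizationName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"OriginatingServer": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Parameters": {
+"properties": {
+"*": {
+"type": "object"
+}
+}
+},
+"PolicyId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"RecordType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ResultStatus": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"SensitiveInfoDetectionIsIncluded": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"SessionId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Severity": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"SharePointMetaData": {
+"properties": {
+"*": {
+"type": "object"
+}
+}
+},
+"Site": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"SiteUrl": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Source": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"SourceFileExtension": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"SourceFileName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"SourceRelativeUrl": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Status": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"SupportTicketId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"TargetContextId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"TargetUserOrGroupName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"TargetUserOrGroupType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"TeamGuid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"TeamName": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"TemplateTypeId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"UniqueSharingId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"UserAgent": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"UserId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"UserKey": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"UserType": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Version": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"WebId": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Workload": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"YammerNetworkId": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+}
+}
+}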
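Review bot: `ActorIpAddress`, `ClientIP` and `ClientIPAddress` under `o365.audit` are mapped as `keyword`, so CIDR and range queries against them are not possible, whereas the okta template added in this same commit maps `client.ip` and `event_ip` as `ip`. If the upstream O365 values in these fields are always bare addresses, `"type": "ip"` would serve hunting better; if they can carry a port suffix or other non-address text, the keyword mapping is the safe choice and a one-line `_meta` entry recording that decision would spare the next reviewer the same question. `CreationTime` is likewise a `keyword` rather than `date`, which rules out time-range filtering on it. The `"*": {"type": "object"}` sub-mappings (ExceptionInfo, ExchangeMetaData, ExtendedProperties, Members, Parameters, SharePointMetaData) hand those objects to dynamic mapping; `flattened`, as used for `target` in okta.json and several snyk fields here, would bound field growth for free-form data.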
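--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/okta.json
@@ -0,0 +1,293 @@
+{
+"_meta": {
+"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+"ecs_version": "1.12.2"
+},
+"template": {
+"mappings": {
+"properties": {
+"okta": {
+"properties": {
+"actor": {
+"properties": {
+"alternate_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"display_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"type": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"authentication_context": {
+"properties": {
+"authentication_provider": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"authentication_step": {
+"type": "long"
+},
+"credential_provider": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"credential_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"external_session_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"interface": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"client": {
+"properties": {
+"device": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ip": {
+"type": "ip"
+},
+"user_agent": {
+"properties": {
+"browser": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"os": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"raw_user_agent": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"zone": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"debug_context": {
+"properties": {
+"debug_data": {
+"properties": {
+"device_fingerprint": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"request_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"request_uri": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"suspicious_activity": {
+"properties": {
+"browser": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"event_city": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"event_country": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"event_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"event_ip": {
+"type": "ip"
+},
+"event_latitude": {
+"type": "float"
+},
+"event_longitude": {
+"type": "float"
+},
+"event_state": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"event_transaction_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"event_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"os": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"timestamp": {
+"type": "date"
+}
+}
+},
+"threat_suspected": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"url": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+},
+"display_message": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"event_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"outcome": {
+"properties": {
+"reason": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"result": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"request": {
+"properties": {
+"ip_chain": {
+"properties": {
+"geographical_context": {
+"properties": {
+"city": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"country": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"geolocation": {
+"type": "geo_point"
+},
+"postal_code": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"state": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"ip": {
+"type": "ip"
+},
+"source": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"version": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+},
+"security_context": {
+"properties": {
+"as": {
+"properties": {
+"number": {
+"type": "long"
+},
+"organization": {
+"properties": {
+"name": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+},
+"domain": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"is_proxy": {
+"type": "boolean"
+},
+"isp": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"severity": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"target": {
+"type": "flattened"
+},
+"transaction": {
+"properties": {
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"type": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"uuid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"version": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+}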
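Review bot: `debug_context.debug_data.request_uri`, `debug_context.debug_data.url` and `client.user_agent.raw_user_agent` carry `ignore_above: 1024`, so a value longer than 1024 characters stays in `_source` but is not indexed and will never match a query on that field; URLs and user-agent strings exceed that length more readily than the identifier fields the same default is applied to, and any detection keyed on them would miss those events silently. If these three are expected to be searched, a larger `ignore_above` on just them, or a `text` sub-field, would close the gap; if the limit is intentional, a line in the commit description noting the trade-off would help maintainers.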
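--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/redis.json
@@ -0,0 +1,50 @@
+{
+"_meta": {
+"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+"ecs_version": "1.12.2"
+},
+"template": {
+"mappings": {
+"properties": {
+"redis": {
+"properties": {
+"log": {
+"properties": {
+"role": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"slowlog": {
+"properties": {
+"args": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"cmd": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"duration": {
+"properties": {
+"us": {
+"type": "long"
+}
+}
+},
+"id": {
+"type": "long"
+},
+"key": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+}
+}
+}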
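--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/snyk.json
@@ -0,0 +1,149 @@
+{
+"_meta": {
+"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+"ecs_version": "1.12.2"
+},
+"template": {
+"mappings": {
+"properties": {
+"snyk": {
+"properties": {
+"audit": {
+"properties": {
+"content": {
+"type": "flattened"
+},
+"org_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"project_id": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"projects": {
+"type": "flattened"
+},
+"related": {
+"properties": {
+"projects": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"vulnerabilities": {
+"properties": {
+"credit": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"cvss3": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"disclosure_time": {
+"type": "date"
+},
+"exploit_maturity": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"identifiers": {
+"properties": {
+"alternative": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"cwe": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+},
+"introduced_date": {
+"type": "date"
+},
+"is_fixed": {
+"type": "boolean"
+},
+"is_ignored": {
+"type": "boolean"
+},
+"is_patchable": {
+"type": "boolean"
+},
+"is_patched": {
+"type": "boolean"
+},
+"is_pinnable": {
+"type": "boolean"
+},
+"is_upgradable": {
+"type": "boolean"
+},
+"jira_issue_url": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"language": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"original_severity": {
+"type": "long"
+},
+"package": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"package_manager": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"patches": {
+"type": "flattened"
+},
+"priority_score": {
+"type": "long"
+},
+"publication_time": {
+"type": "date"
+},
+"reachability": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"semver": {
+"type": "flattened"
+},
+"title": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"unique_severities_list": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"version": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+}
+}
+}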
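--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/sophos.json
@@ -0,0 +1,722 @@
+{
+"_meta": {
+"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+"ecs_version": "1.12.2"
+},
+"template": {
+"mappings": {
+"properties": {
+"sophos": {
+"properties": {
+"xg": {
+"properties": {
+"Configuration": {
+"type": "float"
+},
+"Mode": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"PHPSESSID": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Reports": {
+"type": "float"
+},
+"Signature": {
+"type": "float"
+},
+"SysLog_SERVER_NAME": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"Temp": {
+"type": "float"
+},
+"action": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"activityname": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ap": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"app_is_cloud": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"appfilter_policy_id": {
+"type": "long"
+},
+"application": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"application_category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"application_filter_policy": {
+"type": "long"
+},
+"application_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"application_risk": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"application_technology": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"appresolvedby": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"auth_client": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"auth_mechanism": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"av_policy_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"backup_mode": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"branch_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"category_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"classification": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"client_host_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"client_physical_address": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"clients_conn_ssid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"collisions": {
+"type": "long"
+},
+"con_id": {
+"type": "long"
+},
+"conn_id": {
+"type": "long"
+},
+"connectionname": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"connectiontype": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"connevent": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"connid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"contenttype": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"context_match": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"context_prefix": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"context_suffix": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"cookie": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"date": {
+"type": "date"
+},
+"destinationip": {
+"type": "ip"
+},
+"device": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"device_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"device_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"dictionary_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"dir_disp": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"direction": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"domainname": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"download_file_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"download_file_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"dst_country_code": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"dst_domainname": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"dst_ip": {
+"type": "ip"
+},
+"dst_port": {
+"type": "long"
+},
+"dstdomain": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"dstzone": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"dstzonetype": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"duration": {
+"type": "long"
+},
+"email_subject": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ep_uuid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"eventid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"eventtime": {
+"type": "date"
+},
+"eventtype": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"exceptions": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"execution_path": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"extra": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"file_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"file_path": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"file_size": {
+"type": "long"
+},
+"filename": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"filepath": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"filesize": {
+"type": "long"
+},
+"free": {
+"type": "long"
+},
+"from_email_address": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ftp_direction": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ftp_url": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ftpcommand": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"fw_rule_id": {
+"type": "long"
+},
+"hb_health": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"host": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"httpresponsecode": {
+"type": "long"
+},
+"iap": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"icmp_code": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"icmp_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"idle_cpu": {
+"type": "float"
+},
+"idp_policy_id": {
+"type": "long"
+},
+"idp_policy_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"in_interface": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"interface": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ipaddress": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ips_policy_id": {
+"type": "long"
+},
+"localgateway": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"localnetwork": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"log_component": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"log_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"log_subtype": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"log_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"login_user": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"mailid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"mailsize": {
+"type": "long"
+},
+"message": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"message_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"newversion": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"oldversion": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"out_interface": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"override_authorizer": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"override_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"override_token": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"platform": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"policy_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"priority": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"protocol": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"quarantine": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"quarantine_reason": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"querystring": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"raw_data": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"reason": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"received_pkts": {
+"type": "long"
+},
+"receiveddrops": {
+"type": "long"
+},
+"receivederrors": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"receivedkbits": {
+"type": "long"
+},
+"recv_bytes": {
+"type": "long"
+},
+"red_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"referer": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"remote_ip": {
+"type": "ip"
+},
+"remotenetwork": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"responsetime": {
+"type": "long"
+},
+"rule_priority": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sent_bytes": {
+"type": "long"
+},
+"sent_pkts": {
+"type": "long"
+},
+"server": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sessionid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sha1sum": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"signature_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"signature_msg": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"site_category": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"source": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sourceip": {
+"type": "ip"
+},
+"spamaction": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"sqli": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"src_country_code": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"src_domainname": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"src_ip": {
+"type": "ip"
+},
+"src_mac": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"src_port": {
+"type": "long"
+},
+"srczone": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"srczonetype": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"ssid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"start_time": {
+"type": "date"
+},
+"starttime": {
+"type": "date"
+},
+"status": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"status_code": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"subject": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"system_cpu": {
+"type": "float"
+},
+"target": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"threatname": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"timestamp": {
+"type": "date"
+},
+"timezone": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"to_email_address": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"total_memory": {
+"type": "long"
+},
+"trans_dst_ip": {
+"type": "ip"
+},
+"trans_dst_port": {
+"type": "long"
+},
+"trans_src_ip": {
+"type": "ip"
+},
+"trans_src_port": {
+"type": "long"
+},
+"transaction_id": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"transactionid": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"transmitteddrops": {
+"type": "long"
+},
+"transmittederrors": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"transmittedkbits": {
+"type": "long"
+},
+"unit": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"updatedip": {
+"type": "ip"
+},
+"upload_file_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"upload_file_type": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"url": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"used": {
+"type": "long"
+},
+"user": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"user_cpu": {
+"type": "float"
+},
+"user_gp": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"user_group": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"user_name": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"users": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"vconn_id": {
+"type": "long"
+},
+"virus": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"website": {
+"ignore_above": 1024,
+"type": "keyword"
+},
+"xss": {
+"ignore_above": 1024,
+"type": "keyword"
+}
+}
+}
+}
+}
+}
+}
+}
+}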
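Review bot: `PHPSESSID`, `cookie`, `override_token` and `sessionid` under `sophos.xg` are indexed as searchable `keyword` fields, so if the Sophos XG syslog feed carries live session cookies or override tokens, those secrets become queryable by anyone with read access to the index rather than being confined to `_source`. Whether the feed actually includes the raw values cannot be told from the mapping alone; if it does, dropping or hashing them in the ingest pipeline and mapping only the digest would be the safer design, and if it does not, a short `_meta` entry saying so would save the next reviewer the question. Separately, `httpresponsecode` is `long` while `status_code`, `icmp_code` and `icmp_type` are `keyword`, and `ipaddress` is `keyword` while the other address fields (`src_ip`, `dst_ip`, `remote_ip`, `updatedip`) use `ip`; aligning those types would make numeric-range and CIDR queries behave consistently across the template.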
850
salt/elasticsearch/templates/component/ecs/suricata.json
Normal file
850
salt/elasticsearch/templates/component/ecs/suricata.json
Normal file
@@ -0,0 +1,850 @@
|
||||
{
|
||||
"_meta": {
|
||||
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
|
||||
"ecs_version": "1.12.2"
|
||||
},
|
||||
"template": {
|
||||
"mappings": {
|
||||
"properties": {
|
||||
"suricata": {
|
||||
"properties": {
|
||||
"eve": {
|
||||
"properties": {
|
||||
"alert": {
|
||||
"properties": {
|
||||
"affected_product": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"attack_target": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"capec_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"category": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"classtype": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"created_at": {
|
||||
"type": "date"
|
||||
},
|
||||
"cve": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"cvss_v2_base": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"cvss_v2_temporal": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"cvss_v3_base": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"cvss_v3_temporal": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"cwe_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"deployment": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"former_category": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"gid": {
|
||||
"type": "long"
|
||||
},
|
||||
"hostile": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"infected": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"malware": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"metadata": {
|
||||
"type": "flattened"
|
||||
},
|
||||
"mitre_tool_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"performance_impact": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"priority": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"protocols": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"rev": {
|
||||
"type": "long"
|
||||
},
|
||||
"rule_source": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"sid": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"signature": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"signature_id": {
|
||||
"type": "long"
|
||||
},
|
||||
"signature_severity": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"tag": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"updated_at": {
|
||||
"type": "date"
|
||||
}
|
||||
}
|
||||
},
|
||||
"app_proto_expected": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"app_proto_orig": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"app_proto_tc": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"app_proto_ts": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"dns": {
|
||||
"properties": {
|
||||
"id": {
|
||||
"type": "long"
|
||||
},
|
||||
"rcode": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"rdata": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"rrname": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"rrtype": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"ttl": {
|
||||
"type": "long"
|
||||
},
|
||||
"tx_id": {
|
||||
"type": "long"
|
||||
},
|
||||
"type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
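Review bot: `suricata.eve.dns.rdata` is mapped as `keyword` with `"ignore_above": 1024`, which means any answer longer than 1024 characters is retained in `_source` but never indexed, so a term search or aggregation on that field silently matches nothing; oversized TXT answers are exactly what DNS-tunnelling and C2 detections key on, so this one field deserves a larger limit, e.g. `"ignore_above": 4096`, or at least a note in `_meta` that long answers are not searchable. The same caveat applies to `http.redirect`, `tls.subject` and `tls.issuerdn`, though those rarely approach the limit. Separately, `alert.sid` is a `keyword` while `alert.signature_id`, `alert.gid` and `alert.rev` are `long`; if `sid` carries the same numeric rule id (the hunk does not show where it comes from), range queries and correlation against `signature_id` behave differently between the two, so either map it as `long` too or add a comment explaining why it is a string.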
"email": {
|
||||
"properties": {
|
||||
"status": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"event_type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"fileinfo": {
|
||||
"properties": {
|
||||
"gaps": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"md5": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"sha1": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"sha256": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"state": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"stored": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"tx_id": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"flow": {
|
||||
"properties": {
|
||||
"age": {
|
||||
"type": "long"
|
||||
},
|
||||
"alerted": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"reason": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"state": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"flow_id": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"http": {
|
||||
"properties": {
|
||||
"http_content_type": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"protocol": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"redirect": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"icmp_code": {
|
||||
"type": "long"
|
||||
},
|
||||
"icmp_type": {
|
||||
"type": "long"
|
||||
},
|
||||
"in_iface": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"pcap_cnt": {
|
||||
"type": "long"
|
||||
},
|
||||
"smtp": {
|
||||
"properties": {
|
||||
"helo": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"mail_from": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"rcpt_to": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"ssh": {
|
||||
"properties": {
|
||||
"client": {
|
||||
"properties": {
|
||||
"proto_version": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"software_version": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"server": {
|
||||
"properties": {
|
||||
"proto_version": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"software_version": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"stats": {
|
||||
"properties": {
|
||||
"app_layer": {
|
||||
"properties": {
|
||||
"flow": {
|
||||
"properties": {
|
||||
"dcerpc_tcp": {
|
||||
"type": "long"
|
||||
},
|
||||
"dcerpc_udp": {
|
||||
"type": "long"
|
||||
},
|
||||
"dns_tcp": {
|
||||
"type": "long"
|
||||
},
|
||||
"dns_udp": {
|
||||
"type": "long"
|
||||
},
|
||||
"failed_tcp": {
|
||||
"type": "long"
|
||||
},
|
||||
"failed_udp": {
|
||||
"type": "long"
|
||||
},
|
||||
"ftp": {
|
||||
"type": "long"
|
||||
},
|
||||
"http": {
|
||||
"type": "long"
|
||||
},
|
||||
"imap": {
|
||||
"type": "long"
|
||||
},
|
||||
"msn": {
|
||||
"type": "long"
|
||||
},
|
||||
"smb": {
|
||||
"type": "long"
|
||||
},
|
||||
"smtp": {
|
||||
"type": "long"
|
||||
},
|
||||
"ssh": {
|
||||
"type": "long"
|
||||
},
|
||||
"tls": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"tx": {
|
||||
"properties": {
|
||||
"dcerpc_tcp": {
|
||||
"type": "long"
|
||||
},
|
||||
"dcerpc_udp": {
|
||||
"type": "long"
|
||||
},
|
||||
"dns_tcp": {
|
||||
"type": "long"
|
||||
},
|
||||
"dns_udp": {
|
||||
"type": "long"
|
||||
},
|
||||
"ftp": {
|
||||
"type": "long"
|
||||
},
|
||||
"http": {
|
||||
"type": "long"
|
||||
},
|
||||
"smb": {
|
||||
"type": "long"
|
||||
},
|
||||
"smtp": {
|
||||
"type": "long"
|
||||
},
|
||||
"ssh": {
|
||||
"type": "long"
|
||||
},
|
||||
"tls": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"capture": {
|
||||
"properties": {
|
||||
"kernel_drops": {
|
||||
"type": "long"
|
||||
},
|
||||
"kernel_ifdrops": {
|
||||
"type": "long"
|
||||
},
|
||||
"kernel_packets": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"decoder": {
|
||||
"properties": {
|
||||
"avg_pkt_size": {
|
||||
"type": "long"
|
||||
},
|
||||
"bytes": {
|
||||
"type": "long"
|
||||
},
|
||||
"dce": {
|
||||
"properties": {
|
||||
"pkt_too_small": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"erspan": {
|
||||
"type": "long"
|
||||
},
|
||||
"ethernet": {
|
||||
"type": "long"
|
||||
},
|
||||
"gre": {
|
||||
"type": "long"
|
||||
},
|
||||
"icmpv4": {
|
||||
"type": "long"
|
||||
},
|
||||
"icmpv6": {
|
||||
"type": "long"
|
||||
},
|
||||
"ieee8021ah": {
|
||||
"type": "long"
|
||||
},
|
||||
"invalid": {
|
||||
"type": "long"
|
||||
},
|
||||
"ipraw": {
|
||||
"properties": {
|
||||
"invalid_ip_version": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"ipv4": {
|
||||
"type": "long"
|
||||
},
|
||||
"ipv4_in_ipv6": {
|
||||
"type": "long"
|
||||
},
|
||||
"ipv6": {
|
||||
"type": "long"
|
||||
},
|
||||
"ipv6_in_ipv6": {
|
||||
"type": "long"
|
||||
},
|
||||
"ltnull": {
|
||||
"properties": {
|
||||
"pkt_too_small": {
|
||||
"type": "long"
|
||||
},
|
||||
"unsupported_type": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"max_pkt_size": {
|
||||
"type": "long"
|
||||
},
|
||||
"mpls": {
|
||||
"type": "long"
|
||||
},
|
||||
"null": {
|
||||
"type": "long"
|
||||
},
|
||||
"pkts": {
|
||||
"type": "long"
|
||||
},
|
||||
"ppp": {
|
||||
"type": "long"
|
||||
},
|
||||
"pppoe": {
|
||||
"type": "long"
|
||||
},
|
||||
"raw": {
|
||||
"type": "long"
|
||||
},
|
||||
"sctp": {
|
||||
"type": "long"
|
||||
},
|
||||
"sll": {
|
||||
"type": "long"
|
||||
},
|
||||
"tcp": {
|
||||
"type": "long"
|
||||
},
|
||||
"teredo": {
|
||||
"type": "long"
|
||||
},
|
||||
"udp": {
|
||||
"type": "long"
|
||||
},
|
||||
"vlan": {
|
||||
"type": "long"
|
||||
},
|
||||
"vlan_qinq": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"defrag": {
|
||||
"properties": {
|
||||
"ipv4": {
|
||||
"properties": {
|
||||
"fragments": {
|
||||
"type": "long"
|
||||
},
|
||||
"reassembled": {
|
||||
"type": "long"
|
||||
},
|
||||
"timeouts": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"ipv6": {
|
||||
"properties": {
|
||||
"fragments": {
|
||||
"type": "long"
|
||||
},
|
||||
"reassembled": {
|
||||
"type": "long"
|
||||
},
|
||||
"timeouts": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"max_frag_hits": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"detect": {
|
||||
"properties": {
|
||||
"alert": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"dns": {
|
||||
"properties": {
|
||||
"memcap_global": {
|
||||
"type": "long"
|
||||
},
|
||||
"memcap_state": {
|
||||
"type": "long"
|
||||
},
|
||||
"memuse": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"file_store": {
|
||||
"properties": {
|
||||
"open_files": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"flow": {
|
||||
"properties": {
|
||||
"emerg_mode_entered": {
|
||||
"type": "long"
|
||||
},
|
||||
"emerg_mode_over": {
|
||||
"type": "long"
|
||||
},
|
||||
"icmpv4": {
|
||||
"type": "long"
|
||||
},
|
||||
"icmpv6": {
|
||||
"type": "long"
|
||||
},
|
||||
"memcap": {
|
||||
"type": "long"
|
||||
},
|
||||
"memuse": {
|
||||
"type": "long"
|
||||
},
|
||||
"spare": {
|
||||
"type": "long"
|
||||
},
|
||||
"tcp": {
|
||||
"type": "long"
|
||||
},
|
||||
"tcp_reuse": {
|
||||
"type": "long"
|
||||
},
|
||||
"udp": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"flow_mgr": {
|
||||
"properties": {
|
||||
"bypassed_pruned": {
|
||||
"type": "long"
|
||||
},
|
||||
"closed_pruned": {
|
||||
"type": "long"
|
||||
},
|
||||
"est_pruned": {
|
||||
"type": "long"
|
||||
},
|
||||
"flows_checked": {
|
||||
"type": "long"
|
||||
},
|
||||
"flows_notimeout": {
|
||||
"type": "long"
|
||||
},
|
||||
"flows_removed": {
|
||||
"type": "long"
|
||||
},
|
||||
"flows_timeout": {
|
||||
"type": "long"
|
||||
},
|
||||
"flows_timeout_inuse": {
|
||||
"type": "long"
|
||||
},
|
||||
"new_pruned": {
|
||||
"type": "long"
|
||||
},
|
||||
"rows_busy": {
|
||||
"type": "long"
|
||||
},
|
||||
"rows_checked": {
|
||||
"type": "long"
|
||||
},
|
||||
"rows_empty": {
|
||||
"type": "long"
|
||||
},
|
||||
"rows_maxlen": {
|
||||
"type": "long"
|
||||
},
|
||||
"rows_skipped": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"http": {
|
||||
"properties": {
|
||||
"memcap": {
|
||||
"type": "long"
|
||||
},
|
||||
"memuse": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"tcp": {
|
||||
"properties": {
|
||||
"insert_data_normal_fail": {
|
||||
"type": "long"
|
||||
},
|
||||
"insert_data_overlap_fail": {
|
||||
"type": "long"
|
||||
},
|
||||
"insert_list_fail": {
|
||||
"type": "long"
|
||||
},
|
||||
"invalid_checksum": {
|
||||
"type": "long"
|
||||
},
|
||||
"memuse": {
|
||||
"type": "long"
|
||||
},
|
||||
"no_flow": {
|
||||
"type": "long"
|
||||
},
|
||||
"overlap": {
|
||||
"type": "long"
|
||||
},
|
||||
"overlap_diff_data": {
|
||||
"type": "long"
|
||||
},
|
||||
"pseudo": {
|
||||
"type": "long"
|
||||
},
|
||||
"pseudo_failed": {
|
||||
"type": "long"
|
||||
},
|
||||
"reassembly_gap": {
|
||||
"type": "long"
|
||||
},
|
||||
"reassembly_memuse": {
|
||||
"type": "long"
|
||||
},
|
||||
"rst": {
|
||||
"type": "long"
|
||||
},
|
||||
"segment_memcap_drop": {
|
||||
"type": "long"
|
||||
},
|
||||
"sessions": {
|
||||
"type": "long"
|
||||
},
|
||||
"ssn_memcap_drop": {
|
||||
"type": "long"
|
||||
},
|
||||
"stream_depth_reached": {
|
||||
"type": "long"
|
||||
},
|
||||
"syn": {
|
||||
"type": "long"
|
||||
},
|
||||
"synack": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"uptime": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
},
|
||||
"tcp": {
|
||||
"properties": {
|
||||
"ack": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"fin": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"psh": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"rst": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"state": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"syn": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"tcp_flags": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"tcp_flags_tc": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"tcp_flags_ts": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"tls": {
|
||||
"properties": {
|
||||
"fingerprint": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"issuerdn": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"ja3": {
|
||||
"properties": {
|
||||
"hash": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"string": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"ja3s": {
|
||||
"properties": {
|
||||
"hash": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"string": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"notafter": {
|
||||
"type": "date"
|
||||
},
|
||||
"notbefore": {
|
||||
"type": "date"
|
||||
},
|
||||
"serial": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"session_resumed": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"sni": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"subject": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"version": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"tx_id": {
|
||||
"type": "long"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
30
salt/elasticsearch/templates/component/ecs/syslog.json
Normal file
30
salt/elasticsearch/templates/component/ecs/syslog.json
Normal file
@@ -0,0 +1,30 @@
|
||||
{
|
||||
"_meta": {
|
||||
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
|
||||
"ecs_version": "1.12.2"
|
||||
},
|
||||
"template": {
|
||||
"mappings": {
|
||||
"properties": {
|
||||
"syslog": {
|
||||
"properties": {
|
||||
"facility": {
|
||||
"type": "long"
|
||||
},
|
||||
"facility_label": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"priority": {
|
||||
"type": "long"
|
||||
},
|
||||
"severity_label": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
2279
salt/elasticsearch/templates/component/ecs/zeek.json
Normal file
File diff suppressed because it is too large
@@ -30,7 +30,12 @@
|
||||
"type": "keyword"
|
||||
},
|
||||
"created": {
|
||||
"type": "date"
|
||||
"type": "date",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"dataset": {
|
||||
"ignore_above": 1024,
|
||||
@@ -56,7 +61,12 @@
|
||||
"type": "keyword"
|
||||
},
|
||||
"ingested": {
|
||||
"type": "date"
|
||||
"type": "date",
|
||||
"fields": {
|
||||
"keyword": {
|
||||
"type": "keyword"
|
||||
}
|
||||
}
|
||||
},
|
||||
"kind": {
|
||||
"ignore_above": 1024,
|
||||
|
||||
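Review bot: The new `keyword` sub-field added under `created` (and identically under `ingested`) is the only keyword visible in these hunks without `ignore_above`; the neighbouring `dataset` and `kind` fields both carry `"ignore_above": 1024`, so for consistency with the rest of the template the sub-field should read `"keyword": { "type": "keyword", "ignore_above": 1024 }`. Note also that a multi-field on a `date` does not change parsing: a value the `date` mapper cannot parse still rejects the whole document before the sub-field is populated, so if the motivation is to keep unparsable timestamps searchable that needs `ignore_malformed` on the parent field rather than a sub-field — the commit message does not say what drives the change, so treat this as a question. The file header for this section is not visible; from the field names (`created`, `dataset`, `ingested`, `kind`) it appears to be the ECS `event` component.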
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-aws:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-aws:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-aws:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-aws:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-aws*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-azure:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-azure:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-azure:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-azure:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-azure*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-barracuda*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,105 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-beats:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-beats:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-beats:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-beats:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-beats*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings",
|
||||
"winlog-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-bluecoat*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,53 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-case:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-case:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-case:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-case:field_limit', 2000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-case*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"case-mappings",
|
||||
"case-settings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes Cases fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cef:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cef:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cef:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cef:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-cef*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-checkpoint*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,105 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cisco:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cisco:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cisco:field_limit', 3000) %}
|
||||
{
|
||||
"index_templates": [
|
||||
{
|
||||
"so-cisco*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,105 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-common:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-common:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-common:priority', 1) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-common:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"sort.field": "@timestamp",
|
||||
"sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"so-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-cyberark*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cylance:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cylance:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cylance:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-cylance*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-elasticsearch*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,105 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-endgame:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-endgame:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-endgame:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"endgame*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"endgame-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-f5:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-f5:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-f5:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-f5:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-f5*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-firewall:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-firewall:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-firewall:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-firewall*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
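--- a/PATH-NOT-SHOWN-ON-PAGE (so-flow template)
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-flow:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-flow:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-flow:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-flow:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-flow*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}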
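--- a/PATH-NOT-SHOWN-ON-PAGE (so-fortinet template)
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-fortinet*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}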
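--- a/PATH-NOT-SHOWN-ON-PAGE (so-gcp template)
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-gcp:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-gcp:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-gcp:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-gcp*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}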
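--- a/PATH-NOT-SHOWN-ON-PAGE (so-google_workspace template)
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-google_workspace*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}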
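--- a/PATH-NOT-SHOWN-ON-PAGE (so-ids template)
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ids:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ids:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-ids:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-ids:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-ids*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}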
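--- a/PATH-NOT-SHOWN-ON-PAGE (so-imperva template)
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-imperva:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-imperva:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-imperva:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-imperva*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}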
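--- a/PATH-NOT-SHOWN-ON-PAGE (so-import template)
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-import:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-import:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-import:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-import:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-import*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}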
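--- a/PATH-NOT-SHOWN-ON-PAGE (so-infoblox template)
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-infoblox*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}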
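--- a/PATH-NOT-SHOWN-ON-PAGE (so-juniper template)
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-juniper:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-juniper:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-juniper:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-juniper*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}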
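--- a/PATH-NOT-SHOWN-ON-PAGE (so-kibana template)
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-kibana:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-kibana:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-kibana:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-kibana*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}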
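--- a/PATH_NOT_SHOWN_so-logstash-template
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-logstash:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-logstash:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-logstash:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-logstash*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}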
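--- a/PATH_NOT_SHOWN_so-microsoft-template
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-microsoft*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}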
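--- a/PATH_NOT_SHOWN_so-misp-template
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-misp:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-misp:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-misp:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-misp:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-misp*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}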
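--- a/PATH_NOT_SHOWN_so-netflow-template
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netflow:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-netflow:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-netflow:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-netflow*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}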
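--- a/PATH_NOT_SHOWN_so-netscout-template
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netscout:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-netscout:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-netscout:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-netscout*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}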
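--- a/PATH_NOT_SHOWN_so-o365-template
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-o365:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-o365:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-o365:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-o365:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-o365*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}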
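--- a/PATH_NOT_SHOWN_so-okta-template
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-okta:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-okta:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-okta:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-okta:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-okta*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}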
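--- a/PATH_NOT_SHOWN_so-osquery-template
+++ /dev/null
@@ -1,105 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-osquery:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-osquery:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-osquery:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-osquery*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings",
-"winlog-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}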
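--- a/PATH_NOT_SHOWN_so-ossec-template
+++ /dev/null
@@ -1,105 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ossec:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-ossec:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-ossec:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-ossec*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings",
-"winlog-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}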
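--- a/PATH_NOT_SHOWN_so-proofpoint-template
+++ /dev/null
@@ -1,104 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:shards', 1) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:refresh', '30s') %}
-{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:priority', 500) %}
-{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:field_limit', 3000) %}
-{
-"index_patterns": [
-"so-proofpoint*"
-],
-"template": {
-"mappings": {
-"dynamic_templates": [
-{
-"strings_as_keyword": {
-"mapping": {
-"ignore_above": 1024,
-"type": "keyword"
-},
-"match_mapping_type": "string"
-}
-}
-],
-"date_detection": false
-},
-"settings": {
-"index": {
-"mapping": {
-"total_fields": {
-"limit": {{ FIELD_LIMIT }}
-}
-},
-{%- if INDEX_SORTING is sameas true %}
-"index.sort.field": "@timestamp",
-"index.sort.order": "desc",
-{%- endif %}
-"refresh_interval": "{{ REFRESH }}",
-"number_of_shards": {{ SHARDS }},
-"number_of_replicas": {{ REPLICAS }}
-}
-}
-},
-"composed_of": [
-"agent-mappings",
-"dtc-agent-mappings",
-"base-mappings",
-"dtc-base-mappings",
-"client-mappings",
-"cloud-mappings",
-"container-mappings",
-"data_stream-mappings",
-"destination-mappings",
-"dll-mappings",
-"dns-mappings",
-"dtc-dns-mappings",
-"ecs-mappings",
-"dtc-ecs-mappings",
-"error-mappings",
-"event-mappings",
-"dtc-event-mappings",
-"file-mappings",
-"dtc-file-mappings",
-"group-mappings",
-"host-mappings",
-"dtc-host-mappings",
-"http-mappings",
-"dtc-http-mappings",
-"log-mappings",
-"network-mappings",
-"dtc-network-mappings",
-"observer-mappings",
-"dtc-observer-mappings",
-"orchestrator-mappings",
-"organization-mappings",
-"package-mappings",
-"process-mappings",
-"dtc-process-mappings",
-"registry-mappings",
-"related-mappings",
-"rule-mappings",
-"dtc-rule-mappings",
-"server-mappings",
-"service-mappings",
-"dtc-service-mappings",
-"source-mappings",
-"threat-mappings",
-"tls-mappings",
-"tracing-mappings",
-"url-mappings",
-"user_agent-mappings",
-"dtc-user_agent-mappings",
-"user-mappings",
-"dtc-user-mappings",
-"vulnerability-mappings",
-"common-settings",
-"common-dynamic-mappings"
-],
-"priority": {{ PRIORITY }},
-"_meta": {
-"description": "Composable template that includes SO base fields",
-"ecs_version": "1.12"
-}
-}
-}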
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-radware:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-radware:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-radware:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-radware:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-radware*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-redis:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-redis:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-redis:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-redis:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-redis*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snort:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snort:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-snort:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-snort:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-snort*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snyk:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-snyk:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-snyk:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-snyk*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
i%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-sonicwall*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sophos:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-sophos:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-sophos:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-sophos*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-squid:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-squid:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-squid:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-squid:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-squid*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,105 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-strelka:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-strelka:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-strelka:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-strelka*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"so-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-syslog:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-syslog:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-syslog:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-syslog*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-tomcat*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-zeek:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-zeek:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-zeek*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,104 +0,0 @@
|
||||
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
|
||||
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
|
||||
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:shards', 1) %}
|
||||
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:refresh', '30s') %}
|
||||
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:priority', 500) %}
|
||||
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:field_limit', 3000) %}
|
||||
{
|
||||
"index_patterns": [
|
||||
"so-zscaler*"
|
||||
],
|
||||
"template": {
|
||||
"mappings": {
|
||||
"dynamic_templates": [
|
||||
{
|
||||
"strings_as_keyword": {
|
||||
"mapping": {
|
||||
"ignore_above": 1024,
|
||||
"type": "keyword"
|
||||
},
|
||||
"match_mapping_type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"date_detection": false
|
||||
},
|
||||
"settings": {
|
||||
"index": {
|
||||
"mapping": {
|
||||
"total_fields": {
|
||||
"limit": {{ FIELD_LIMIT }}
|
||||
}
|
||||
},
|
||||
{%- if INDEX_SORTING is sameas true %}
|
||||
"index.sort.field": "@timestamp",
|
||||
"index.sort.order": "desc",
|
||||
{%- endif %}
|
||||
"refresh_interval": "{{ REFRESH }}",
|
||||
"number_of_shards": {{ SHARDS }},
|
||||
"number_of_replicas": {{ REPLICAS }}
|
||||
}
|
||||
}
|
||||
},
|
||||
"composed_of": [
|
||||
"agent-mappings",
|
||||
"dtc-agent-mappings",
|
||||
"base-mappings",
|
||||
"dtc-base-mappings",
|
||||
"client-mappings",
|
||||
"cloud-mappings",
|
||||
"container-mappings",
|
||||
"data_stream-mappings",
|
||||
"destination-mappings",
|
||||
"dll-mappings",
|
||||
"dns-mappings",
|
||||
"dtc-dns-mappings",
|
||||
"ecs-mappings",
|
||||
"dtc-ecs-mappings",
|
||||
"error-mappings",
|
||||
"event-mappings",
|
||||
"dtc-event-mappings",
|
||||
"file-mappings",
|
||||
"dtc-file-mappings",
|
||||
"group-mappings",
|
||||
"host-mappings",
|
||||
"dtc-host-mappings",
|
||||
"http-mappings",
|
||||
"dtc-http-mappings",
|
||||
"log-mappings",
|
||||
"network-mappings",
|
||||
"dtc-network-mappings",
|
||||
"observer-mappings",
|
||||
"dtc-observer-mappings",
|
||||
"orchestrator-mappings",
|
||||
"organization-mappings",
|
||||
"package-mappings",
|
||||
"process-mappings",
|
||||
"dtc-process-mappings",
|
||||
"registry-mappings",
|
||||
"related-mappings",
|
||||
"rule-mappings",
|
||||
"dtc-rule-mappings",
|
||||
"server-mappings",
|
||||
"service-mappings",
|
||||
"dtc-service-mappings",
|
||||
"source-mappings",
|
||||
"threat-mappings",
|
||||
"tls-mappings",
|
||||
"tracing-mappings",
|
||||
"url-mappings",
|
||||
"user_agent-mappings",
|
||||
"dtc-user_agent-mappings",
|
||||
"user-mappings",
|
||||
"dtc-user-mappings",
|
||||
"vulnerability-mappings",
|
||||
"common-settings",
|
||||
"common-dynamic-mappings"
|
||||
],
|
||||
"priority": {{ PRIORITY }},
|
||||
"_meta": {
|
||||
"description": "Composable template that includes SO base fields",
|
||||
"ecs_version": "1.12"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -264,6 +264,32 @@ filebeat.inputs:
|
||||
|
||||
{%- endif %}
|
||||
|
||||
{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %}
|
||||
- type: log
|
||||
paths:
|
||||
- /logs/kratos/kratos.log
|
||||
fields:
|
||||
module: kratos
|
||||
category: host
|
||||
tags: beat-ext
|
||||
processors:
|
||||
- rename:
|
||||
fields:
|
||||
- from: "audience"
|
||||
to: "event.dataset"
|
||||
ignore_missing: true
|
||||
- add_fields:
|
||||
when:
|
||||
not:
|
||||
has_fields: ['event.dataset']
|
||||
target: ''
|
||||
fields:
|
||||
event.dataset: access
|
||||
fields_under_root: true
|
||||
clean_removed: false
|
||||
close_removed: false
|
||||
{%- endif %}
|
||||
|
||||
{%- if grains.role == 'so-idh' %}
|
||||
- type: log
|
||||
paths:
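Review bot: The processor chain on the new kratos input renames Kratos's `audience` field to `event.dataset` and falls back to `access` when a line carried none, but nothing records why that mapping was chosen; a one-line comment above `processors:` would spare the next reader a trip to the Kratos docs, e.g. `# Kratos stamps each log line with 'audience' (audit vs application, as far as I recall); surface it as event.dataset so the identity audit trail can be queried on its own, defaulting to 'access'`. Note also that `rename` keeps Filebeat's default `fail_on_error: true`, so a line that already carries `event.dataset` passes through unchanged rather than being overwritten — presumably the intended outcome, but worth stating in that comment. The `{%- if grains.role == 'so-idh' %}` block that follows continues past the end of this hunk.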
|
||||
@@ -271,8 +297,6 @@ filebeat.inputs:
|
||||
fields:
|
||||
module: opencanary
|
||||
dataset: idh
|
||||
category: host
|
||||
tags: beat-ext
|
||||
processors:
|
||||
- decode_json_fields:
|
||||
fields: ["message"]
|
||||
@@ -301,9 +325,6 @@ filebeat.inputs:
|
||||
ignore_missing: true
|
||||
- drop_fields:
|
||||
fields: '["prospector", "input", "offset", "beat"]'
|
||||
fields_under_root: true
|
||||
clean_removed: false
|
||||
close_removed: false
|
||||
{%- endif %}
|
||||
|
||||
{%- if INPUTS %}
|
||||
|
||||
@@ -1 +1 @@
|
||||
{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.16.3","id": "7.16.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
|
||||
{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.0","id": "7.17.0","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -4,7 +4,7 @@
|
||||
{% set DIGITS = "1234567890" %}
|
||||
{% set LOWERCASE = "qwertyuiopasdfghjklzxcvbnm" %}
|
||||
{% set UPPERCASE = "QWERTYUIOPASDFGHJKLZXCVBNM" %}
|
||||
{% set SYMBOLS = "~!@#$^&*()-_=+[]|;:,.<>?" %}
|
||||
{% set SYMBOLS = "~!@#^&*()-_=+[]|;:,.<>?" %}
|
||||
{% set CHARS = DIGITS~LOWERCASE~UPPERCASE~SYMBOLS %}
|
||||
{% set kibana_encryptedSavedObjects_encryptionKey = salt['pillar.get']('kibana:secrets:encryptedSavedObjects:encryptionKey', salt['random.get_str'](72, chars=CHARS)) %}
|
||||
{% set kibana_security_encryptionKey = salt['pillar.get']('kibana:secrets:security:encryptionKey', salt['random.get_str'](72, chars=CHARS)) %}
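Review bot: The reason for dropping `$` from `SYMBOLS` is not recorded, so the next person to touch this alphabet will not know which downstream step mis-handles it; a Jinja comment on the line would fix that, e.g. `{# '$' omitted: generated keys are expanded downstream (TODO: name the consumer) #}` with the actual consumer filled in. Removing one symbol leaves an 85-character alphabet, so a 72-character key from `random.get_str` still carries well over 400 bits of entropy — no weakening to worry about. One thing worth checking while here, though it predates this change: the `pillar.get` default is evaluated on every render, so unless setup persists the generated value into the pillar, a deployment without the pillar key gets a fresh key each highstate, which for Kibana's encryption keys invalidates previously encrypted saved objects.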
|
||||
|
||||
@@ -1,9 +1,12 @@
|
||||
{%- set WEBACCESS = salt['pillar.get']('global:url_base', '') -%}
|
||||
{%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%}
|
||||
{%- set SESSIONTIMEOUT = salt['pillar.get']('kratos:sessiontimeout', '24h') -%}
|
||||
{%- set MFA_ISSUER = salt['pillar.get']('kratos:mfa_issuer', 'Security Onion') -%}
|
||||
|
||||
session:
|
||||
lifespan: {{ SESSIONTIMEOUT }}
|
||||
whoami:
|
||||
required_aal: highest_available
|
||||
|
||||
selfservice:
|
||||
methods:
|
||||
@@ -11,10 +14,15 @@ selfservice:
|
||||
enabled: true
|
||||
config:
|
||||
haveibeenpwned_enabled: false
|
||||
totp:
|
||||
enabled: true
|
||||
config:
|
||||
issuer: {{ MFA_ISSUER }}
|
||||
|
||||
flows:
|
||||
settings:
|
||||
ui_url: https://{{ WEBACCESS }}/?r=/settings
|
||||
required_aal: highest_available
|
||||
|
||||
verification:
|
||||
ui_url: https://{{ WEBACCESS }}/
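Review bot: `issuer: {{ MFA_ISSUER }}` is rendered unquoted into YAML, so an operator-supplied pillar value containing `: `, ` #` or a leading special character (the default `Security Onion` is fine) would break or silently alter the kratos config; quoting it, `issuer: '{{ MFA_ISSUER }}'`, or passing it through `tojson` keeps any name intact. The two `required_aal: highest_available` entries (here and in the `session.whoami` hunk above) are the switch that actually enforces the second factor; as I understand Kratos, this demands AAL2 only for identities that have enrolled TOTP, so accounts without a device still log in with password alone — worth a comment saying so, e.g. `# highest_available: require the second factor once a user has enrolled one; enforced per account, not globally`. The enclosing `selfservice:` block starts before and continues after this hunk.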
|
||||
|
||||
@@ -17,6 +17,9 @@
|
||||
"credentials": {
|
||||
"password": {
|
||||
"identifier": true
|
||||
},
|
||||
"totp": {
|
||||
"account_name": true
|
||||
}
|
||||
},
|
||||
"verification": {
|
||||
|
||||
@@ -199,9 +199,6 @@ so-logstash:
|
||||
{% for CONFIGFILE in PIPELINES[PL].config %}
|
||||
- file: ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
{% for TEMPLATE in TEMPLATES %}
|
||||
- file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}
|
||||
{% endfor %}
|
||||
- require:
|
||||
{% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
|
||||
|
||||
@@ -399,12 +399,18 @@ http {
|
||||
}
|
||||
|
||||
error_page 401 = @error401;
|
||||
error_page 403 = @error403;
|
||||
|
||||
location @error401 {
|
||||
add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
|
||||
return 302 /auth/self-service/login/browser;
|
||||
}
|
||||
|
||||
location @error403 {
|
||||
add_header Set-Cookie "ory_kratos_session=;Path=/;Max-Age=0;expires=Thu, 01 Jan 1970 00:00:00 GMT;";
|
||||
return 302 /auth/self-service/login/browser;
|
||||
}
|
||||
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
location = /usr/share/nginx/html/50x.html {
|
||||
}
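Review bot: The new `@error403` handler clears `ory_kratos_session` and redirects to login on every 403, which conflates authorization failures with an invalid session: if any proxied endpoint answers 403 for a logged-in but unauthorized user, that user is silently logged out, and unlike `@error401` no `AUTH_REDIRECT` cookie is set, so they do not return to the page they were on. Unless every 403 reaching this `error_page` directive originates from the Kratos session check (the `auth_request`/proxy setup is outside this hunk), it would be safer to scope the handler to that location, or at least to document the assumption with a comment such as `# 403 here means the Kratos session check rejected the cookie; drop it and force a fresh login`. Also, nginx does not inherit `add_header` into a location that declares its own `add_header`, so any security headers set at the server level are absent on these two redirects — a trait of `@error401` that the new block copies.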
|
||||
|
||||
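--- /dev/null
+++ b/salt/zeek/files/networks.cfg.jinja
@@ -0,0 +1,9 @@
+{%- if salt['pillar.get']('sensor:hnsensor') %}
+{%- set HOME_NET = salt['pillar.get']('sensor:hnsensor') %}
+{%- else %}
+{%- set HOME_NET = salt['pillar.get']('global:hnmanager') %}
+{%- endif %}
+{%- set HNLIST = HOME_NET.split(',') %}
+{%- for HN in HNLIST %}
+{{ HN }}
+{%- endfor %}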
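Review bot: `HOME_NET.split(',')` is fed straight into Zeek's networks.cfg, but the entries are never trimmed, so a pillar value written as `10.0.0.0/8, 192.168.0.0/16` emits a line with a leading space, and an unset `global:hnmanager` pillar makes `pillar.get` return None and the render fail on `.split`; `{{ HN | trim }}` fixes the first, and a guarded default such as `salt['pillar.get']('global:hnmanager', '')` turns the second into an empty network list instead of a failed state. Because this file defines what Zeek treats as local address space (it populates `Site::local_nets`, which drives `local_orig`/`local_resp` in conn.log and locally-scoped notice policy), a mis-rendered entry changes detection semantics quietly, so a header comment naming the source pillars and the expected one-CIDR-per-line format would help operators verify it: `{# networks.cfg: one CIDR per line; taken from sensor:hnsensor, else global:hnmanager #}`.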
@@ -127,6 +127,14 @@ nodecfg:
|
||||
- group: 939
|
||||
- template: jinja
|
||||
|
||||
networkscfg:
|
||||
file.managed:
|
||||
- name: /opt/so/conf/zeek/networks.cfg
|
||||
- source: salt://zeek/files/networks.cfg.jinja
|
||||
- user: 937
|
||||
- group: 939
|
||||
- template: jinja
|
||||
|
||||
#zeekcleanscript:
|
||||
# file.managed:
|
||||
# - name: /usr/local/bin/zeek_clean
|
||||
@@ -209,6 +217,7 @@ so-zeek:
|
||||
- /nsm/zeek/extracted:/nsm/zeek/extracted:rw
|
||||
- /opt/so/conf/zeek/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro
|
||||
- /opt/so/conf/zeek/node.cfg:/opt/zeek/etc/node.cfg:ro
|
||||
- /opt/so/conf/zeek/networks.cfg:/opt/zeek/etc/networks.cfg:ro
|
||||
- /opt/so/conf/zeek/zeekctl.cfg:/opt/zeek/etc/zeekctl.cfg:ro
|
||||
- /opt/so/conf/zeek/policy/securityonion:/opt/zeek/share/zeek/policy/securityonion:ro
|
||||
- /opt/so/conf/zeek/policy/custom:/opt/zeek/share/zeek/policy/custom:ro
|
||||
@@ -219,6 +228,7 @@ so-zeek:
|
||||
- watch:
|
||||
- file: /opt/so/conf/zeek/local.zeek
|
||||
- file: /opt/so/conf/zeek/node.cfg
|
||||
- file: /opt/so/conf/zeek/networks.cfg
|
||||
- file: /opt/so/conf/zeek/zeekctl.cfg
|
||||
- file: /opt/so/conf/zeek/policy
|
||||
- file: /opt/so/conf/zeek/bpf
|
||||
|
||||