diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 3efed0016..e5b17efe1 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -29,7 +29,11 @@ * See this document's [code styling and conventions section](#code-style-and-conventions) below to be sure your PR fits our code requirements prior to submitting. -* Minor bug fixes can be submitted immediately. However, if you are wanting to make more involved changes, please start a [discussion](https://github.com/Security-Onion-Solutions/securityonion/discussions) first and tell us what you are hoping to achieve. If we agree with your goals, then you can submit the PR. +* Change behavior (fix a bug, add a new feature) separately from refactoring code. Refactor pull requests are welcome, but ensure your new code behaves exactly the same as the old. + +* **Do not refactor code for non-functional reasons**. If you are submitting a pull request that refactors code, ensure the refactor is improving the functionality of the code you're refactoring (e.g. decreasing complexity, removing reliance on 3rd party tools, improving performance). + +* Before submitting a PR with significant changes to the project, [start a discussion](https://github.com/Security-Onion-Solutions/securityonion/discussions/new) explaining what you hope to acheive. The project maintainers will provide feedback and determine whether your goal aligns with the project. ### Code style and conventions 
@@ -38,3 +42,5 @@ * All new Bash code should pass [ShellCheck](https://www.shellcheck.net/) analysis. Where errors can be *safely* [ignored](https://github.com/koalaman/shellcheck/wiki/Ignore), the relevant disable directive should be accompanied by a brief explanation as to why the error is being ignored. * **Ensure all YAML (this includes Salt states and pillars) is properly formatted**. The spec for YAML v1.2 can be found [here](https://yaml.org/spec/1.2/spec.html), however there are numerous online resources with simpler descriptions of its formatting rules. + +* **All code of any language should match the style of other code of that same language within the project.** Be sure that any changes you make do not break from the pre-existing style of Security Onion code. diff --git a/HOTFIX b/HOTFIX index 8b1378917..aa8e22a9c 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ - +20220202 20220203 diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index b52c8c740..376d4328f 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md 
@@ -1,18 +1,18 @@ -### 2.3.100-20220131 ISO image built on 2022/01/31 +### 2.3.100-20220203 ISO image built on 2022/02/03 ### Download and Verify -2.3.100-20220131 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220131.iso +2.3.100-20220203 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220203.iso -MD5: 9B50774532B77A10E2F52A3F0492A780 -SHA1: 3C50D2EF4AFFFA8929492C2FC3842FF3EEE0EA5F -SHA256: CDCBEE6B1FDFB4CAF6C9F80CCADC161366EC337746E8394BF4454FAA2FC11AA1 +MD5: 14705B2F2F9C973D944A4545449799C5 +SHA1: D73405BE3DE404DE19979B58DEA6F22F434E622D +SHA256: 3DD54ACBFDE0047A5EA238415F025ADB6D6AAFF53BEE084A602327CB3242B580 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220131.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220203.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220131.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220203.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220131.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220203.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.100-20220131.iso.sig securityonion-2.3.100-20220131.iso +gpg --verify securityonion-2.3.100-20220203.iso.sig securityonion-2.3.100-20220203.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Mon 31 Jan 2022 11:41:30 AM EST using RSA key ID FE507013 +gpg: Signature made Thu 03 Feb 2022 03:35:03 PM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/pillar/logstash/nodes.sls b/pillar/logstash/nodes.sls index 3658065cb..18c4b39bf 100644 --- a/pillar/logstash/nodes.sls +++ b/pillar/logstash/nodes.sls 
@@ -1,11 +1,13 @@ {% set node_types = {} %} +{% set cached_grains = salt.saltutil.runner('cache.grains', tgt='*') %} {% for minionid, ip in salt.saltutil.runner( 'mine.get', tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-node or G@role:so-heavynode or G@role:so-receiver or G@role:so-helix ', fun='network.ip_addrs', - tgt_type='compound') | dictsort() + tgt_type='compound') | dictsort() %} -{% set hostname = minionid.split('_')[0] %} + +{% set hostname = cached_grains[minionid]['host'] %} {% set node_type = minionid.split('_')[1] %} {% if node_type not in node_types.keys() %} {% do node_types.update({node_type: {hostname: ip[0]}}) %} diff --git a/salt/common/tools/sbin/so-elasticsearch-component-templates-list b/salt/common/tools/sbin/so-elasticsearch-component-templates-list new file mode 100755 index 000000000..69deb1873 --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsearch-component-templates-list @@ -0,0 +1,23 @@ +#!/bin/bash +# +# Copyright 2014-2022 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +. /usr/sbin/so-common +if [ "$1" == "" ]; then + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort +else + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template/$1 | jq +fi 
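Review bot: `cached_grains[minionid]['host']` makes the whole `nodes.sls` pillar fail to render for every minion as soon as one minion returned by `mine.get` has no entry in the `cache.grains` result or no `host` grain, because Jinja raises on the missing key; the previous `minionid.split('_')[0]` never had that failure mode. Keep it as a fallback so a single stale cache entry cannot take out the Logstash pillar: `{% set hostname = cached_grains.get(minionid, {}).get('host', minionid.split('_')[0]) %}`. It is also worth a one-line comment noting that `host` is a minion-reported grain (like the mine data it is paired with), i.e. trust-on-join data rather than something the manager validates.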
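Review bot: On the `else` branch `$1` is interpolated into the URL unquoted, so a template name containing whitespace or glob characters is word-split and globbed before curl sees it; quote the URL as the sibling `so-elasticsearch-indices-list` change in this commit does: `{{ ELASTICCURL }} -s -k -L "https://{{ NODEIP }}:9200/_component_template/$1" | jq`. The argument is also inserted unencoded, so a value containing `/` or `?` changes which endpoint is queried rather than producing a not-found error; a header comment such as `# Usage: so-elasticsearch-component-templates-list [template-name]` stating that the argument is a bare template name would make the contract explicit. `-k` disables certificate verification; that matches the existing `so-elasticsearch-*` helpers, but a short comment on why it is acceptable for this connection would help the next reader.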
diff --git a/salt/common/tools/sbin/so-elasticsearch-index-templates-list b/salt/common/tools/sbin/so-elasticsearch-index-templates-list new file mode 100755 index 000000000..84fecc565 --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsearch-index-templates-list @@ -0,0 +1,23 @@ +#!/bin/bash +# +# Copyright 2014-2022 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +. /usr/sbin/so-common +if [ "$1" == "" ]; then + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort +else + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template/$1 | jq +fi diff --git a/salt/common/tools/sbin/so-elasticsearch-indices-list b/salt/common/tools/sbin/so-elasticsearch-indices-list index c6b661dbf..f7662f4e2 100755 --- a/salt/common/tools/sbin/so-elasticsearch-indices-list +++ b/salt/common/tools/sbin/so-elasticsearch-indices-list @@ -18,4 +18,4 @@ . /usr/sbin/so-common -{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_cat/indices?pretty +{{ ELASTICCURL }} -s -k -L "https://{{ NODEIP }}:9200/_cat/indices?pretty&v&s=index" diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 61b936f1a..347c10b81 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
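Review bot: Same issue as the component-template helper added in this commit: `$1` is unquoted inside the URL on the `else` branch, so it is subject to word splitting and globbing, and it is not URL-encoded, so `/` or `?` in the argument changes the endpoint queried. Quote it: `{{ ELASTICCURL }} -s -k -L "https://{{ NODEIP }}:9200/_index_template/$1" | jq`, and add a usage comment after the license header, e.g. `# Usage: so-elasticsearch-index-templates-list [template-name]  (no argument lists all index template names)`. Note the two new scripts are otherwise identical apart from the endpoint and jq key, so any future fix needs to be applied to both.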
@@ -158,7 +158,7 @@ EOF } airgap_update_dockers() { - if [[ $is_airgap -eq 0 ]]; then + if [[ $is_airgap -eq 0 ]] || [[ ! -z "$ISOLOC" ]]; then # Let's copy the tarball if [[ ! -f $AGDOCKER/registry.tar ]]; then echo "Unable to locate registry. Exiting" @@ -976,6 +976,11 @@ main() { # Let's mount the ISO since this is airgap airgap_mounted else + # if not airgap but -f was used + if [[ ! -z "$ISOLOC" ]]; then + airgap_mounted + AGDOCKER=/tmp/soagupdate/docker + fi echo "Cloning Security Onion github repo into $UPDATE_DIR." echo "Removing previous upgrade sources." rm -rf $UPDATE_DIR @@ -1031,6 +1036,10 @@ main() { update_centos_repo yum clean all check_os_updates + # if not airgap but -f was used + elif [[ ! -z "$ISOLOC" ]]; then + airgap_update_dockers + unmount_update else update_registry set +e diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 737c1118e..bfeeadb20 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -55,7 +55,7 @@ elasticsearch: indices: query: bool: - max_clause_count: 1500 + max_clause_count: 3000 id_field_data: enabled: false logger: diff --git a/salt/elasticsearch/files/ingest/zeek.dns b/salt/elasticsearch/files/ingest/zeek.dns index d0c07492e..533c63611 100644 --- a/salt/elasticsearch/files/ingest/zeek.dns +++ b/salt/elasticsearch/files/ingest/zeek.dns 
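Review bot: The new `if [[ ! -z "$ISOLOC" ]]` test in the non-airgap branch of `main` (and the same pattern in the other two soup hunks) trips ShellCheck SC2236, which the CONTRIBUTING.md change in this very commit says new Bash must pass; use `if [[ -n "$ISOLOC" ]]; then`. `AGDOCKER=/tmp/soagupdate/docker` is assigned only after `airgap_mounted` returns, so if `airgap_mounted` reads `$AGDOCKER` (its body is outside this hunk) it sees whatever value was set earlier; assigning before the call, or inside `airgap_mounted`, removes that ordering dependency. The inline comment only restates the condition; something like `# -f on a non-airgap node: load container images from the supplied ISO instead of pulling from the registry` would say why the branch exists. `main` starts and ends outside the hunk.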
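Review bot: In the new `elif [[ ! -z "$ISOLOC" ]]` branch, `airgap_update_dockers` exits when `$AGDOCKER/registry.tar` is missing (see its body earlier in this diff), which skips the following `unmount_update` and leaves the ISO mounted; run the unmount on that failure path as well, e.g. `airgap_update_dockers || { unmount_update; exit 1; }`, or arrange it via a trap. This branch also bypasses `update_registry`, so whatever that path does for registry-sourced images (not visible here) is not applied to images loaded from a user-supplied ISO path; a comment stating that an ISO passed with `-f` is trusted as-is would make that explicit. `main` continues outside the hunk.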
@@ -19,7 +19,7 @@ { "rename": { "field": "message2.RD", "target_field": "dns.recursion.desired", "ignore_missing": true } }, { "rename": { "field": "message2.RA", "target_field": "dns.recursion.available", "ignore_missing": true } }, { "rename": { "field": "message2.Z", "target_field": "dns.reserved", "ignore_missing": true } }, - { "rename": { "field": "message2.answers", "target_field": "dns.answers", "ignore_missing": true } }, + { "rename": { "field": "message2.answers", "target_field": "dns.answers.name", "ignore_missing": true } }, { "rename": { "field": "message2.TTLs", "target_field": "dns.ttls", "ignore_missing": true } }, { "rename": { "field": "message2.rejected", "target_field": "dns.query.rejected", "ignore_missing": true } }, { "script": { "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()", "ignore_failure": true } }, diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index ece110c8b..aa3c6cbd6 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -147,11 +147,13 @@ esingestdir: estemplatedir: file.directory: - - name: /opt/so/conf/elasticsearch/templates + - name: /opt/so/conf/elasticsearch/templates/index - user: 930 - group: 939 - makedirs: True + + esrolesdir: file.directory: - name: /opt/so/conf/elasticsearch/roles 
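Review bot: Renaming `message2.answers` to `dns.answers.name` puts Zeek's answer vector under the ECS field that names the record an answer belongs to, whereas the record data lives in `dns.answers.data`; if the Zeek `answers` column holds RR data as it does in stock dns.log, `"target_field": "dns.answers.data"` is the ECS-consistent target. Independently of the name, the source is a flat array of strings, so the result is `dns.answers: {name: [...]}` rather than ECS's array of answer objects, and `dns.ttls` on the next line is still kept as a separate parallel array; a short comment recording that this is a deliberate partial mapping would keep the next reader from trying to "fix" it. The pipeline definition continues outside the hunk.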
@@ -200,17 +202,24 @@ esyml: {% for TEMPLATE in TEMPLATES %} es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}: file.managed: - - source: salt://elasticsearch/templates/{{TEMPLATE}} + - source: salt://elasticsearch/templates/index/{{TEMPLATE}} {% if 'jinja' in TEMPLATE.split('.')[-1] %} - - name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}} + - name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}} - template: jinja {% else %} - - name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1]}} + - name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1]}} {% endif %} - user: 930 - group: 939 {% endfor %} +escomponenttemplates: + file.recurse: + - name: /opt/so/conf/elasticsearch/templates/component + - source: salt://elasticsearch/templates/component + - user: 930 + - group: 939 + esroles: file.recurse: - source: salt://elasticsearch/roles/ diff --git a/salt/elasticsearch/templates/component/ecs/agent.json b/salt/elasticsearch/templates/component/ecs/agent.json new file mode 100644 index 000000000..4c7f8738e --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/agent.json @@ -0,0 +1,44 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
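Review bot: The `es_template_*` states now write under `/opt/so/conf/elasticsearch/templates/index/`, but nothing in this state removes the files the old states wrote directly under `/opt/so/conf/elasticsearch/templates/`, so upgraded managers keep a stale copy of every template next to the new `index/` and `component/` directories, and anything that globs the parent directory (not visible here) will still pick them up. A `file.absent` for the old per-file paths, or a `- clean: True` on a recurse state over the parent, would make the state converge on upgrade. `escomponenttemplates` sets only owner and group; a comment stating that the files are read by the Elasticsearch container (uid 930/gid 939, as the numeric ids suggest) and whether a `file_mode` is intended would document the permission choice.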
diff --git a/salt/elasticsearch/templates/component/ecs/aws.json b/salt/elasticsearch/templates/component/ecs/aws.json new file mode 100644 index 000000000..ccea31e27 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/aws.json 
@@ -0,0 +1,570 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "aws": { + "properties": { + "cloudtrail": { + "properties": { + "additional_eventdata": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "console_login": { + "properties": { + "additional_eventdata": { + "properties": { + "login_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "mfa_used": { + "type": "boolean" + }, + "mobile_version": { + "type": "boolean" + } + } + } + } + }, + "digest": { + "properties": { + "end_time": { + "type": "date" + }, + "log_files": { + "type": "nested" + }, + "newest_event_time": { + "type": "date" + }, + "oldest_event_time": { + "type": "date" + }, + "previous_hash_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "previous_s3_bucket": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "s3_bucket": { + "ignore_above": 1024, + "type": "keyword" + }, + "s3_object": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "start_time": { + "type": "date" + } + } + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "flattened": { + "properties": { + "additional_eventdata": { + "type": "flattened" + }, + "request_parameters": { + "type": "flattened" + }, + "response_elements": { + "type": "flattened" + }, + "service_event_details": { + 
"type": "flattened" + } + } + }, + "insight_details": { + "type": "flattened" + }, + "management_event": { + "ignore_above": 1024, + "type": "keyword" + }, + "read_only": { + "ignore_above": 1024, + "type": "keyword" + }, + "recipient_account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_parameters": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "resources": { + "properties": { + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response_elements": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "service_event_details": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "shared_event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_identity": { + "properties": { + "access_key_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "invoked_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_context": { + "properties": { + "creation_date": { + "type": "date" + }, + "mfa_authenticated": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_issuer": { + "properties": { + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpc_endpoint_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cloudwatch": { + "properties": { + 
"message": { + "norms": false, + "type": "text" + } + } + }, + "ec2": { + "properties": { + "ip_address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elb": { + "properties": { + "action_executed": { + "ignore_above": 1024, + "type": "keyword" + }, + "backend": { + "properties": { + "http": { + "properties": { + "response": { + "properties": { + "status_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "backend_processing_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "chosen_cert": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_time": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "error": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "incoming_tls_alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "listener": { + "ignore_above": 1024, + "type": "keyword" + }, + "matched_rule_priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "redirect_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_processing_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "response_processing_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "ssl_cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_group": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + } + } 
+ }, + "target_port": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_status_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls_handshake_time": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "tls_named_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "trace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "s3access": { + "properties": { + "authentication_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "bucket": { + "ignore_above": 1024, + "type": "keyword" + }, + "bucket_owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes_sent": { + "type": "long" + }, + "cipher_suite": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_header": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_status": { + "type": "long" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_size": { + "type": "long" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "requester": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_time": { + "type": "long" + }, + "turn_around_time": { + "type": "long" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpcflow": { + "properties": { + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "instance_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "pkt_dstaddr": { + "type": "ip" + }, + "pkt_srcaddr": { + "type": "ip" + }, + "subnet_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_array": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/azure.json b/salt/elasticsearch/templates/component/ecs/azure.json new file mode 100644 index 000000000..5e1acaae5 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/azure.json 
@@ -0,0 +1,604 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "azure": { + "properties": { + "activitylogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "properties": { + "authorization": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "evidence": { + "properties": { + "principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "principal_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_assignment_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_assignment_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_definition_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scope": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "claims": { + "properties": { + "*": { + "type": "object" + } + } + }, + "claims_initiated_by_user": { + "properties": { + "fullname": { + "ignore_above": 1024, + "type": "keyword" + }, + "givenname": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "schema": { + "ignore_above": 1024, + "type": "keyword" + }, + "surname": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "type": "flattened" + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "auditlogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "operation_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "activity_datetime": { + "type": "date" + }, + "activity_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiated_by": { + "properties": { + "app": { + "properties": { + "appId": { + "ignore_above": 1024, + "type": "keyword" + }, + "displayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "servicePrincipalId": { + "ignore_above": 1024, + "type": "keyword" + }, + "servicePrincipalName": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "displayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "userPrincipalName": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "logged_by_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_resources": { + "properties": { + "*": { + "properties": { + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "modified_properties": { + "properties": { + "*": { + "properties": { + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "type": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "user_principal_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "consumer_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "enqueued_time": { + "type": "date" + }, + "eventhub": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + }, + "partition_id": { + "type": "long" + }, + "platformlogs": { + "properties": { + "ActivityId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Caller": { + "ignore_above": 1024, + "type": "keyword" + }, + "Cloud": { + "ignore_above": 1024, + "type": "keyword" + }, + "Environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventTimeString": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScaleUnit": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "ccpNamespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "type": "flattened" + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "authorization_rule": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "sequence_number": { + "type": "long" + }, + "signinlogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "app_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_processing_details": { + "type": "flattened" + }, + "authentication_requirement": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_requirement_policies": { + "ignore_above": 1024, + "type": "keyword" + }, + "autonomous_system_number": { + "type": "long" + }, + "client_app_used": { + "ignore_above": 1024, + "type": "keyword" + }, + "conditional_access_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + "cross_tenant_access_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_detail": { + "properties": { + "browser": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operating_system": { + "ignore_above": 1024, + "type": "keyword" + }, + "trust_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flagged_for_review": { + "type": "boolean" + }, + "home_tenant_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_interactive": { + "type": "boolean" + }, + "is_tenant_restricted": { + "type": "boolean" + }, + "original_request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "processing_time_ms": { + "type": "float" + }, + 
"resource_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_tenant_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_event_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_event_types_v2": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_level_aggregated": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_level_during_signin": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_principal_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sso_extension_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "properties": { + "error_code": { + "type": "long" + } + } + }, + "token_issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "token_issuer_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_principal_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "result_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subscription_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} 
diff --git a/salt/elasticsearch/templates/component/ecs/base.json b/salt/elasticsearch/templates/component/ecs/base.json new file mode 100644 index 000000000..f409ed95a --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/base.json @@ -0,0 +1,25 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "@timestamp": { + "type": "date" + }, + "labels": { + "type": "object" + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/cef.json b/salt/elasticsearch/templates/component/ecs/cef.json new file mode 100644 index 000000000..376fbf26a --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/cef.json 
@@ -0,0 +1,772 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "cef": {
+ "properties": {
+ "device": {
+ "properties": {
+ "event_class_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vendor": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "extensions": {
+ "properties": {
+ "Reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentAddress": {
+ "type": "ip"
+ },
+ "agentDnsDomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentHostName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentMacAddress": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentNtDomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentReceiptTime": {
+ "type": "date"
+ },
+ "agentTimeZone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentTranslatedAddress": {
+ "type": "ip"
+ },
+ "agentTranslatedZoneExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentTranslatedZoneURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentVersion": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentZoneExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "agentZoneURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "applicationProtocol": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "baseEventCount": {
+ "type": "long"
+ },
+ "bytesIn": {
+ "type": "long"
+ },
+ "bytesOut": {
+ "type": "long"
+ },
+ "categoryBehavior": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "categoryDeviceGroup": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "categoryDeviceType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "categoryObject": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "categoryOutcome": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "categorySignificance": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "categoryTechnique": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cp_app_risk": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cp_severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "customerExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "customerURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationAddress": {
+ "type": "ip"
+ },
+ "destinationDnsDomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationGeoLatitude": {
+ "type": "double"
+ },
+ "destinationGeoLongitude": {
+ "type": "double"
+ },
+ "destinationHostName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationMacAddress": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationNtDomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationPort": {
+ "type": "long"
+ },
+ "destinationProcessId": {
+ "type": "long"
+ },
+ "destinationProcessName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationServiceName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationTranslatedAddress": {
+ "type": "ip"
+ },
+ "destinationTranslatedPort": {
+ "type": "long"
+ },
+ "destinationTranslatedZoneExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationTranslatedZoneURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationUserId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationUserName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationUserPrivileges": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationZoneExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "destinationZoneURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceAction": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceAddress": {
+ "type": "ip"
+ },
+ "deviceCustomDate1": {
+ "type": "date"
+ },
+ "deviceCustomDate1Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomDate2": {
+ "type": "date"
+ },
+ "deviceCustomDate2Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomFloatingPoint1": {
+ "type": "double"
+ },
+ "deviceCustomFloatingPoint1Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomFloatingPoint2": {
+ "type": "double"
+ },
+ "deviceCustomFloatingPoint2Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomFloatingPoint3": {
+ "type": "double"
+ },
+ "deviceCustomFloatingPoint3Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomFloatingPoint4": {
+ "type": "double"
+ },
+ "deviceCustomFloatingPoint4Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomIPv6Address1": {
+ "type": "ip"
+ },
+ "deviceCustomIPv6Address1Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomIPv6Address2": {
+ "type": "ip"
+ },
+ "deviceCustomIPv6Address2Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomIPv6Address3": {
+ "type": "ip"
+ },
+ "deviceCustomIPv6Address3Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomIPv6Address4": {
+ "type": "ip"
+ },
+ "deviceCustomIPv6Address4Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomNumber1": {
+ "type": "long"
+ },
+ "deviceCustomNumber1Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomNumber2": {
+ "type": "long"
+ },
+ "deviceCustomNumber2Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomNumber3": {
+ "type": "long"
+ },
+ "deviceCustomNumber3Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString1Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString2": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString2Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString3": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString3Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString4": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString4Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString5": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString5Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString6": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceCustomString6Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceDirection": {
+ "type": "long"
+ },
+ "deviceDnsDomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceEventCategory": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceExternalId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceFacility": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceFlexNumber1": {
+ "type": "long"
+ },
+ "deviceFlexNumber1Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceFlexNumber2": {
+ "type": "long"
+ },
+ "deviceFlexNumber2Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceHostName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceInboundInterface": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceMacAddress": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceNtDomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceOutboundInterface": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "devicePayloadId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceProcessId": {
+ "type": "long"
+ },
+ "deviceProcessName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceReceiptTime": {
+ "type": "date"
+ },
+ "deviceTimeZone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceTranslatedAddress": {
+ "type": "ip"
+ },
+ "deviceTranslatedZoneExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceTranslatedZoneURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceZoneExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deviceZoneURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "endTime": {
+ "type": "date"
+ },
+ "eventId": {
+ "type": "long"
+ },
+ "eventOutcome": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "externalId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fileCreateTime": {
+ "type": "date"
+ },
+ "fileHash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fileId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fileModificationTime": {
+ "type": "date"
+ },
+ "filePath": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "filePermission": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fileSize": {
+ "type": "long"
+ },
+ "fileType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "filename": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "flexDate1": {
+ "type": "date"
+ },
+ "flexDate1Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "flexString1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "flexString1Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "flexString2": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "flexString2Label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ifname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "inzone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "layer_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "layer_uuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "logid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "loguid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "managerReceiptTime": {
+ "type": "date"
+ },
+ "match_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "nat_addtnl_rulenum": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "nat_rulenum": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "oldFileCreateTime": {
+ "type": "date"
+ },
+ "oldFileHash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "oldFileId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "oldFileModificationTime": {
+ "type": "date"
+ },
+ "oldFileName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "oldFilePath": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "oldFilePermission": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "oldFileSize": {
+ "type": "long"
+ },
+ "oldFileType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "origin": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "originsicname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "outzone": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "parent_rule": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rawEvent": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "requestClientApplication": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "requestContext": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "requestCookies": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "requestMethod": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "requestUrl": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rule_action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rule_uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sequencenum": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "service_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceAddress": {
+ "type": "ip"
+ },
+ "sourceDnsDomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceGeoLatitude": {
+ "type": "double"
+ },
+ "sourceGeoLongitude": {
+ "type": "double"
+ },
+ "sourceHostName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceMacAddress": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceNtDomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourcePort": {
+ "type": "long"
+ },
+ "sourceProcessId": {
+ "type": "long"
+ },
+ "sourceProcessName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceServiceName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceTranslatedAddress": {
+ "type": "ip"
+ },
+ "sourceTranslatedPort": {
+ "type": "long"
+ },
+ "sourceTranslatedZoneExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceTranslatedZoneURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceUserId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceUserName": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceUserPrivileges": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceZoneExternalID": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sourceZoneURI": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "startTime": {
+ "type": "date"
+ },
+ "transportProtocol": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "type": "long"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/ecs/checkpoint.json b/salt/elasticsearch/templates/component/ecs/checkpoint.json
new file mode 100644
index 000000000..bb2f8f6de
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/checkpoint.json
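Review bot: `cef.extensions.rawEvent`, `requestUrl`, `requestCookies` and `message` are mapped as `keyword` with `"ignore_above": 1024`, which means any value longer than 1024 characters is silently left out of the index (it stays in `_source` but cannot be searched or aggregated), and those four fields are exactly the ones a CEF sender is likely to fill past that length, so long URLs, cookie strings and raw events would drop out of detections without any error. base.json in the same commit maps its top-level `message` as `match_only_text`, so the consistent fix here is `"rawEvent": { "type": "match_only_text" }` (and likewise for `message`), with `requestUrl`/`requestCookies` either given a larger `ignore_above` or the same text type if they are only ever free-text searched. Separately, `_meta.documentation` in this file points at the ECS base page (`ecs-base.html`) rather than anything CEF-specific, and the checkpoint.json hunk that follows carries the same link; if the value is just copied from base.json it is worth either pointing it at the relevant integration reference or removing it so readers are not sent to the wrong page. The `ip`-typed extension fields (`agentAddress`, `sourceAddress`, the `deviceCustomIPv6Address*` set) will cause a whole document to be rejected if a sender emits a non-IP string there; whether the pipeline sets `ignore_malformed` is not visible in this diff and may be worth confirming.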
@@ -0,0 +1,1615 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "checkpoint": { + "properties": { + "action_reason": { + "type": "long" + }, + "action_reason_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "additional_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "additional_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "additional_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "allocated_ports": { + "type": "long" + }, + "analyzed_on": { + "ignore_above": 1024, + "type": "keyword" + }, + "answer_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "anti_virus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_id": { + "type": "long" + }, + "app_package": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_properties": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_repackaged": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_sid_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_sig_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "appi_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "arrival_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "attachments_num": { + "type": "long" + }, + "attack_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "audit_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "authority_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"authorization": { + "ignore_above": 1024, + "type": "keyword" + }, + "bcc": { + "ignore_above": 1024, + "type": "keyword" + }, + "blade_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "broker_publisher": { + "type": "ip" + }, + "browse_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "c_bytes": { + "type": "long" + }, + "calc_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "capacity": { + "type": "long" + }, + "capture_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cc": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_resource": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_validation": { + "ignore_above": 1024, + "type": "keyword" + }, + "cgnet": { + "ignore_above": 1024, + "type": "keyword" + }, + "chunk_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_type_os": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "community": { + "ignore_above": 1024, + "type": "keyword" + }, + "confidence_level": { + "type": "long" + }, + "connection_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "connectivity_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "connectivity_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "conns_amount": { + "type": "long" + }, + "content_disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_length": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_risk": { + "type": "long" + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_num": { + "type": "long" + }, + "cookie": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "cookieI": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookieR": { + "ignore_above": 1024, + "type": "keyword" + }, + "cp_message": { + "type": "long" + }, + "cvpn_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvpn_resource": { + "ignore_above": 1024, + "type": "keyword" + }, + "data_type_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dce-rpc_interface_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_object": { + "ignore_above": 1024, + "type": "keyword" + }, + "detected_on": { + "ignore_above": 1024, + "type": "keyword" + }, + "developer_certificate_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "diameter_app_ID": { + "type": "long" + }, + "diameter_cmd_code": { + "type": "long" + }, + "diameter_msg_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_action_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_additional_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_data_type_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_data_type_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_fingerprint_files_number": { + "type": "long" + }, + "dlp_fingerprint_long_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_fingerprint_short_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_incident_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_recipients": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_related_incident_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_relevant_data_types": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"dlp_repository_directories_number": { + "type": "long" + }, + "dlp_repository_files_number": { + "type": "long" + }, + "dlp_repository_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_repository_not_scanned_directories_percentage": { + "type": "long" + }, + "dlp_repository_reached_directories_number": { + "type": "long" + }, + "dlp_repository_root_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_repository_scan_progress": { + "type": "long" + }, + "dlp_repository_scanned_directories_number": { + "type": "long" + }, + "dlp_repository_scanned_files_number": { + "type": "long" + }, + "dlp_repository_scanned_total_size": { + "type": "long" + }, + "dlp_repository_skipped_files_number": { + "type": "long" + }, + "dlp_repository_total_size": { + "type": "long" + }, + "dlp_repository_unreachable_directories_number": { + "type": "long" + }, + "dlp_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_template_score": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_transint": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_violation_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_watermark_profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_word_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_query": { + "ignore_above": 1024, + "type": "keyword" + }, + "drop_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_verdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_incoming": { + "type": "long" + }, + "dropped_outgoing": { + "type": "long" + }, + "dropped_total": { + "type": "long" + }, + "drops_amount": { + "type": "long" + }, + 
"dst_country": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_phone_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstkeyid": { + "ignore_above": 1024, + "type": "keyword" + }, + "duplicate": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "ignore_above": 1024, + "type": "keyword" + }, + "elapsed": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_content": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_control": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_control_analysis": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_headers": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_queue_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_queue_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_recipients_num": { + "type": "long" + }, + "email_session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_spam_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_spool_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "emulated_on": { + "ignore_above": 1024, + "type": "keyword" + }, + "encryption_failure": { + "ignore_above": 1024, + "type": "keyword" + }, + "end_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "end_user_firewall_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_access_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_associated_policies": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_noncompliance_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_rule_action": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "esod_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_rule_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_scan_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_count": { + "type": "long" + }, + "expire_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_verdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_impact": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "files_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "first_hit_time": { + "type": "long" + }, + "frequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "fs-proto": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftp_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "fw_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "fw_subproduct": { + "ignore_above": 1024, + "type": "keyword" + }, + "hide_ip": { + "type": "ip" + }, + "hit": { + "type": "long" + }, + "host_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_location": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_server": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_inspection_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_inspection_rule_id": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "https_inspection_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_validation": { + "ignore_above": 1024, + "type": "keyword" + }, + "icap_more_info": { + "type": "long" + }, + "icap_server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "icap_server_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "icap_service_id": { + "type": "long" + }, + "icmp": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "long" + }, + "icmp_type": { + "type": "long" + }, + "id": { + "type": "long" + }, + "identity_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "ike": { + "ignore_above": 1024, + "type": "keyword" + }, + "ike_ids": { + "ignore_above": 1024, + "type": "keyword" + }, + "impacted_files": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "info": { + "ignore_above": 1024, + "type": "keyword" + }, + "information": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_item": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_settings_log": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed_products": { + "ignore_above": 1024, + "type": "keyword" + }, + "int_end": { + "type": "long" + }, + "int_start": { + "type": "long" + }, + "integrity_av_invoke_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"internal_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "invalid_file_size": { + "type": "long" + }, + "ip_option": { + "type": "long" + }, + "isp_link": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_hit_time": { + "type": "long" + }, + "last_rematch_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "limit_applied": { + "type": "long" + }, + "limit_requested": { + "type": "long" + }, + "link_probing_status_update": { + "ignore_above": 1024, + "type": "keyword" + }, + "links_num": { + "type": "long" + }, + "log_delay": { + "type": "long" + }, + "log_id": { + "type": "long" + }, + "logid": { + "ignore_above": 1024, + "type": "keyword" + }, + "long_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "ignore_above": 1024, + "type": "keyword" + }, + "malware_family": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_fk": { + "type": "long" + }, + "match_id": { + "type": "long" + }, + "matched_file": { + "ignore_above": 1024, + "type": "keyword" + }, + "matched_file_percentage": { + "type": "long" + }, + "matched_file_text_segments": { + "type": "long" + }, + "media_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_size": { + "type": "long" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "methods": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "mirror_and_decrypt_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_collection": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_command_and_control": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "mitre_credential_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_defense_evasion": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_discovery": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_exfiltration": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_impact": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_initial_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_lateral_movement": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_persistence": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_privilege_escalation": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitor_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat46": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_addtnl_rulenum": { + "type": "long" + }, + "nat_exhausted_pool": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_rulenum": { + "type": "long" + }, + "needs_browse_time": { + "type": "long" + }, + "next_hop_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "next_scheduled_scan_date": { + "ignore_above": 1024, + "type": "keyword" + }, + "number_of_errors": { + "type": "long" + }, + "objecttable": { + "ignore_above": 1024, + "type": "keyword" + }, + "objecttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "observable_comment": { + "ignore_above": 1024, + "type": "keyword" + }, + "observable_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "observable_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_sic_name": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "original_queue_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "outgoing_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_amount": { + "type": "long" + }, + "packet_capture_unique_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_file_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_file_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_process_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_rule": { + "type": "long" + }, + "peer_gateway": { + "type": "ip" + }, + "peer_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_ip_probing_status_update": { + "ignore_above": 1024, + "type": "keyword" + }, + "performance_impact": { + "type": "long" + }, + "policy_mgmt": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ports_usage": { + "type": "long" + }, + "ppp": { + "ignore_above": 1024, + "type": "keyword" + }, + "precise_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "process_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxy_machine_name": { + "type": "long" + }, + "proxy_src_ip": { + "type": "ip" + }, + "proxy_user_dn": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxy_user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "question_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"referrer_parent_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer_self_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_ip-phones": { + "ignore_above": 1024, + "type": "keyword" + }, + "reject_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "reject_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "rematch_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediated_files": { + "ignore_above": 1024, + "type": "keyword" + }, + "reply_status": { + "type": "long" + }, + "risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "rpc_prog": { + "type": "long" + }, + "rule": { + "type": "long" + }, + "rule_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "rulebase_id": { + "type": "long" + }, + "scan_direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "scan_hosts_day": { + "type": "long" + }, + "scan_hosts_hour": { + "type": "long" + }, + "scan_hosts_week": { + "type": "long" + }, + "scan_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scan_mail": { + "type": "long" + }, + "scan_result": { + "ignore_above": 1024, + "type": "keyword" + }, + "scan_results": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_activity": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_download_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_total_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrubbed_content": { + "ignore_above": 1024, + "type": "keyword" + }, + "sctp_association_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "sctp_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "scv_message_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "scv_user": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "securexl_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensor_mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "short_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "sig_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "similar_communication": { + "ignore_above": 1024, + "type": "keyword" + }, + "similar_hashes": { + "ignore_above": 1024, + "type": "keyword" + }, + "similar_strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "similiar_iocs": { + "ignore_above": 1024, + "type": "keyword" + }, + "sip_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "site_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_object": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_os": { + "ignore_above": 1024, + "type": "keyword" + }, + "special_properties": { + "type": "long" + }, + "specific_data_type_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "spyware_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "spyware_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "spyware_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_country": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_phone_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_user_dn": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "srckeyid": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_update": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_policy_name": { + "ignore_above": 
1024, + "type": "keyword" + }, + "sub_policy_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "subs_exp": { + "type": "date" + }, + "subscriber": { + "type": "ip" + }, + "summary": { + "ignore_above": 1024, + "type": "keyword" + }, + "suppressed_logs": { + "type": "long" + }, + "sync": { + "ignore_above": 1024, + "type": "keyword" + }, + "sys_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_end_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_packet_out_of_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "te_verdict_determined_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ticket_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls_server_host_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_archive_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_attachments": { + "type": "long" + }, + "triggered_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "unique_detected_day": { + "type": "long" + }, + "unique_detected_hour": { + "type": "long" + }, + "unique_detected_week": { + "type": "long" + }, + "update_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "verdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "via": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"virus_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_attach_action_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_attach_sz": { + "type": "long" + }, + "voip_call_dir": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_call_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_call_term_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_config": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_duration": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_est_codec": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_exp": { + "type": "long" + }, + "voip_from_user_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_log_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_media_codec": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_media_ipp": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_media_port": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_reason_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_reg_int": { + "type": "long" + }, + "voip_reg_ipp": { + "type": "long" + }, + "voip_reg_period": { + "type": "long" + }, + "voip_reg_server": { + "type": "ip" + }, + "voip_reg_user_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_reject_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_to_user_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpn_feature_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "watermark": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_server_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "word_list": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} 
diff --git a/salt/elasticsearch/templates/component/ecs/cisco.json b/salt/elasticsearch/templates/component/ecs/cisco.json new file mode 100644 index 000000000..3800b79fc --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/cisco.json 
@@ -0,0 +1,620 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "cisco": { + "properties": { + "amp": { + "properties": { + "bp_data": { + "type": "flattened" + }, + "cloud_ioc": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "short_description": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "properties": { + "arguments": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "computer": { + "properties": { + "active": { + "type": "boolean" + }, + "connector_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "external_ip": { + "type": "ip" + }, + "network_addresses": { + "type": "flattened" + } + } + }, + "connector_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "detection": { + "ignore_above": 1024, + "type": "keyword" + }, + "detection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event_type_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "archived_file": { + "properties": { + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "attack_details": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "attacked_module": { + "ignore_above": 1024, + "type": "keyword" + }, + "base_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicators": { + "type": "flattened" + }, + "suspicious_files": { + "ignore_above": 1024, 
+ "type": "keyword" + } + } + }, + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "disposition": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "group_guids": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_tactics": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_techniques": { + "ignore_above": 1024, + "type": "keyword" + }, + "network_info": { + "properties": { + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "nfm": { + "properties": { + "direction": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "parent": { + "properties": { + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "identify": { + "properties": { + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identity": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "related": { + "properties": { + "cve": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scan": { + "properties": { + "clean": { + "type": "boolean" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "malicious_detections": { + "type": "long" + }, + "scanned_files": { + "type": "long" + }, + "scanned_paths": { + "type": "long" + }, + "scanned_processes": { + "type": "long" + } + } + }, + "tactics": { + "type": "flattened" + }, + "techniques": { + "type": "flattened" + }, + "threat_hunting": { + "properties": { + "incident_end_time": { + "type": "date" + }, + "incident_hunt_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_report_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"incident_start_time": { + "type": "date" + }, + "incident_summary": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_title": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactics": { + "type": "flattened" + }, + "techniques": { + "type": "flattened" + } + } + }, + "timestamp_nanoseconds": { + "type": "date" + }, + "vulnerabilities": { + "type": "flattened" + } + } + }, + "asa": { + "properties": { + "assigned_ip": { + "type": "ip" + }, + "burst": { + "properties": { + "avg_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "configured_avg_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "configured_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "cumulative_count": { + "ignore_above": 1024, + "type": "keyword" + }, + "current_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "object": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line_arguments": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dap_records": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "short" + }, + "icmp_type": { + "type": "short" + }, + "mapped_destination_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_destination_ip": { + "type": "ip" + }, + "mapped_destination_port": { + "type": "long" + }, + "mapped_source_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_source_ip": { + "type": "ip" + }, + "mapped_source_port": { + "type": "long" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "privilege": 
{ + "properties": { + "new": { + "ignore_above": 1024, + "type": "keyword" + }, + "old": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "suffix": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_initiator": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "tunnel_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "webvpn": { + "properties": { + "group_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "ftd": { + "properties": { + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dap_records": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "short" + }, + "icmp_type": { + "type": "short" + }, + "mapped_destination_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_destination_ip": { + "type": "ip" + }, + "mapped_destination_port": { + "type": "long" + }, + "mapped_source_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_source_ip": { + "type": "ip" + }, + "mapped_source_port": { + "type": "long" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "security": { + "type": "object" + }, + "source_interface": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "source_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "suffix": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_initiator": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "webvpn": { + "properties": { + "group_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "ios": { + "properties": { + "access_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "umbrella": { + "properties": { + "amp_disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "amp_malware_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "amp_score": { + "ignore_above": 1024, + "type": "keyword" + }, + "av_detections": { + "ignore_above": 1024, + "type": "keyword" + }, + "blocked_categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "datacenter": { + "ignore_above": 1024, + "type": "keyword" + }, + "identities": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_identity_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "puas": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha_sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/client.json b/salt/elasticsearch/templates/component/ecs/client.json new file mode 100644 index 000000000..7f5a2169e --- /dev/null 
+++ b/salt/elasticsearch/templates/component/ecs/client.json 
@@ -0,0 +1,187 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 
1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/cloud.json b/salt/elasticsearch/templates/component/ecs/cloud.json new file mode 100644 index 000000000..f41ab4a8f --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/cloud.json 
@@ -0,0 +1,80 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/container.json b/salt/elasticsearch/templates/component/ecs/container.json new file mode 100644 index 000000000..bd5ce8113 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/container.json 
@@ -0,0 +1,43 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/cyberark.json b/salt/elasticsearch/templates/component/ecs/cyberark.json new file mode 100644 index 000000000..20e90f6ea --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/cyberark.json 
@@ -0,0 +1,305 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "cyberarkpas": { + "properties": { + "audit": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "ca_properties": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpm_disabled": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpm_error_details": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpm_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "customer": { + "ignore_above": 1024, + "type": "keyword" + }, + "database": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dual_account_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "group_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "in_process": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_fail_date": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_success_change": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_success_reconciliation": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_success_verification": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_task": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "other": { + "type": "flattened" + }, + "policy_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "ignore_above": 1024, + "type": "keyword" + }, + "privcloud": { + "ignore_above": 1024, + "type": "keyword" + }, + "reset_immediately": { + "ignore_above": 1024, + "type": "keyword" + }, + "retries_count": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "sequence_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_dn": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "extra_details": { + "properties": { + "ad_process_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ad_process_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_component_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "managed_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "other": { + "type": "flattened" + }, + "process_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "process_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "psmid": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_duration": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "gateway_station": { + "type": "ip" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "iso_timestamp": { + "type": "date" + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "doc_values": false, + "ignore_above": 
4096, + "index": false, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "pvwa_details": { + "type": "flattened" + }, + "raw": { + "doc_values": false, + "ignore_above": 4096, + "index": false, + "type": "keyword" + }, + "reason": { + "norms": false, + "type": "text" + }, + "rfc5424": { + "type": "boolean" + }, + "safe": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "station": { + "type": "ip" + }, + "target_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/data_stream.json b/salt/elasticsearch/templates/component/ecs/data_stream.json new file mode 100644 index 000000000..dfbfe3f51 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/data_stream.json @@ -0,0 +1,25 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "data_stream": { + "properties": { + "dataset": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/destination.json b/salt/elasticsearch/templates/component/ecs/destination.json new file mode 100644 index 000000000..4fac31200 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/destination.json 
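Review bot: `data_stream.dataset`, `data_stream.namespace` and `data_stream.type` are mapped as `constant_keyword`, which permits exactly one value per index: the first document indexed fixes the value and any later document carrying a different value for that field is rejected. That is the intended behaviour for a data stream whose name already fixes type, dataset and namespace, but if this component template is reused by a conventional index that receives events from several datasets, ingestion of the second dataset fails with a mapping error. Which index templates consume this component is not visible in the hunk, so it is worth confirming; if mixed datasets are possible, `keyword` with `ignore_above: 1024`, as used throughout the sibling templates, is the safe alternative.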
@@ -0,0 +1,187 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/dll.json b/salt/elasticsearch/templates/component/ecs/dll.json new file mode 100644 index 000000000..84667a6b9 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/dll.json 
@@ -0,0 +1,116 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/dns.json b/salt/elasticsearch/templates/component/ecs/dns.json new file mode 100644 index 000000000..321a061f5 --- /dev/null 
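Review bot: `dll.path` is a bare keyword with `ignore_above: 1024` and, unlike `file.path` in file.json, carries no `text` multi-field, so a path longer than 1024 characters is kept in `_source` but not indexed at all, and an exact-match or wildcard query on it returns nothing without any error. This presumably mirrors the upstream ECS 1.12 definition, but long module paths are realistic on Windows hosts; if detection content consumes this field, adding the same `"fields": {"text": {"type": "match_only_text"}}` block used on `file.path`, or raising `ignore_above` for `dll.path`, keeps such values searchable.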
+++ b/salt/elasticsearch/templates/component/ecs/dns.json @@ -0,0 +1,91 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/ecs.json b/salt/elasticsearch/templates/component/ecs/ecs.json new file mode 100644 index 000000000..9abfcf61c --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/ecs.json 
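Review bot: `dns.answers` is mapped with `"type": "object"`, so when one document carries several answers their `name`, `data`, `type` and `ttl` values are flattened into independent arrays and a query such as `dns.answers.name: X AND dns.answers.data: Y` can match across two different answers. That is the upstream ECS choice and avoids the cost of `nested`, but it is worth stating in the commit description or template documentation so analysts do not read a cross-answer hit as a single answer record. Separately, `dns.answers.data` has `ignore_above: 1024` with no text multi-field, so an answer longer than 1024 characters (TXT records can be) is stored but unindexed and silently excluded from searches on that field.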
@@ -0,0 +1,20 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/elasticsearch.json b/salt/elasticsearch/templates/component/ecs/elasticsearch.json new file mode 100644 index 000000000..f409ed95a --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/elasticsearch.json @@ -0,0 +1,25 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "@timestamp": { + "type": "date" + }, + "labels": { + "type": "object" + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/error.json b/salt/elasticsearch/templates/component/ecs/error.json new file mode 100644 index 000000000..c33f580ab --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/error.json @@ -0,0 +1,39 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "type": "match_only_text" + }, + "stack_trace": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
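Review bot: `labels` in elasticsearch.json is mapped as a plain `object` with no `dynamic` setting, so every distinct key a shipper places under `labels` becomes a new field in the index mapping, bounded only by whatever `dynamic` policy and `index.mapping.total_fields.limit` the composed index template applies (not visible in this diff). If any log source can emit caller-controlled label names, that is a route to unbounded mapping growth; `"labels": {"type": "flattened"}` keeps arbitrary keys searchable as a single field, or an explicit `"dynamic": false` on the object restricts the mapping to declared keys at the cost of not indexing the rest. The ecs.json and error.json hunks on this line raise nothing.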
diff --git a/salt/elasticsearch/templates/component/ecs/event.json b/salt/elasticsearch/templates/component/ecs/event.json new file mode 100644 index 000000000..0d43760a2 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/event.json @@ -0,0 +1,112 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
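Review bot: `event.original` is the only field in event.json with `"index": false` and `"doc_values": false`, so the raw event text is retrievable from `_source` but cannot be searched, filtered or aggregated; a detection rule or saved search that queries `event.original` matches nothing and gives no error. That presumably follows ECS 1.12 to keep the raw copy out of the index, but since every other field in the file is indexed it deserves a sentence in the commit description or template documentation, e.g. "event.original is stored for display/export only; match on the parsed fields".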
diff --git a/salt/elasticsearch/templates/component/ecs/file.json b/salt/elasticsearch/templates/component/ecs/file.json new file mode 100644 index 000000000..6242cc324 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/file.json 
@@ -0,0 +1,424 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + 
"type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/fortinet.json b/salt/elasticsearch/templates/component/ecs/fortinet.json new file mode 100644 index 000000000..1f9b7496d --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/fortinet.json 
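Review bot: `file.elf.sections` and `file.elf.segments` are the only `nested` mappings in this set, so each section or segment of a parsed ELF becomes a separate hidden Lucene document counted against `index.mapping.nested_objects.limit` (10000 per document by default), and queries on `file.elf.sections.*` need a `nested` query rather than the flat syntax that works for every other field here; `file.elf.exports` and `file.elf.imports` use `flattened` and do not carry that cost. Both choices presumably mirror upstream ECS 1.12, but anyone writing hunting queries over these fields needs to know, so a note in the template documentation is warranted. `file.drive_letter` with `ignore_above: 1` is the ECS single-letter convention and fine as is.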
@@ -0,0 +1,1627 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "fortinet": { + "properties": { + "file": { + "properties": { + "hash": { + "properties": { + "crc32": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "firewall": { + "properties": { + "acct_stat": { + "ignore_above": 1024, + "type": "keyword" + }, + "acktime": { + "ignore_above": 1024, + "type": "keyword" + }, + "act": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity": { + "ignore_above": 1024, + "type": "keyword" + }, + "addr": { + "type": "ip" + }, + "addr_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "addrgrp": { + "ignore_above": 1024, + "type": "keyword" + }, + "adgroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "admin": { + "ignore_above": 1024, + "type": "keyword" + }, + "age": { + "type": "long" + }, + "agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "alarmid": { + "type": "long" + }, + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "analyticscksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "analyticssubmit": { + "ignore_above": 1024, + "type": "keyword" + }, + "ap": { + "ignore_above": 1024, + "type": "keyword" + }, + "app-type": { + "ignore_above": 1024, + "type": "keyword" + }, + "appact": { + "ignore_above": 1024, + "type": "keyword" + }, + "appid": { + "type": "long" + }, + "applist": { + "ignore_above": 1024, + "type": "keyword" + }, + "apprisk": { + "ignore_above": 1024, + "type": "keyword" + }, + "apscan": { + "ignore_above": 1024, + "type": "keyword" + }, + "apsn": { + "ignore_above": 1024, + "type": "keyword" + }, + "apstatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "aptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "assigned": { + "type": "ip" + }, + "assignip": { 
+ "type": "ip" + }, + "attachment": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack": { + "ignore_above": 1024, + "type": "keyword" + }, + "attackcontext": { + "ignore_above": 1024, + "type": "keyword" + }, + "attackcontextid": { + "ignore_above": 1024, + "type": "keyword" + }, + "attackid": { + "type": "long" + }, + "auditid": { + "type": "long" + }, + "auditscore": { + "ignore_above": 1024, + "type": "keyword" + }, + "audittime": { + "type": "long" + }, + "authgrp": { + "ignore_above": 1024, + "type": "keyword" + }, + "authid": { + "ignore_above": 1024, + "type": "keyword" + }, + "authproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "authserver": { + "ignore_above": 1024, + "type": "keyword" + }, + "bandwidth": { + "ignore_above": 1024, + "type": "keyword" + }, + "banned_rule": { + "ignore_above": 1024, + "type": "keyword" + }, + "banned_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "banword": { + "ignore_above": 1024, + "type": "keyword" + }, + "botnetdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "botnetip": { + "type": "ip" + }, + "bssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "carrier_ep": { + "ignore_above": 1024, + "type": "keyword" + }, + "cat": { + "type": "long" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cc": { + "ignore_above": 1024, + "type": "keyword" + }, + "cdrcontent": { + "ignore_above": 1024, + "type": "keyword" + }, + "centralnatid": { + "type": "long" + }, + "cert": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert-type": { + "ignore_above": 1024, + "type": "keyword" + }, + "certhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgattr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgobj": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgpath": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgtid": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "cfgtxpower": { + "type": "long" + }, + "channel": { + "type": "long" + }, + "channeltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "chassisid": { + "type": "long" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "chgheaders": { + "ignore_above": 1024, + "type": "keyword" + }, + "cldobjid": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_addr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "clouduser": { + "ignore_above": 1024, + "type": "keyword" + }, + "column": { + "type": "long" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "community": { + "ignore_above": 1024, + "type": "keyword" + }, + "configcountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "conserve": { + "ignore_above": 1024, + "type": "keyword" + }, + "constraint": { + "ignore_above": 1024, + "type": "keyword" + }, + "contentdisarmed": { + "ignore_above": 1024, + "type": "keyword" + }, + "contenttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookies": { + "ignore_above": 1024, + "type": "keyword" + }, + "count": { + "type": "long" + }, + "countapp": { + "type": "long" + }, + "countav": { + "type": "long" + }, + "countcifs": { + "type": "long" + }, + "countdlp": { + "type": "long" + }, + "countdns": { + "type": "long" + }, + "countemail": { + "type": "long" + }, + "countff": { + "type": "long" + }, + "countips": { + "type": "long" + }, + "countssh": { + "type": "long" + }, + "countssl": { + "type": "long" + }, + "countwaf": { + "type": "long" + }, + "countweb": { + "type": "long" + }, + "cpu": { + "type": "long" + }, + "craction": { + "type": "long" + }, + "criticalcount": { + "type": "long" + }, + "crl": { + "ignore_above": 1024, + "type": "keyword" + }, + "crlevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "crscore": { + "type": 
"long" + }, + "cveid": { + "ignore_above": 1024, + "type": "keyword" + }, + "daemon": { + "ignore_above": 1024, + "type": "keyword" + }, + "datarange": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "ignore_above": 1024, + "type": "keyword" + }, + "ddnsserver": { + "type": "ip" + }, + "desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "detectionmethod": { + "ignore_above": 1024, + "type": "keyword" + }, + "devcategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "devintfname": { + "ignore_above": 1024, + "type": "keyword" + }, + "devtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "dintf": { + "ignore_above": 1024, + "type": "keyword" + }, + "disk": { + "ignore_above": 1024, + "type": "keyword" + }, + "disklograte": { + "type": "long" + }, + "dlpextra": { + "ignore_above": 1024, + "type": "keyword" + }, + "docsource": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainctrlauthstate": { + "type": "long" + }, + "domainctrlauthtype": { + "type": "long" + }, + "domainctrldomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainctrlip": { + "type": "ip" + }, + "domainctrlname": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainctrlprotocoltype": { + "type": "long" + }, + "domainctrlusername": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainfilteridx": { + "type": "long" + }, + "domainfilterlist": { + "ignore_above": 1024, + "type": "keyword" + }, + "ds": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_int": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstcountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstdevcategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstdevtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstfamily": { + "ignore_above": 1024, + "type": "keyword" + }, + "dsthwvendor": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"dsthwversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstinetsvc": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstintfrole": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstosname": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstosversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstserver": { + "type": "long" + }, + "dstssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstswversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstunauthusersource": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstuuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "duid": { + "ignore_above": 1024, + "type": "keyword" + }, + "eapolcnt": { + "type": "long" + }, + "eapoltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "encrypt": { + "type": "long" + }, + "encryption": { + "ignore_above": 1024, + "type": "keyword" + }, + "epoch": { + "type": "long" + }, + "espauth": { + "ignore_above": 1024, + "type": "keyword" + }, + "esptransform": { + "ignore_above": 1024, + "type": "keyword" + }, + "eventtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "exch": { + "ignore_above": 1024, + "type": "keyword" + }, + "exchange": { + "ignore_above": 1024, + "type": "keyword" + }, + "expectedsignature": { + "ignore_above": 1024, + "type": "keyword" + }, + "expiry": { + "ignore_above": 1024, + "type": "keyword" + }, + "fams_pause": { + "type": "long" + }, + "fazlograte": { + "type": "long" + }, + "fctemssn": { + "ignore_above": 1024, + "type": "keyword" + }, + "fctuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "filefilter": { + "ignore_above": 1024, + "type": "keyword" + }, + "filehashsrc": { + "ignore_above": 1024, + "type": "keyword" + }, + "filtercat": { + "ignore_above": 1024, + "type": "keyword" + }, + "filteridx": { + "type": "long" + }, + "filtername": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"filtertype": { + "ignore_above": 1024, + "type": "keyword" + }, + "fortiguardresp": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwardedfor": { + "ignore_above": 1024, + "type": "keyword" + }, + "fqdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "frametype": { + "ignore_above": 1024, + "type": "keyword" + }, + "freediskstorage": { + "type": "long" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "from_vcluster": { + "type": "long" + }, + "fsaverdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "fwserver_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gateway": { + "type": "ip" + }, + "green": { + "ignore_above": 1024, + "type": "keyword" + }, + "groupid": { + "type": "long" + }, + "ha-prio": { + "type": "long" + }, + "ha_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "ha_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "handshake": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hbdn_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "highcount": { + "type": "long" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "iaid": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmpcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmpid": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "type": "long" + }, + "in_spi": { + "ignore_above": 1024, + "type": "keyword" + }, + "incidentserialno": { + "type": "long" + }, + "infected": { + "type": "long" + }, + "infectedfilelevel": { + "type": "long" + }, + "informationsource": { + "ignore_above": 1024, + "type": "keyword" + }, + "init": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiator": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "intf": { + "ignore_above": 
1024, + "type": "keyword" + }, + "invalidmac": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "iptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "keyword": { + "ignore_above": 1024, + "type": "keyword" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "lanin": { + "type": "long" + }, + "lanout": { + "type": "long" + }, + "lease": { + "type": "long" + }, + "license_limit": { + "ignore_above": 1024, + "type": "keyword" + }, + "limit": { + "type": "long" + }, + "line": { + "ignore_above": 1024, + "type": "keyword" + }, + "live": { + "type": "long" + }, + "local": { + "type": "ip" + }, + "log": { + "ignore_above": 1024, + "type": "keyword" + }, + "login": { + "ignore_above": 1024, + "type": "keyword" + }, + "lowcount": { + "type": "long" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "malform_data": { + "type": "long" + }, + "malform_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "manuf": { + "ignore_above": 1024, + "type": "keyword" + }, + "masterdstmac": { + "ignore_above": 1024, + "type": "keyword" + }, + "mastersrcmac": { + "ignore_above": 1024, + "type": "keyword" + }, + "mediumcount": { + "type": "long" + }, + "mem": { + "type": "long" + }, + "meshmode": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mgmtcnt": { + "type": "long" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitor-name": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitor-type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mpsk": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "netid": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "newchannel": { + "type": "long" + }, + "newchassisid": { + "type": "long" + }, + "newslot": { + "type": "long" + }, + "nextstat": { + "type": "long" + }, + "nf_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "noise": { + "type": "long" + }, + "old_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldchannel": { + "type": "long" + }, + "oldchassisid": { + "type": "long" + }, + "oldslot": { + "type": "long" + }, + "oldsn": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldwprof": { + "ignore_above": 1024, + "type": "keyword" + }, + "onwire": { + "ignore_above": 1024, + "type": "keyword" + }, + "opercountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "opertxpower": { + "type": "long" + }, + "osname": { + "ignore_above": 1024, + "type": "keyword" + }, + "osversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "out_spi": { + "ignore_above": 1024, + "type": "keyword" + }, + "outintf": { + "ignore_above": 1024, + "type": "keyword" + }, + "passedcount": { + "type": "long" + }, + "passwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_notif": { + "ignore_above": 1024, + "type": "keyword" + }, + "phase2_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "phone": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "policytype": { + "ignore_above": 1024, + "type": "keyword" + }, + "poolname": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "portbegin": { + "type": "long" + }, + "portend": { + "type": "long" 
+ }, + "probeproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "processtime": { + "type": "long" + }, + "profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile_vd": { + "ignore_above": 1024, + "type": "keyword" + }, + "profilegroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "profiletype": { + "ignore_above": 1024, + "type": "keyword" + }, + "qtypeval": { + "type": "long" + }, + "quarskip": { + "ignore_above": 1024, + "type": "keyword" + }, + "quotaexceeded": { + "ignore_above": 1024, + "type": "keyword" + }, + "quotamax": { + "type": "long" + }, + "quotatype": { + "ignore_above": 1024, + "type": "keyword" + }, + "quotaused": { + "type": "long" + }, + "radioband": { + "ignore_above": 1024, + "type": "keyword" + }, + "radioid": { + "type": "long" + }, + "radioidclosest": { + "type": "long" + }, + "radioiddetected": { + "type": "long" + }, + "rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "rawdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "rawdataid": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcvddelta": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "received": { + "type": "long" + }, + "receivedsignature": { + "ignore_above": 1024, + "type": "keyword" + }, + "red": { + "ignore_above": 1024, + "type": "keyword" + }, + "referralurl": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote": { + "type": "ip" + }, + "remotewtptime": { + "ignore_above": 1024, + "type": "keyword" + }, + "reporttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "reqtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "rssi": { + "type": "long" + }, + "rsso_key": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ruledata": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruletype": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanned": { + "type": "long" + }, + "scantime": { + "type": "long" + }, + "scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "security": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensitivity": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensor": { + "ignore_above": 1024, + "type": "keyword" + }, + "sentdelta": { + "ignore_above": 1024, + "type": "keyword" + }, + "seq": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "serialno": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "sessionid": { + "type": "long" + }, + "setuprate": { + "type": "long" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "shaperdroprcvdbyte": { + "type": "long" + }, + "shaperdropsentbyte": { + "type": "long" + }, + "shaperperipdropbyte": { + "type": "long" + }, + "shaperperipname": { + "ignore_above": 1024, + "type": "keyword" + }, + "shaperrcvdname": { + "ignore_above": 1024, + "type": "keyword" + }, + "shapersentname": { + "ignore_above": 1024, + "type": "keyword" + }, + "shapingpolicyid": { + "type": "long" + }, + "signal": { + "type": "long" + }, + "size": { + "type": "long" + }, + "slot": { + "type": "long" + }, + "sn": { + "ignore_above": 1024, + "type": "keyword" + }, + "snclosest": { + "ignore_above": 1024, + "type": "keyword" + }, + "sndetected": { + "ignore_above": 1024, + "type": "keyword" + }, + "snmeshparent": { + "ignore_above": 1024, + "type": "keyword" + }, + "spi": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_int": { + "ignore_above": 1024, + "type": "keyword" + }, + "srccountry": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"srcfamily": { + "ignore_above": 1024, + "type": "keyword" + }, + "srchwvendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "srchwversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcinetsvc": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcintfrole": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcname": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcserver": { + "type": "long" + }, + "srcssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcswversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcuuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sscname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sslaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssllocal": { + "ignore_above": 1024, + "type": "keyword" + }, + "sslremote": { + "ignore_above": 1024, + "type": "keyword" + }, + "stacount": { + "type": "long" + }, + "stage": { + "ignore_above": 1024, + "type": "keyword" + }, + "stamac": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "stitch": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "submodule": { + "ignore_above": 1024, + "type": "keyword" + }, + "subservice": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "suspicious": { + "type": "long" + }, + "switchproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "sync_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "sync_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "sysuptime": { + "ignore_above": 1024, + "type": "keyword" + }, + "tamac": { + "ignore_above": 1024, + "type": "keyword" + }, + "threattype": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "time": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + }, + "to_vcluster": { + "type": "long" + }, + "total": { + "type": "long" + }, + "totalsession": { + "type": "long" + }, + "trace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trandisp": { + "ignore_above": 1024, + "type": "keyword" + }, + "transid": { + "type": "long" + }, + "translationid": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "ignore_above": 1024, + "type": "keyword" + }, + "trueclntip": { + "type": "ip" + }, + "tunnelid": { + "type": "long" + }, + "tunnelip": { + "type": "ip" + }, + "tunneltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "ui": { + "ignore_above": 1024, + "type": "keyword" + }, + "unauthusersource": { + "ignore_above": 1024, + "type": "keyword" + }, + "unit": { + "type": "long" + }, + "urlfilteridx": { + "type": "long" + }, + "urlfilterlist": { + "ignore_above": 1024, + "type": "keyword" + }, + "urlsource": { + "ignore_above": 1024, + "type": "keyword" + }, + "urltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "used": { + "type": "long" + }, + "used_for_type": { + "type": "long" + }, + "utmaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "utmref": { + "ignore_above": 1024, + "type": "keyword" + }, + "vap": { + "ignore_above": 1024, + "type": "keyword" + }, + "vapmode": { + "ignore_above": 1024, + "type": "keyword" + }, + "vcluster": { + "type": "long" + }, + "vcluster_member": { + "type": "long" + }, + "vcluster_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "vd": { + "ignore_above": 1024, + "type": "keyword" + }, + "vdname": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendorurl": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "vip": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"virus": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "virusid": {
+ "type": "long"
+ },
+ "voip_proto": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vpn": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vpntunnel": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vpntype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vrf": {
+ "type": "long"
+ },
+ "vulncat": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vulnid": {
+ "type": "long"
+ },
+ "vulnname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vwlid": {
+ "type": "long"
+ },
+ "vwlquality": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vwlservice": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vwpvlanid": {
+ "type": "long"
+ },
+ "wanin": {
+ "type": "long"
+ },
+ "wanoptapptype": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "wanout": {
+ "type": "long"
+ },
+ "weakwepiv": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "xauthgroup": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "xauthuser": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "xid": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/ecs/gcp.json b/salt/elasticsearch/templates/component/ecs/gcp.json
new file mode 100644
index 000000000..5ac9dcbe4
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/gcp.json
@@ -0,0 +1,267 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "gcp": { + "properties": { + "audit": { + "properties": { + "authentication_info": { + "properties": { + "authority_selector": { + "ignore_above": 1024, + "type": "keyword" + }, + "principal_email": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "method_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "num_response_items": { + "type": "long" + }, + "request": { + "properties": { + "filter": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "proto_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request_metadata": { + "properties": { + "caller_ip": { + "type": "ip" + }, + "caller_supplied_user_agent": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource_location": { + "properties": { + "current_locations": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "response": { + "properties": { + "details": { + "properties": { + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "proto_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "properties": { + "code": { + "type": "long" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + 
"properties": { + "instance": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpc": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "subnetwork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "firewall": { + "properties": { + "rule_details": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_range": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_range": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_service_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_service_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "source": { + "properties": { + "instance": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpc": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "subnetwork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "vpcflow": { + "properties": { + "reporter": { + "ignore_above": 1024, + "type": "keyword" + }, + "rtt": { + "properties": { + "ms": { + "type": "long" + } + } + } + } + } + } + } + } + } + } +} 
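Review bot: `gcp.audit.request_metadata.caller_ip` is typed `ip` with no `ignore_malformed`, so an event whose caller address is not a literal IP is rejected by the index instead of being stored without that field; GCP audit logs are, to my knowledge, known to carry placeholder values such as `private` there, so either the ingest pipeline must strip such values before indexing or the field should carry `"ignore_malformed": true`. Separately, `_meta.documentation` cites ecs-base.html although `gcp` is not an ECS field set, whereas group.json, host.json and http.json in this commit each cite their own ECS page; point it at the source this mapping was derived from or drop the key rather than leave a misleading reference.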
diff --git a/salt/elasticsearch/templates/component/ecs/google_workspace.json b/salt/elasticsearch/templates/component/ecs/google_workspace.json
new file mode 100644
index 000000000..526bd9bb5
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/google_workspace.json
@@ -0,0 +1,750 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "google_workspace": { + "properties": { + "actor": { + "properties": { + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "admin": { + "properties": { + "alert": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "api": { + "properties": { + "client": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scopes": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "application": { + "properties": { + "asp_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "edition": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "licences_order_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "licences_purchased": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "package_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bulk_upload": { + "properties": { + "failed": { + "type": "long" + }, + "total": { + "type": "long" + } + } + }, + "chrome_licenses": { + "properties": { + "allowed": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "chrome_os": { + "properties": { + "session_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "device": { + "properties": { + "command_details": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" 
+ } + } + }, + "distribution": { + "properties": { + "entity": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "domain": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "secondary_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "log_search_filter": { + "properties": { + "end_date": { + "type": "date" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "recipient": { + "properties": { + "ip": { + "type": "ip" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "ip": { + "type": "ip" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start_date": { + "type": "date" + } + } + }, + "quarantine_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email_dump": { + "properties": { + "include_deleted": { + "type": "boolean" + }, + "package_content": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email_monitor": { + "properties": { + "dest_email": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "properties": { + "chat": { + "ignore_above": 1024, + "type": "keyword" + }, + "draft": { + "ignore_above": 1024, + "type": "keyword" + }, + "incoming": { + "ignore_above": 1024, + "type": "keyword" + }, + "outgoing": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "gateway": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "allowed_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"priorities": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "info_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "managed_configuration": { + "ignore_above": 1024, + "type": "keyword" + }, + "mdm": { + "properties": { + "token": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mobile": { + "properties": { + "action": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "certificate": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "company_owned_devices": { + "type": "long" + } + } + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "non_featured_services_selection": { + "ignore_above": 1024, + "type": "keyword" + }, + "oauth2": { + "properties": { + "application": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "org_unit": { + "properties": { + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "print_server": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "printer": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "privilege": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sku": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + 
"id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "role": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "setting": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "birthdate": { + "type": "date" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "nickname": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_defined_setting": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "verification_method": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "drive": { + "properties": { + "added_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "billable": { + "type": "boolean" + }, + "destination_folder_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_folder_title": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "properties": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_shared_drive": { + "type": "boolean" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "membership_change_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "old_visibility": { + "ignore_above": 1024, + "type": "keyword" + }, + "originating_app_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "primary_event": { + "type": "boolean" + }, + "removed_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "shared_drive_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "shared_drive_settings_change_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "sheets_import_range_recipient_doc": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_folder_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_folder_title": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "visibility": { + "ignore_above": 1024, + "type": "keyword" + }, + "visibility_change": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "groups": { + "properties": { + "acl_permission": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "member": { + "properties": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "moderation_action": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "setting": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "login": { + "properties": { + 
"affected_email_address": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "challenge_method": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "failure_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "is_second_factor": {
+ "type": "boolean"
+ },
+ "is_suspicious": {
+ "type": "boolean"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "organization": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "saml": {
+ "properties": {
+ "application_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "failure_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "initiated_by": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "orgunit_path": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "second_level_status_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status_code": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/ecs/group.json b/salt/elasticsearch/templates/component/ecs/group.json
new file mode 100644
index 000000000..ed40b4d9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/group.json
@@ -0,0 +1,28 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/templates/component/ecs/host.json b/salt/elasticsearch/templates/component/ecs/host.json
new file mode 100644
index 000000000..cf69aad56
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/host.json
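Review bot: `google_workspace.admin.mdm.token` (in the `admin.mdm` block earlier in this hunk) is indexed as a searchable, aggregatable keyword; if the value is a live enrollment or vendor token rather than an opaque identifier, every user with read access to the index can enumerate it through a terms aggregation. Unless the token must be searchable, `"index": false` keeps it in `_source` without a searchable term, or the ingest pipeline can redact it before indexing. The mapping alone does not say what the field holds, so confirm against the upstream integration's field reference before changing it.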
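Review bot: group.json ends with `\ No newline at end of file`, while gcp.json and google_workspace.json in the same commit end with a newline; host.json and http.json share the missing newline. Add the trailing newline to those three files so the component templates are consistent and so the next edit to any of them does not show the closing `}` as a changed line.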
@@ -0,0 +1,247 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/http.json b/salt/elasticsearch/templates/component/ecs/http.json new file mode 100644 index 000000000..d6164a191 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/http.json 
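Review bot: The `match_only_text` sub-fields on `host.os.full`, `host.os.name`, `host.user.full_name` and `host.user.name` (and on `http.request.body.content` / `http.response.body.content` in http.json) require an Elasticsearch release that knows that field type; to my knowledge it arrived in the 7.14 line, and a template using it is rejected when the template is loaded, not when documents arrive. Nothing in this commit records that minimum, so confirm the version the Salt state pins and note it where the component templates are loaded, e.g. a README line such as `component templates use match_only_text/wildcard and need Elasticsearch >= [minimum version]`.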
@@ -0,0 +1,87 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "http": {
+ "properties": {
+ "request": {
+ "properties": {
+ "body": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ },
+ "content": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ }
+ }
+ },
+ "bytes": {
+ "type": "long"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "method": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mime_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "referrer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "response": {
+ "properties": {
+ "body": {
+ "properties": {
+ "bytes": {
+ "type": "long"
+ },
+ "content": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ }
+ }
+ },
+ "bytes": {
+ "type": "long"
+ },
+ "mime_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status_code": {
+ "type": "long"
+ }
+ }
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/templates/component/ecs/juniper.json b/salt/elasticsearch/templates/component/ecs/juniper.json
new file mode 100644
index 000000000..33a5f61d6
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/juniper.json
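Review bot: `http.request.body.content` and `http.response.body.content` are typed `wildcard` with a `match_only_text` sub-field and no `ignore_above`, so whatever a producer puts in those fields is stored and indexed in full; request bodies routinely carry form credentials and session material, so the retention and access implications belong to whichever parser populates them, not only to this mapping. If no current Security Onion pipeline fills these fields the mapping is harmless, but if one does, decide whether a size cap (`ignore_above` is accepted on `wildcard`) or redaction in the ingest pipeline is wanted. Also worth confirming, hedged because I cannot see the installed distribution from here, is that the Elasticsearch build the Salt state installs licenses the `wildcard` type.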
@@ -0,0 +1,378 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "juniper": { + "properties": { + "srx": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "action_detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "apbr_rule_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_characteristics": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_sub_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_ip": { + "type": "ip" + }, + "connection_hit_rate": { + "type": "long" + }, + "connection_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_hit_rate": { + "type": "long" + }, + "context_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_value_hit_rate": { + "type": "long" + }, + "ddos_application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dscp_value": { + "type": "long" + }, + "dst_nat_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_nat_rule_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_vrf_grp": { + "ignore_above": 1024, + "type": "keyword" + }, + "elapsed_time": { + "type": "date" + }, + "encrypted": { + "ignore_above": 1024, + "type": "keyword" + }, + "epoch_time": { + "type": "date" + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"error_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "export_id": { + "type": "long" + }, + "feed_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_hash_lookup": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_type": { + "type": "long" + }, + "inbound_bytes": { + "type": "long" + }, + "inbound_packets": { + "type": "long" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "logical_system_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "malware_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_connection_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "nested_application": { + "ignore_above": 1024, + "type": "keyword" + }, + "obj": { + "ignore_above": 1024, + "type": "keyword" + }, + "occur_count": { + "type": "long" + }, + "outbound_bytes": { + "type": "long" + }, + "outbound_packets": { + "type": "long" + }, + "packet_log_id": { + "type": "long" + }, + "peer_destination_address": { + "type": "ip" + }, + "peer_destination_port": { + "type": "long" + }, + "peer_session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_source_address": { + "type": "ip" + }, + "peer_source_port": { + "type": "long" + }, + "policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "protocol_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "repeat_count": { + "type": "long" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "routing_instance": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleebase_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sample_sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "secure_web_proxy_session_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id_32": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_nat_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_nat_rule_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_vrf_grp": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "temporary_filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "th": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_count": { + "type": "long" + }, + "time_period": { + "type": "long" + }, + "time_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uplink_rx_bytes": { + "type": "long" + }, + "uplink_tx_bytes": { + "type": "long" + }, + "url": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + }, + "verdict_number": { + "type": "long" + }, + "verdict_source": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/kibana.json b/salt/elasticsearch/templates/component/ecs/kibana.json new file mode 100644 index 000000000..d1ea67de7 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/kibana.json @@ -0,0 +1,75 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "kibana": { + "properties": { + "add_to_spaces": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delete_from_spaces": { + "ignore_above": 1024, + "type": "keyword" + }, + "log": { + "properties": { + "meta": { + "type": "object" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "lookup_realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "saved_object": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "space_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/log.json b/salt/elasticsearch/templates/component/ecs/log.json new file mode 100644 index 000000000..e79661b5e --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/log.json 
@@ -0,0 +1,86 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "integer" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/logstash.json b/salt/elasticsearch/templates/component/ecs/logstash.json new file mode 100644 index 000000000..ecfb17551 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/logstash.json 
@@ -0,0 +1,99 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "logstash": { + "properties": { + "log": { + "properties": { + "log_event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "pipeline_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + "event": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_params": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_params_object": { + "type": "object" + }, + "plugin_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "took_in_millis": { + "type": "long" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/microsoft.json b/salt/elasticsearch/templates/component/ecs/microsoft.json new file mode 100644 index 000000000..512b99c79 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/microsoft.json 
@@ -0,0 +1,265 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "microsoft": { + "properties": { + "defender_atp": { + "properties": { + "assignedTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "determination": { + "ignore_above": 1024, + "type": "keyword" + }, + "evidence": { + "properties": { + "aadUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "accountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "entityType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipAddress": { + "type": "ip" + }, + "userPrincipalName": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "incidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationState": { + "ignore_above": 1024, + "type": "keyword" + }, + "lastUpdateTime": { + "type": "date" + }, + "rbacGroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "resolvedTime": { + "type": "date" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "threatFamilyName": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "m365_defender": { + "properties": { + "alerts": { + "properties": { + "actorName": { + "ignore_above": 1024, + "type": "keyword" + }, + "assignedTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "creationTime": { + "type": "date" + }, + "detectionSource": { + "ignore_above": 1024, + "type": "keyword" + }, + "determination": { + "ignore_above": 1024, + "type": "keyword" + }, + "devices": { + "type": "flattened" + }, + "entities": { + "properties": { + "accountName": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "clusterBy": { + "ignore_above": 1024, + "type": "keyword" + }, + "deliveryAction": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceId": { + "ignore_above": 1024, + "type": "keyword" + }, + "entityType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "mailboxAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "mailboxDisplayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "recipient": { + "ignore_above": 1024, + "type": "keyword" + }, + "registryHive": { + "ignore_above": 1024, + "type": "keyword" + }, + "registryKey": { + "ignore_above": 1024, + "type": "keyword" + }, + "registryValueType": { + "ignore_above": 1024, + "type": "keyword" + }, + "securityGroupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "securityGroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sender": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "incidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationState": { + "ignore_above": 1024, + "type": "keyword" + }, + "lastUpdatedTime": { + "type": "date" + }, + "mitreTechniques": { + "ignore_above": 1024, + "type": "keyword" + }, + "resolvedTime": { + "type": "date" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "threatFamilyName": { + "ignore_above": 1024, + "type": "keyword" + }, + "userSid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "assignedTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "determination": { + "ignore_above": 1024, + "type": "keyword" + }, + "incidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "incidentName": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "investigationState": { + "ignore_above": 1024, + "type": "keyword" + }, + "redirectIncidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/misp.json b/salt/elasticsearch/templates/component/ecs/misp.json new file mode 100644 index 000000000..8150371ec --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/misp.json 
@@ -0,0 +1,425 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "misp": { + "properties": { + "attack_pattern": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "campaign": { + "properties": { + "aliases": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "first_seen": { + "type": "date" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "objective": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "course_of_action": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identity": { + "properties": { + "contact_information": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity_class": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sectors": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "intrusion_set": { + "properties": { + "aliases": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "first_seen": { + "type": "date" + }, + "goals": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen": { + "type": 
"date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "primary_motivation": { + "norms": false, + "type": "text" + }, + "resource_level": { + "norms": false, + "type": "text" + }, + "secondary_motivations": { + "norms": false, + "type": "text" + } + } + }, + "malware": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "note": { + "properties": { + "authors": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_refs": { + "ignore_above": 1024, + "type": "keyword" + }, + "summary": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "observed_data": { + "properties": { + "first_observed": { + "type": "date" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_observed": { + "type": "date" + }, + "number_observed": { + "type": "long" + }, + "objects": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "report": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_refs": { + "norms": false, + "type": "text" + }, + "published": { + "type": "date" + } + } + }, + "threat_actor": { + "properties": { + "aliases": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "goals": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"name": { + "ignore_above": 1024, + "type": "keyword" + }, + "personal_motivations": { + "norms": false, + "type": "text" + }, + "primary_motivation": { + "norms": false, + "type": "text" + }, + "resource_level": { + "norms": false, + "type": "text" + }, + "roles": { + "norms": false, + "type": "text" + }, + "secondary_motivations": { + "norms": false, + "type": "text" + }, + "sophistication": { + "norms": false, + "type": "text" + } + } + }, + "threat_indicator": { + "properties": { + "attack_pattern": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack_pattern_kql": { + "ignore_above": 1024, + "type": "keyword" + }, + "campaign": { + "ignore_above": 1024, + "type": "keyword" + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "norms": false, + "type": "text" + }, + "feed": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "intrusion_set": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_tactic": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_technique": { + "ignore_above": 1024, + "type": "keyword" + }, + "negate": { + "type": "boolean" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_actor": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "valid_from": { + "type": "date" + }, + "valid_until": { + "type": "date" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tool": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "norms": false, + "type": "text" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "tool_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/netflow.json b/salt/elasticsearch/templates/component/ecs/netflow.json new file mode 100644 index 000000000..10f34c3d4 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/netflow.json 
@@ -0,0 +1,1423 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "netflow": { + "properties": { + "absolute_error": { + "type": "double" + }, + "address_pool_high_threshold": { + "type": "long" + }, + "address_pool_low_threshold": { + "type": "long" + }, + "address_port_mapping_high_threshold": { + "type": "long" + }, + "address_port_mapping_low_threshold": { + "type": "long" + }, + "address_port_mapping_per_user_high_threshold": { + "type": "long" + }, + "anonymization_flags": { + "type": "long" + }, + "anonymization_technique": { + "type": "long" + }, + "application_category_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_group_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_id": { + "type": "short" + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_sub_category_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "bgp_destination_as_number": { + "type": "long" + }, + "bgp_next_adjacent_as_number": { + "type": "long" + }, + "bgp_next_hop_ipv4_address": { + "type": "ip" + }, + "bgp_next_hop_ipv6_address": { + "type": "ip" + }, + "bgp_prev_adjacent_as_number": { + "type": "long" + }, + "bgp_source_as_number": { + "type": "long" + }, + "bgp_validity_state": { + "type": "short" + }, + "biflow_direction": { + "type": "short" + }, + "class_id": { + "type": "long" + }, + "class_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification_engine_id": { + "type": "short" + }, + "collection_time_milliseconds": { + "type": "date" + }, + "collector_certificate": { + "type": "short" + }, + "collector_ipv4_address": { + "type": "ip" + }, + "collector_ipv6_address": { + "type": "ip" + }, + "collector_transport_port": { + "type": "long" + }, + 
"common_properties_id": { + "type": "long" + }, + "confidence_level": { + "type": "double" + }, + "connection_sum_duration_seconds": { + "type": "long" + }, + "connection_transaction_id": { + "type": "long" + }, + "data_link_frame_section": { + "type": "short" + }, + "data_link_frame_size": { + "type": "long" + }, + "data_link_frame_type": { + "type": "long" + }, + "data_records_reliability": { + "type": "boolean" + }, + "delta_flow_count": { + "type": "long" + }, + "destination_ipv4_address": { + "type": "ip" + }, + "destination_ipv4_prefix": { + "type": "ip" + }, + "destination_ipv4_prefix_length": { + "type": "short" + }, + "destination_ipv6_address": { + "type": "ip" + }, + "destination_ipv6_prefix": { + "type": "ip" + }, + "destination_ipv6_prefix_length": { + "type": "short" + }, + "destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_transport_port": { + "type": "long" + }, + "digest_hash_value": { + "type": "long" + }, + "distinct_count_of_destination_ip_address": { + "type": "long" + }, + "distinct_count_of_destination_ipv4_address": { + "type": "long" + }, + "distinct_count_of_destination_ipv6_address": { + "type": "long" + }, + "distinct_count_of_source_ip_address": { + "type": "long" + }, + "distinct_count_of_source_ipv4_address": { + "type": "long" + }, + "distinct_count_of_source_ipv6_address": { + "type": "long" + }, + "dot1q_customer_dei": { + "type": "boolean" + }, + "dot1q_customer_destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "dot1q_customer_priority": { + "type": "short" + }, + "dot1q_customer_source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "dot1q_customer_vlan_id": { + "type": "long" + }, + "dot1q_dei": { + "type": "boolean" + }, + "dot1q_priority": { + "type": "short" + }, + "dot1q_service_instance_id": { + "type": "long" + }, + "dot1q_service_instance_priority": { + "type": "short" + }, + "dot1q_service_instance_tag": { + "type": "short" + }, + 
"dot1q_vlan_id": { + "type": "long" + }, + "dropped_layer2_octet_delta_count": { + "type": "long" + }, + "dropped_layer2_octet_total_count": { + "type": "long" + }, + "dropped_octet_delta_count": { + "type": "long" + }, + "dropped_octet_total_count": { + "type": "long" + }, + "dropped_packet_delta_count": { + "type": "long" + }, + "dropped_packet_total_count": { + "type": "long" + }, + "dst_traffic_index": { + "type": "long" + }, + "egress_broadcast_packet_total_count": { + "type": "long" + }, + "egress_interface": { + "type": "long" + }, + "egress_interface_type": { + "type": "long" + }, + "egress_physical_interface": { + "type": "long" + }, + "egress_unicast_packet_total_count": { + "type": "long" + }, + "egress_vrfid": { + "type": "long" + }, + "encrypted_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "engine_id": { + "type": "short" + }, + "engine_type": { + "type": "short" + }, + "ethernet_header_length": { + "type": "short" + }, + "ethernet_payload_length": { + "type": "long" + }, + "ethernet_total_length": { + "type": "long" + }, + "ethernet_type": { + "type": "long" + }, + "export_interface": { + "type": "long" + }, + "export_protocol_version": { + "type": "short" + }, + "export_sctp_stream_id": { + "type": "long" + }, + "export_transport_protocol": { + "type": "short" + }, + "exported_flow_record_total_count": { + "type": "long" + }, + "exported_message_total_count": { + "type": "long" + }, + "exported_octet_total_count": { + "type": "long" + }, + "exporter": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_id": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "uptime_millis": { + "type": "long" + }, + "version": { + "type": "long" + } + } + }, + "exporter_certificate": { + "type": "short" + }, + "exporter_ipv4_address": { + "type": "ip" + }, + "exporter_ipv6_address": { + "type": "ip" + }, + "exporter_transport_port": { + "type": "long" + }, + "exporting_process_id": { + 
"type": "long" + }, + "external_address_realm": { + "type": "short" + }, + "firewall_event": { + "type": "short" + }, + "flags_and_sampler_id": { + "type": "long" + }, + "flow_active_timeout": { + "type": "long" + }, + "flow_direction": { + "type": "short" + }, + "flow_duration_microseconds": { + "type": "long" + }, + "flow_duration_milliseconds": { + "type": "long" + }, + "flow_end_delta_microseconds": { + "type": "long" + }, + "flow_end_microseconds": { + "type": "date" + }, + "flow_end_milliseconds": { + "type": "date" + }, + "flow_end_nanoseconds": { + "type": "date" + }, + "flow_end_reason": { + "type": "short" + }, + "flow_end_seconds": { + "type": "date" + }, + "flow_end_sys_up_time": { + "type": "long" + }, + "flow_id": { + "type": "long" + }, + "flow_idle_timeout": { + "type": "long" + }, + "flow_key_indicator": { + "type": "long" + }, + "flow_label_ipv6": { + "type": "long" + }, + "flow_sampling_time_interval": { + "type": "long" + }, + "flow_sampling_time_spacing": { + "type": "long" + }, + "flow_selected_flow_delta_count": { + "type": "long" + }, + "flow_selected_octet_delta_count": { + "type": "long" + }, + "flow_selected_packet_delta_count": { + "type": "long" + }, + "flow_selector_algorithm": { + "type": "long" + }, + "flow_start_delta_microseconds": { + "type": "long" + }, + "flow_start_microseconds": { + "type": "date" + }, + "flow_start_milliseconds": { + "type": "date" + }, + "flow_start_nanoseconds": { + "type": "date" + }, + "flow_start_seconds": { + "type": "date" + }, + "flow_start_sys_up_time": { + "type": "long" + }, + "forwarding_status": { + "type": "short" + }, + "fragment_flags": { + "type": "short" + }, + "fragment_identification": { + "type": "long" + }, + "fragment_offset": { + "type": "long" + }, + "global_address_mapping_high_threshold": { + "type": "long" + }, + "gre_key": { + "type": "long" + }, + "hash_digest_output": { + "type": "boolean" + }, + "hash_flow_domain": { + "type": "long" + }, + "hash_initialiser_value": { + "type": 
"long" + }, + "hash_ip_payload_offset": { + "type": "long" + }, + "hash_ip_payload_size": { + "type": "long" + }, + "hash_output_range_max": { + "type": "long" + }, + "hash_output_range_min": { + "type": "long" + }, + "hash_selected_range_max": { + "type": "long" + }, + "hash_selected_range_min": { + "type": "long" + }, + "http_content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_message_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_reason_phrase": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_target": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_status_code": { + "type": "long" + }, + "http_user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code_ipv4": { + "type": "short" + }, + "icmp_code_ipv6": { + "type": "short" + }, + "icmp_type_code_ipv4": { + "type": "long" + }, + "icmp_type_code_ipv6": { + "type": "long" + }, + "icmp_type_ipv4": { + "type": "short" + }, + "icmp_type_ipv6": { + "type": "short" + }, + "igmp_type": { + "type": "short" + }, + "ignored_data_record_total_count": { + "type": "long" + }, + "ignored_layer2_frame_total_count": { + "type": "long" + }, + "ignored_layer2_octet_total_count": { + "type": "long" + }, + "ignored_octet_total_count": { + "type": "long" + }, + "ignored_packet_total_count": { + "type": "long" + }, + "information_element_data_type": { + "type": "short" + }, + "information_element_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "information_element_id": { + "type": "long" + }, + "information_element_index": { + "type": "long" + }, + "information_element_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "information_element_range_begin": { + "type": "long" + }, + "information_element_range_end": { + "type": "long" + }, + "information_element_semantics": { 
+ "type": "short" + }, + "information_element_units": { + "type": "long" + }, + "ingress_broadcast_packet_total_count": { + "type": "long" + }, + "ingress_interface": { + "type": "long" + }, + "ingress_interface_type": { + "type": "long" + }, + "ingress_multicast_packet_total_count": { + "type": "long" + }, + "ingress_physical_interface": { + "type": "long" + }, + "ingress_unicast_packet_total_count": { + "type": "long" + }, + "ingress_vrfid": { + "type": "long" + }, + "initiator_octets": { + "type": "long" + }, + "initiator_packets": { + "type": "long" + }, + "interface_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "intermediate_process_id": { + "type": "long" + }, + "internal_address_realm": { + "type": "short" + }, + "ip_class_of_service": { + "type": "short" + }, + "ip_diff_serv_code_point": { + "type": "short" + }, + "ip_header_length": { + "type": "short" + }, + "ip_header_packet_section": { + "type": "short" + }, + "ip_next_hop_ipv4_address": { + "type": "ip" + }, + "ip_next_hop_ipv6_address": { + "type": "ip" + }, + "ip_payload_length": { + "type": "long" + }, + "ip_payload_packet_section": { + "type": "short" + }, + "ip_precedence": { + "type": "short" + }, + "ip_sec_spi": { + "type": "long" + }, + "ip_total_length": { + "type": "long" + }, + "ip_ttl": { + "type": "short" + }, + "ip_version": { + "type": "short" + }, + "ipv4_ihl": { + "type": "short" + }, + "ipv4_options": { + "type": "long" + }, + "ipv4_router_sc": { + "type": "ip" + }, + "ipv6_extension_headers": { + "type": "long" + }, + "is_multicast": { + "type": "short" + }, + "layer2_frame_delta_count": { + "type": "long" + }, + "layer2_frame_total_count": { + "type": "long" + }, + "layer2_octet_delta_count": { + "type": "long" + }, + "layer2_octet_delta_sum_of_squares": { + "type": "long" + }, + "layer2_octet_total_count": { + "type": "long" + }, + "layer2_octet_total_sum_of_squares": { + "type": "long" + }, 
+ "layer2_segment_id": { + "type": "long" + }, + "layer2packet_section_data": { + "type": "short" + }, + "layer2packet_section_offset": { + "type": "long" + }, + "layer2packet_section_size": { + "type": "long" + }, + "line_card_id": { + "type": "long" + }, + "lower_ci_limit": { + "type": "double" + }, + "max_bib_entries": { + "type": "long" + }, + "max_entries_per_user": { + "type": "long" + }, + "max_export_seconds": { + "type": "date" + }, + "max_flow_end_microseconds": { + "type": "date" + }, + "max_flow_end_milliseconds": { + "type": "date" + }, + "max_flow_end_nanoseconds": { + "type": "date" + }, + "max_flow_end_seconds": { + "type": "date" + }, + "max_fragments_pending_reassembly": { + "type": "long" + }, + "max_session_entries": { + "type": "long" + }, + "max_subscribers": { + "type": "long" + }, + "maximum_ip_total_length": { + "type": "long" + }, + "maximum_layer2_total_length": { + "type": "long" + }, + "maximum_ttl": { + "type": "short" + }, + "message_md5_checksum": { + "type": "short" + }, + "message_scope": { + "type": "short" + }, + "metering_process_id": { + "type": "long" + }, + "metro_evc_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "metro_evc_type": { + "type": "short" + }, + "mib_capture_time_semantics": { + "type": "short" + }, + "mib_context_engine_id": { + "type": "short" + }, + "mib_context_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_index_indicator": { + "type": "long" + }, + "mib_module_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_identifier": { + "type": "short" + }, + "mib_object_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_syntax": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_value_bits": { + "type": "short" + }, + "mib_object_value_counter": { + "type": "long" + }, + "mib_object_value_gauge": { + "type": "long" + }, + "mib_object_value_integer": { + 
"type": "long" + }, + "mib_object_value_ip_address": { + "type": "ip" + }, + "mib_object_value_octet_string": { + "type": "short" + }, + "mib_object_value_oid": { + "type": "short" + }, + "mib_object_value_time_ticks": { + "type": "long" + }, + "mib_object_value_unsigned": { + "type": "long" + }, + "mib_sub_identifier": { + "type": "long" + }, + "min_export_seconds": { + "type": "date" + }, + "min_flow_start_microseconds": { + "type": "date" + }, + "min_flow_start_milliseconds": { + "type": "date" + }, + "min_flow_start_nanoseconds": { + "type": "date" + }, + "min_flow_start_seconds": { + "type": "date" + }, + "minimum_ip_total_length": { + "type": "long" + }, + "minimum_layer2_total_length": { + "type": "long" + }, + "minimum_ttl": { + "type": "short" + }, + "mobile_imsi": { + "ignore_above": 1024, + "type": "keyword" + }, + "mobile_msisdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitoring_interval_end_milli_seconds": { + "type": "date" + }, + "monitoring_interval_start_milli_seconds": { + "type": "date" + }, + "mpls_label_stack_depth": { + "type": "long" + }, + "mpls_label_stack_length": { + "type": "long" + }, + "mpls_label_stack_section": { + "type": "short" + }, + "mpls_label_stack_section10": { + "type": "short" + }, + "mpls_label_stack_section2": { + "type": "short" + }, + "mpls_label_stack_section3": { + "type": "short" + }, + "mpls_label_stack_section4": { + "type": "short" + }, + "mpls_label_stack_section5": { + "type": "short" + }, + "mpls_label_stack_section6": { + "type": "short" + }, + "mpls_label_stack_section7": { + "type": "short" + }, + "mpls_label_stack_section8": { + "type": "short" + }, + "mpls_label_stack_section9": { + "type": "short" + }, + "mpls_payload_length": { + "type": "long" + }, + "mpls_payload_packet_section": { + "type": "short" + }, + "mpls_top_label_exp": { + "type": "short" + }, + "mpls_top_label_ipv4_address": { + "type": "ip" + }, + "mpls_top_label_ipv6_address": { + "type": "ip" + }, + 
"mpls_top_label_prefix_length": { + "type": "short" + }, + "mpls_top_label_stack_section": { + "type": "short" + }, + "mpls_top_label_ttl": { + "type": "short" + }, + "mpls_top_label_type": { + "type": "short" + }, + "mpls_vpn_route_distinguisher": { + "type": "short" + }, + "multicast_replication_factor": { + "type": "long" + }, + "nat_event": { + "type": "short" + }, + "nat_instance_id": { + "type": "long" + }, + "nat_originating_address_realm": { + "type": "short" + }, + "nat_pool_id": { + "type": "long" + }, + "nat_pool_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_quota_exceeded_event": { + "type": "long" + }, + "nat_threshold_event": { + "type": "long" + }, + "nat_type": { + "type": "short" + }, + "new_connection_delta_count": { + "type": "long" + }, + "next_header_ipv6": { + "type": "short" + }, + "not_sent_flow_total_count": { + "type": "long" + }, + "not_sent_layer2_octet_total_count": { + "type": "long" + }, + "not_sent_octet_total_count": { + "type": "long" + }, + "not_sent_packet_total_count": { + "type": "long" + }, + "observation_domain_id": { + "type": "long" + }, + "observation_domain_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observation_point_id": { + "type": "long" + }, + "observation_point_type": { + "type": "short" + }, + "observation_time_microseconds": { + "type": "date" + }, + "observation_time_milliseconds": { + "type": "date" + }, + "observation_time_nanoseconds": { + "type": "date" + }, + "observation_time_seconds": { + "type": "date" + }, + "observed_flow_total_count": { + "type": "long" + }, + "octet_delta_count": { + "type": "long" + }, + "octet_delta_sum_of_squares": { + "type": "long" + }, + "octet_total_count": { + "type": "long" + }, + "octet_total_sum_of_squares": { + "type": "long" + }, + "opaque_octets": { + "type": "short" + }, + "original_exporter_ipv4_address": { + "type": "ip" + }, + "original_exporter_ipv6_address": { + "type": "ip" + }, + "original_flows_completed": { + "type": "long" + 
}, + "original_flows_initiated": { + "type": "long" + }, + "original_flows_present": { + "type": "long" + }, + "original_observation_domain_id": { + "type": "long" + }, + "p2p_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_delta_count": { + "type": "long" + }, + "packet_total_count": { + "type": "long" + }, + "padding_octets": { + "type": "short" + }, + "payload_length_ipv6": { + "type": "long" + }, + "port_id": { + "type": "long" + }, + "port_range_end": { + "type": "long" + }, + "port_range_num_ports": { + "type": "long" + }, + "port_range_start": { + "type": "long" + }, + "port_range_step_size": { + "type": "long" + }, + "post_destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "post_dot1q_customer_vlan_id": { + "type": "long" + }, + "post_dot1q_vlan_id": { + "type": "long" + }, + "post_ip_class_of_service": { + "type": "short" + }, + "post_ip_diff_serv_code_point": { + "type": "short" + }, + "post_ip_precedence": { + "type": "short" + }, + "post_layer2_octet_delta_count": { + "type": "long" + }, + "post_layer2_octet_total_count": { + "type": "long" + }, + "post_mcast_layer2_octet_delta_count": { + "type": "long" + }, + "post_mcast_layer2_octet_total_count": { + "type": "long" + }, + "post_mcast_octet_delta_count": { + "type": "long" + }, + "post_mcast_octet_total_count": { + "type": "long" + }, + "post_mcast_packet_delta_count": { + "type": "long" + }, + "post_mcast_packet_total_count": { + "type": "long" + }, + "post_mpls_top_label_exp": { + "type": "short" + }, + "post_napt_destination_transport_port": { + "type": "long" + }, + "post_napt_source_transport_port": { + "type": "long" + }, + "post_nat_destination_ipv4_address": { + "type": "ip" + }, + "post_nat_destination_ipv6_address": { + "type": "ip" + }, + "post_nat_source_ipv4_address": { + "type": "ip" + }, + "post_nat_source_ipv6_address": { + "type": "ip" + }, + "post_octet_delta_count": { + "type": "long" + }, + "post_octet_total_count": { + "type": 
"long" + }, + "post_packet_delta_count": { + "type": "long" + }, + "post_packet_total_count": { + "type": "long" + }, + "post_source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "post_vlan_id": { + "type": "long" + }, + "private_enterprise_number": { + "type": "long" + }, + "protocol_identifier": { + "type": "short" + }, + "pseudo_wire_control_word": { + "type": "long" + }, + "pseudo_wire_destination_ipv4_address": { + "type": "ip" + }, + "pseudo_wire_id": { + "type": "long" + }, + "pseudo_wire_type": { + "type": "long" + }, + "relative_error": { + "type": "double" + }, + "responder_octets": { + "type": "long" + }, + "responder_packets": { + "type": "long" + }, + "rfc3550_jitter_microseconds": { + "type": "long" + }, + "rfc3550_jitter_milliseconds": { + "type": "long" + }, + "rfc3550_jitter_nanoseconds": { + "type": "long" + }, + "rtp_sequence_number": { + "type": "long" + }, + "sampler_id": { + "type": "short" + }, + "sampler_mode": { + "type": "short" + }, + "sampler_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sampler_random_interval": { + "type": "long" + }, + "sampling_algorithm": { + "type": "short" + }, + "sampling_flow_interval": { + "type": "long" + }, + "sampling_flow_spacing": { + "type": "long" + }, + "sampling_interval": { + "type": "long" + }, + "sampling_packet_interval": { + "type": "long" + }, + "sampling_packet_space": { + "type": "long" + }, + "sampling_population": { + "type": "long" + }, + "sampling_probability": { + "type": "double" + }, + "sampling_size": { + "type": "long" + }, + "sampling_time_interval": { + "type": "long" + }, + "sampling_time_space": { + "type": "long" + }, + "section_exported_octets": { + "type": "long" + }, + "section_offset": { + "type": "long" + }, + "selection_sequence_id": { + "type": "long" + }, + "selector_algorithm": { + "type": "long" + }, + "selector_id": { + "type": "long" + }, + "selector_id_total_flows_observed": { + "type": "long" + }, + 
"selector_id_total_flows_selected": { + "type": "long" + }, + "selector_id_total_pkts_observed": { + "type": "long" + }, + "selector_id_total_pkts_selected": { + "type": "long" + }, + "selector_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_scope": { + "type": "short" + }, + "source_ipv4_address": { + "type": "ip" + }, + "source_ipv4_prefix": { + "type": "ip" + }, + "source_ipv4_prefix_length": { + "type": "short" + }, + "source_ipv6_address": { + "type": "ip" + }, + "source_ipv6_prefix": { + "type": "ip" + }, + "source_ipv6_prefix_length": { + "type": "short" + }, + "source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_transport_port": { + "type": "long" + }, + "source_transport_ports_limit": { + "type": "long" + }, + "src_traffic_index": { + "type": "long" + }, + "sta_ipv4_address": { + "type": "ip" + }, + "sta_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "system_init_time_milliseconds": { + "type": "date" + }, + "tcp_ack_total_count": { + "type": "long" + }, + "tcp_acknowledgement_number": { + "type": "long" + }, + "tcp_control_bits": { + "type": "long" + }, + "tcp_destination_port": { + "type": "long" + }, + "tcp_fin_total_count": { + "type": "long" + }, + "tcp_header_length": { + "type": "short" + }, + "tcp_options": { + "type": "long" + }, + "tcp_psh_total_count": { + "type": "long" + }, + "tcp_rst_total_count": { + "type": "long" + }, + "tcp_sequence_number": { + "type": "long" + }, + "tcp_source_port": { + "type": "long" + }, + "tcp_syn_total_count": { + "type": "long" + }, + "tcp_urg_total_count": { + "type": "long" + }, + "tcp_urgent_pointer": { + "type": "long" + }, + "tcp_window_scale": { + "type": "long" + }, + "tcp_window_size": { + "type": "long" + }, + "template_id": { + "type": "long" + }, + "total_length_ipv4": { + "type": "long" + }, + "transport_octet_delta_count": { + "type": "long" + }, + "transport_packet_delta_count": { + "type": "long" + }, + "tunnel_technology": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "udp_destination_port": { + "type": "long" + }, + "udp_message_length": { + "type": "long" + }, + "udp_source_port": { + "type": "long" + }, + "upper_ci_limit": { + "type": "double" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "value_distribution_method": { + "type": "short" + }, + "virtual_station_interface_id": { + "type": "short" + }, + "virtual_station_interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_station_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_station_uuid": { + "type": "short" + }, + "vlan_id": { + "type": "long" + }, + "vpn_identifier": { + "type": "short" + }, + "vr_fname": { + "ignore_above": 1024, + "type": "keyword" + }, + "wlan_channel_id": { + "type": "short" + }, + "wlan_ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "wtp_mac_address": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/network.json b/salt/elasticsearch/templates/component/ecs/network.json new file mode 100644 index 000000000..c2e35efd0 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/network.json 
@@ -0,0 +1,86 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/o365.json b/salt/elasticsearch/templates/component/ecs/o365.json new file mode 100644 index 000000000..d1bdb29b1 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/o365.json 
@@ -0,0 +1,445 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "o365": { + "properties": { + "audit": { + "properties": { + "AADGroupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorContextId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorIpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorYammerUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AlertEntityId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AlertId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AlertType": { + "ignore_above": 1024, + "type": "keyword" + }, + "AppId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ApplicationDisplayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ApplicationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AzureActiveDirectoryEventType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Category": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientAppId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientIP": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientIPAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientInfoString": { + "ignore_above": 1024, + "type": "keyword" + }, + "Comments": { + "norms": false, + "type": "text" + }, + "CommunicationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorrelationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "CustomUniqueId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Data": { + "ignore_above": 1024, + "type": "keyword" + }, + "DataType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DoNotDistributeEvent": { + "type": "boolean" + }, + "EntityType": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ErrorNumber": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventData": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventSource": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExceptionInfo": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ExchangeMetaData": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ExtendedProperties": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ExternalAccess": { + "ignore_above": 1024, + "type": "keyword" + }, + "FromApp": { + "type": "boolean" + }, + "GroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImplicitShare": { + "ignore_above": 1024, + "type": "keyword" + }, + "IncidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "InterSystemsId": { + "ignore_above": 1024, + "type": "keyword" + }, + "InternalLogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntraSystemId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IsDocLib": { + "type": "boolean" + }, + "Item": { + "properties": { + "*": { + "properties": { + "*": { + "type": "object" + } + }, + "type": "object" + } + } + }, + "ItemCount": { + "type": "long" + }, + "ItemName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ItemType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListBaseTemplateType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListBaseType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListColor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListIcon": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListItemUniqueId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListTitle": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonError": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "LogonUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxOwnerMasterAccountSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxOwnerSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxOwnerUPN": { + "ignore_above": 1024, + "type": "keyword" + }, + "Members": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ModifiedProperties": { + "properties": { + "*": { + "properties": { + "*": { + "type": "object" + } + } + } + } + }, + "Name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "OrganizationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OrganizationName": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginatingServer": { + "ignore_above": 1024, + "type": "keyword" + }, + "Parameters": { + "properties": { + "*": { + "type": "object" + } + } + }, + "PolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "RecordType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ResultStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "SensitiveInfoDetectionIsIncluded": { + "ignore_above": 1024, + "type": "keyword" + }, + "SessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "SharePointMetaData": { + "properties": { + "*": { + "type": "object" + } + } + }, + "Site": { + "ignore_above": 1024, + "type": "keyword" + }, + "SiteUrl": { + "ignore_above": 1024, + "type": "keyword" + }, + "Source": { + "ignore_above": 1024, + "type": "keyword" + }, + "SourceFileExtension": { + "ignore_above": 1024, + "type": "keyword" + }, + "SourceFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SourceRelativeUrl": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "SupportTicketId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetContextId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserOrGroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserOrGroupType": { + "ignore_above": 1024, + "type": "keyword" + }, + "TeamGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "TeamName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TemplateTypeId": { + "ignore_above": 1024, + "type": "keyword" + }, + "UniqueSharingId": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserAgent": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserKey": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "WebId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workload": { + "ignore_above": 1024, + "type": "keyword" + }, + "YammerNetworkId": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/observer.json b/salt/elasticsearch/templates/component/ecs/observer.json new file mode 100644 index 000000000..ecd3b1155 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/observer.json 
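Review bot: The `"*"` entries under `ExceptionInfo`, `ExchangeMetaData`, `ExtendedProperties`, `Parameters`, `Members`, `ModifiedProperties`, `SharePointMetaData` and `Item` are literal field names in an Elasticsearch mapping, not globs, so whatever keys actually arrive under those objects will still be mapped dynamically (unless `dynamic` is switched off in another component of the composed template); on audit records whose sub-keys vary per workload and operation that grows the mapping of every index and can eventually hit the total-fields limit. The okta template added in this same change uses `"target": { "type": "flattened" }` for its equivalent free-form object, and the same pattern fits here, e.g. `"ExtendedProperties": { "type": "flattened" }` in place of the `properties`/`"*"` block. Separately, `ActorIpAddress`, `ClientIP` and `ClientIPAddress` are `keyword`, which rules out CIDR and range queries on them; if the ingest pipeline does not also copy these into `source.ip`/`client.ip`, an `ip` multi-field with `ignore_malformed` is worth considering, since I believe some O365 workloads emit these with a `:port` suffix that a bare `ip` field would reject.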
@@ -0,0 +1,214 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + 
"ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/okta.json b/salt/elasticsearch/templates/component/ecs/okta.json new file mode 100644 index 000000000..dcfaab1c2 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/okta.json 
@@ -0,0 +1,293 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "okta": { + "properties": { + "actor": { + "properties": { + "alternate_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "authentication_context": { + "properties": { + "authentication_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_step": { + "type": "long" + }, + "credential_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "credential_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "external_session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user_agent": { + "properties": { + "browser": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_user_agent": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "debug_context": { + "properties": { + "debug_data": { + "properties": { + "device_fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "suspicious_activity": { + "properties": { + "browser": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_city": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_country": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_ip": { + "type": "ip" + }, + "event_latitude": { + "type": "float" + }, + "event_longitude": { + "type": "float" + }, + "event_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_transaction_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + } + } + }, + "threat_suspected": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "display_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "outcome": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "ip_chain": { + "properties": { + "geographical_context": { + "properties": { + "city": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "geolocation": { + "type": "geo_point" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "security_context": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_proxy": { + "type": "boolean" + }, + "isp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "target": { + "type": "flattened" + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/orchestrator.json b/salt/elasticsearch/templates/component/ecs/orchestrator.json new file mode 100644 index 000000000..87f2af201 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/orchestrator.json @@ -0,0 +1,60 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/organization.json b/salt/elasticsearch/templates/component/ecs/organization.json new file mode 100644 index 000000000..b0ea050fa --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/organization.json 
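Review bot: `okta.request.ip_chain` is mapped as a plain object with `ip`, `source`, `version` and `geographical_context` children; if the events carry `ipChain` as an array of hops (which is how I recall the Okta System Log shaping it), object mapping flattens every hop into parallel arrays, so a query such as `ip_chain.ip:X AND ip_chain.source:Proxy` can match across two different hops. If per-hop correlation matters for detections, `"ip_chain": { "type": "nested", "properties": { ... } }` preserves it at the cost of nested-query syntax in Kibana; otherwise a short `_meta` note documenting the limitation would save the next analyst a surprise. Also, `debug_data.url`, `request_uri` and `client.user_agent.raw_user_agent` carry `ignore_above: 1024`, so values longer than that stay in `_source` but are not indexed and will not match a keyword search — consistent with the ECS default, but for attacker-controlled fields it should be a conscious choice rather than an inherited one.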
@@ -0,0 +1,29 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/package.json b/salt/elasticsearch/templates/component/ecs/package.json new file mode 100644 index 000000000..b726f8f7f --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/package.json @@ -0,0 +1,66 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/process.json b/salt/elasticsearch/templates/component/ecs/process.json new file mode 100644 index 000000000..a95fe6bba --- /dev/null 
+++ b/salt/elasticsearch/templates/component/ecs/process.json 
@@ -0,0 +1,612 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/redis.json b/salt/elasticsearch/templates/component/ecs/redis.json new file mode 100644 index 000000000..925f55c62 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/redis.json @@ -0,0 +1,50 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "redis": { + "properties": { + "log": { + "properties": { + "role": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "properties": { + "us": { + "type": "long" + } + } + }, + "id": { + "type": "long" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} 
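Review bot: The `_meta.documentation` of redis.json points at `https://www.elastic.co/guide/en/ecs/current/ecs-base.html`, but the `redis.log` and `redis.slowlog` fields it maps are not ECS base fields, so the link documents nothing about this mapping; snyk.json and sophos.json carry the same link for their non-ECS `snyk.*` and `sophos.xg.*` field sets. If no upstream field reference exists for these sets, a short note in `_meta` naming where the field list came from would be more useful to the next maintainer than the generic ECS link. These three files also end with a trailing newline while the ECS-generated templates beside them do not, which suggests they were produced by a different route and should be re-checked against that source whenever `ecs_version` is bumped.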
diff --git a/salt/elasticsearch/templates/component/ecs/registry.json b/salt/elasticsearch/templates/component/ecs/registry.json new file mode 100644 index 000000000..7cfa34ad6 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/registry.json @@ -0,0 +1,47 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/related.json b/salt/elasticsearch/templates/component/ecs/related.json new file mode 100644 index 000000000..1af1593c8 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/related.json @@ -0,0 +1,31 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/rule.json b/salt/elasticsearch/templates/component/ecs/rule.json new file mode 100644 index 000000000..400c64f6d --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/rule.json 
@@ -0,0 +1,56 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/server.json b/salt/elasticsearch/templates/component/ecs/server.json new file mode 100644 index 000000000..a7587e954 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/server.json 
@@ -0,0 +1,187 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 
1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/service.json b/salt/elasticsearch/templates/component/ecs/service.json new file mode 100644 index 000000000..2fbdad6d4 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/service.json @@ -0,0 +1,56 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/salt/elasticsearch/templates/component/ecs/snyk.json b/salt/elasticsearch/templates/component/ecs/snyk.json new file mode 100644 index 000000000..c0c583e5f --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/snyk.json 
@@ -0,0 +1,149 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "snyk": { + "properties": { + "audit": { + "properties": { + "content": { + "type": "flattened" + }, + "org_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "project_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "projects": { + "type": "flattened" + }, + "related": { + "properties": { + "projects": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerabilities": { + "properties": { + "credit": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss3": { + "ignore_above": 1024, + "type": "keyword" + }, + "disclosure_time": { + "type": "date" + }, + "exploit_maturity": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifiers": { + "properties": { + "alternative": { + "ignore_above": 1024, + "type": "keyword" + }, + "cwe": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "introduced_date": { + "type": "date" + }, + "is_fixed": { + "type": "boolean" + }, + "is_ignored": { + "type": "boolean" + }, + "is_patchable": { + "type": "boolean" + }, + "is_patched": { + "type": "boolean" + }, + "is_pinnable": { + "type": "boolean" + }, + "is_upgradable": { + "type": "boolean" + }, + "jira_issue_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_severity": { + "type": "long" + }, + "package": { + "ignore_above": 1024, + "type": "keyword" + }, + "package_manager": { + "ignore_above": 1024, + "type": "keyword" + }, + "patches": { + "type": "flattened" + }, + "priority_score": { + "type": "long" + }, + "publication_time": { + "type": "date" + }, + "reachability": { + "ignore_above": 1024, + "type": "keyword" + }, + "semver": { + "type": "flattened" + }, + "title": { + "ignore_above": 
1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "unique_severities_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/sophos.json b/salt/elasticsearch/templates/component/ecs/sophos.json new file mode 100644 index 000000000..a5606f962 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/sophos.json 
@@ -0,0 +1,722 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "sophos": { + "properties": { + "xg": { + "properties": { + "Configuration": { + "type": "float" + }, + "Mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "PHPSESSID": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reports": { + "type": "float" + }, + "Signature": { + "type": "float" + }, + "SysLog_SERVER_NAME": { + "ignore_above": 1024, + "type": "keyword" + }, + "Temp": { + "type": "float" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "activityname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ap": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_is_cloud": { + "ignore_above": 1024, + "type": "keyword" + }, + "appfilter_policy_id": { + "type": "long" + }, + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_filter_policy": { + "type": "long" + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "appresolvedby": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_client": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_mechanism": { + "ignore_above": 1024, + "type": "keyword" + }, + "av_policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "backup_mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "branch_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "category_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_host_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "client_physical_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "clients_conn_ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "collisions": { + "type": "long" + }, + "con_id": { + "type": "long" + }, + "conn_id": { + "type": "long" + }, + "connectionname": { + "ignore_above": 1024, + "type": "keyword" + }, + "connectiontype": { + "ignore_above": 1024, + "type": "keyword" + }, + "connevent": { + "ignore_above": 1024, + "type": "keyword" + }, + "connid": { + "ignore_above": 1024, + "type": "keyword" + }, + "contenttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_match": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_prefix": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_suffix": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "type": "date" + }, + "destinationip": { + "type": "ip" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dictionary_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dir_disp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainname": { + "ignore_above": 1024, + "type": "keyword" + }, + "download_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "download_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_country_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_domainname": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_ip": { + "type": "ip" + }, + "dst_port": { + "type": "long" + }, + "dstdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstzone": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstzonetype": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "email_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "ep_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "eventid": { + "ignore_above": 1024, + "type": "keyword" + }, + "eventtime": { + "type": "date" + }, + "eventtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "exceptions": { + "ignore_above": 1024, + "type": "keyword" + }, + "execution_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "extra": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_size": { + "type": "long" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "filepath": { + "ignore_above": 1024, + "type": "keyword" + }, + "filesize": { + "type": "long" + }, + "free": { + "type": "long" + }, + "from_email_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftp_direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftp_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftpcommand": { + "ignore_above": 1024, + "type": "keyword" + }, + "fw_rule_id": { + "type": "long" + }, + "hb_health": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "httpresponsecode": { + "type": "long" + }, + "iap": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "idle_cpu": { + "type": "float" + }, + "idp_policy_id": { + "type": "long" + }, + "idp_policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "in_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipaddress": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"ips_policy_id": { + "type": "long" + }, + "localgateway": { + "ignore_above": 1024, + "type": "keyword" + }, + "localnetwork": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_component": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "login_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "mailid": { + "ignore_above": 1024, + "type": "keyword" + }, + "mailsize": { + "type": "long" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "newversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "out_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "override_authorizer": { + "ignore_above": 1024, + "type": "keyword" + }, + "override_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "override_token": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "quarantine": { + "ignore_above": 1024, + "type": "keyword" + }, + "quarantine_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "querystring": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "received_pkts": { + "type": "long" + }, + "receiveddrops": { + "type": "long" + }, + "receivederrors": { + "ignore_above": 1024, + "type": "keyword" + }, + "receivedkbits": { + "type": "long" + }, + "recv_bytes": { + "type": "long" 
+ }, + "red_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "referer": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "remotenetwork": { + "ignore_above": 1024, + "type": "keyword" + }, + "responsetime": { + "type": "long" + }, + "rule_priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "sent_bytes": { + "type": "long" + }, + "sent_pkts": { + "type": "long" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "sessionid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1sum": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "site_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceip": { + "type": "ip" + }, + "spamaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "sqli": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_country_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_domainname": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_ip": { + "type": "ip" + }, + "src_mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_port": { + "type": "long" + }, + "srczone": { + "ignore_above": 1024, + "type": "keyword" + }, + "srczonetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "start_time": { + "type": "date" + }, + "starttime": { + "type": "date" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "system_cpu": { + "type": "float" + }, + "target": { + "ignore_above": 1024, + "type": "keyword" + }, + "threatname": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + 
"type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "to_email_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_memory": { + "type": "long" + }, + "trans_dst_ip": { + "type": "ip" + }, + "trans_dst_port": { + "type": "long" + }, + "trans_src_ip": { + "type": "ip" + }, + "trans_src_port": { + "type": "long" + }, + "transaction_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "transactionid": { + "ignore_above": 1024, + "type": "keyword" + }, + "transmitteddrops": { + "type": "long" + }, + "transmittederrors": { + "ignore_above": 1024, + "type": "keyword" + }, + "transmittedkbits": { + "type": "long" + }, + "unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "updatedip": { + "type": "ip" + }, + "upload_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "upload_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "used": { + "type": "long" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_cpu": { + "type": "float" + }, + "user_gp": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "users": { + "ignore_above": 1024, + "type": "keyword" + }, + "vconn_id": { + "type": "long" + }, + "virus": { + "ignore_above": 1024, + "type": "keyword" + }, + "website": { + "ignore_above": 1024, + "type": "keyword" + }, + "xss": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/source.json b/salt/elasticsearch/templates/component/ecs/source.json new file mode 100644 index 000000000..9408e0133 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/source.json 
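Review bot: `sophos.xg.PHPSESSID`, `sophos.xg.cookie`, `sophos.xg.sessionid` and `sophos.xg.override_token` are mapped as searchable `keyword` fields, and their names suggest they may carry live session material from the Sophos XG logs. If the ingest pipeline does not drop or redact these values before indexing, anyone with read access to the index can retrieve them, so it is worth confirming what the pipeline does and recording that decision in `_meta` of this template. The mapping itself is fine if the values are already scrubbed upstream; the point is that nothing in this file or the hunk says so.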
@@ -0,0 +1,187 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 
1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/suricata.json b/salt/elasticsearch/templates/component/ecs/suricata.json new file mode 100644 index 000000000..d824294e9 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/suricata.json 
@@ -0,0 +1,850 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "suricata": { + "properties": { + "eve": { + "properties": { + "alert": { + "properties": { + "affected_product": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack_target": { + "ignore_above": 1024, + "type": "keyword" + }, + "capec_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + "cve": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v2_base": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v2_temporal": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v3_base": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v3_temporal": { + "ignore_above": 1024, + "type": "keyword" + }, + "cwe_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "deployment": { + "ignore_above": 1024, + "type": "keyword" + }, + "former_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "type": "long" + }, + "hostile": { + "ignore_above": 1024, + "type": "keyword" + }, + "infected": { + "ignore_above": 1024, + "type": "keyword" + }, + "malware": { + "ignore_above": 1024, + "type": "keyword" + }, + "metadata": { + "type": "flattened" + }, + "mitre_tool_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "performance_impact": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocols": { + "ignore_above": 1024, + "type": "keyword" + }, + "rev": { + "type": "long" + }, + "rule_source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sid": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"signature_id": { + "type": "long" + }, + "signature_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "updated_at": { + "type": "date" + } + } + }, + "app_proto_expected": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_orig": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_tc": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_ts": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns": { + "properties": { + "id": { + "type": "long" + }, + "rcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "rrname": { + "ignore_above": 1024, + "type": "keyword" + }, + "rrtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "tx_id": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileinfo": { + "properties": { + "gaps": { + "type": "boolean" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "stored": { + "type": "boolean" + }, + "tx_id": { + "type": "long" + } + } + }, + "flow": { + "properties": { + "age": { + "type": "long" + }, + "alerted": { + "type": "boolean" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flow_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "http": { + "properties": { + "http_content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"redirect": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "icmp_code": { + "type": "long" + }, + "icmp_type": { + "type": "long" + }, + "in_iface": { + "ignore_above": 1024, + "type": "keyword" + }, + "pcap_cnt": { + "type": "long" + }, + "smtp": { + "properties": { + "helo": { + "ignore_above": 1024, + "type": "keyword" + }, + "mail_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcpt_to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ssh": { + "properties": { + "client": { + "properties": { + "proto_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "proto_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "stats": { + "properties": { + "app_layer": { + "properties": { + "flow": { + "properties": { + "dcerpc_tcp": { + "type": "long" + }, + "dcerpc_udp": { + "type": "long" + }, + "dns_tcp": { + "type": "long" + }, + "dns_udp": { + "type": "long" + }, + "failed_tcp": { + "type": "long" + }, + "failed_udp": { + "type": "long" + }, + "ftp": { + "type": "long" + }, + "http": { + "type": "long" + }, + "imap": { + "type": "long" + }, + "msn": { + "type": "long" + }, + "smb": { + "type": "long" + }, + "smtp": { + "type": "long" + }, + "ssh": { + "type": "long" + }, + "tls": { + "type": "long" + } + } + }, + "tx": { + "properties": { + "dcerpc_tcp": { + "type": "long" + }, + "dcerpc_udp": { + "type": "long" + }, + "dns_tcp": { + "type": "long" + }, + "dns_udp": { + "type": "long" + }, + "ftp": { + "type": "long" + }, + "http": { + "type": "long" + }, + "smb": { + "type": "long" + }, + "smtp": { + "type": "long" + }, + "ssh": { + "type": "long" + }, + "tls": { + "type": "long" + } + } + } + } + }, + "capture": { + "properties": { + "kernel_drops": { + "type": "long" + }, + "kernel_ifdrops": { + "type": 
"long" + }, + "kernel_packets": { + "type": "long" + } + } + }, + "decoder": { + "properties": { + "avg_pkt_size": { + "type": "long" + }, + "bytes": { + "type": "long" + }, + "dce": { + "properties": { + "pkt_too_small": { + "type": "long" + } + } + }, + "erspan": { + "type": "long" + }, + "ethernet": { + "type": "long" + }, + "gre": { + "type": "long" + }, + "icmpv4": { + "type": "long" + }, + "icmpv6": { + "type": "long" + }, + "ieee8021ah": { + "type": "long" + }, + "invalid": { + "type": "long" + }, + "ipraw": { + "properties": { + "invalid_ip_version": { + "type": "long" + } + } + }, + "ipv4": { + "type": "long" + }, + "ipv4_in_ipv6": { + "type": "long" + }, + "ipv6": { + "type": "long" + }, + "ipv6_in_ipv6": { + "type": "long" + }, + "ltnull": { + "properties": { + "pkt_too_small": { + "type": "long" + }, + "unsupported_type": { + "type": "long" + } + } + }, + "max_pkt_size": { + "type": "long" + }, + "mpls": { + "type": "long" + }, + "null": { + "type": "long" + }, + "pkts": { + "type": "long" + }, + "ppp": { + "type": "long" + }, + "pppoe": { + "type": "long" + }, + "raw": { + "type": "long" + }, + "sctp": { + "type": "long" + }, + "sll": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "teredo": { + "type": "long" + }, + "udp": { + "type": "long" + }, + "vlan": { + "type": "long" + }, + "vlan_qinq": { + "type": "long" + } + } + }, + "defrag": { + "properties": { + "ipv4": { + "properties": { + "fragments": { + "type": "long" + }, + "reassembled": { + "type": "long" + }, + "timeouts": { + "type": "long" + } + } + }, + "ipv6": { + "properties": { + "fragments": { + "type": "long" + }, + "reassembled": { + "type": "long" + }, + "timeouts": { + "type": "long" + } + } + }, + "max_frag_hits": { + "type": "long" + } + } + }, + "detect": { + "properties": { + "alert": { + "type": "long" + } + } + }, + "dns": { + "properties": { + "memcap_global": { + "type": "long" + }, + "memcap_state": { + "type": "long" + }, + "memuse": { + "type": "long" + } + } + 
}, + "file_store": { + "properties": { + "open_files": { + "type": "long" + } + } + }, + "flow": { + "properties": { + "emerg_mode_entered": { + "type": "long" + }, + "emerg_mode_over": { + "type": "long" + }, + "icmpv4": { + "type": "long" + }, + "icmpv6": { + "type": "long" + }, + "memcap": { + "type": "long" + }, + "memuse": { + "type": "long" + }, + "spare": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "tcp_reuse": { + "type": "long" + }, + "udp": { + "type": "long" + } + } + }, + "flow_mgr": { + "properties": { + "bypassed_pruned": { + "type": "long" + }, + "closed_pruned": { + "type": "long" + }, + "est_pruned": { + "type": "long" + }, + "flows_checked": { + "type": "long" + }, + "flows_notimeout": { + "type": "long" + }, + "flows_removed": { + "type": "long" + }, + "flows_timeout": { + "type": "long" + }, + "flows_timeout_inuse": { + "type": "long" + }, + "new_pruned": { + "type": "long" + }, + "rows_busy": { + "type": "long" + }, + "rows_checked": { + "type": "long" + }, + "rows_empty": { + "type": "long" + }, + "rows_maxlen": { + "type": "long" + }, + "rows_skipped": { + "type": "long" + } + } + }, + "http": { + "properties": { + "memcap": { + "type": "long" + }, + "memuse": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "insert_data_normal_fail": { + "type": "long" + }, + "insert_data_overlap_fail": { + "type": "long" + }, + "insert_list_fail": { + "type": "long" + }, + "invalid_checksum": { + "type": "long" + }, + "memuse": { + "type": "long" + }, + "no_flow": { + "type": "long" + }, + "overlap": { + "type": "long" + }, + "overlap_diff_data": { + "type": "long" + }, + "pseudo": { + "type": "long" + }, + "pseudo_failed": { + "type": "long" + }, + "reassembly_gap": { + "type": "long" + }, + "reassembly_memuse": { + "type": "long" + }, + "rst": { + "type": "long" + }, + "segment_memcap_drop": { + "type": "long" + }, + "sessions": { + "type": "long" + }, + "ssn_memcap_drop": { + "type": "long" + }, + "stream_depth_reached": { + 
"type": "long" + }, + "syn": { + "type": "long" + }, + "synack": { + "type": "long" + } + } + }, + "uptime": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "ack": { + "type": "boolean" + }, + "fin": { + "type": "boolean" + }, + "psh": { + "type": "boolean" + }, + "rst": { + "type": "boolean" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "syn": { + "type": "boolean" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_tc": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_ts": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tls": { + "properties": { + "fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuerdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ja3s": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "notafter": { + "type": "date" + }, + "notbefore": { + "type": "date" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_resumed": { + "type": "boolean" + }, + "sni": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tx_id": { + "type": "long" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/syslog.json b/salt/elasticsearch/templates/component/ecs/syslog.json new file mode 100644 index 000000000..c886589e9 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/syslog.json 
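Review bot: `suricata.eve.http.redirect` is mapped as `keyword` with `ignore_above: 1024`, so a Location value longer than 1024 characters is kept in `_source` but never indexed and will not match a search, whereas the `threat.indicator.url.full` and `url.original` fields added in this same commit use `"type": "wildcard"` for exactly that kind of long, unbounded value; `"redirect": { "type": "wildcard" }` would keep it searchable. The `_meta.documentation` link points at ecs-base.html, which does not describe the `suricata.*` namespace at all; the same applies to syslog.json, and since `_meta` is free-form a key such as `"description": "Security Onion mapping for Suricata EVE fields; not part of ECS"` would tell a maintainer where this field list comes from. Separately, `alert.sid` is `keyword` while `alert.signature_id`, `gid` and `rev` are `long`; if that split is deliberate (compatibility with existing queries or dashboards), a short note in `_meta` would stop the next reader from "fixing" it.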
@@ -0,0 +1,30 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "syslog": {
+ "properties": {
+ "facility": {
+ "type": "long"
+ },
+ "facility_label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "priority": {
+ "type": "long"
+ },
+ "severity_label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/ecs/syslog.json b/salt/elasticsearch/templates/component/ecs/syslog.json
diff --git a/salt/elasticsearch/templates/component/ecs/threat.json b/salt/elasticsearch/templates/component/ecs/threat.json
new file mode 100644
index 000000000..4bed345e1
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/threat.json
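Review bot: The mapping declares numeric `facility` and `priority` plus `severity_label`, but no numeric `severity`; if the ingest pipeline emits `syslog.severity` (the 0–7 value that together with facility makes up priority), it will be dynamically mapped rather than declared here, and a value arriving as the string `"6"` would land as text/keyword instead of `long`, breaking range queries on it. If the pipeline never emits that field this can be disregarded; otherwise `"severity": { "type": "long" }` next to `facility` keeps the three numeric syslog fields consistently typed.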
@@ -0,0 +1,1650 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + 
"exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": 
"date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + 
"properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + } + }, + "type": "nested" + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 
1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/tls.json b/salt/elasticsearch/templates/component/ecs/tls.json new file mode 100644 index 000000000..413f217ad --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/tls.json 
@@ -0,0 +1,354 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": 
false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/tracing.json b/salt/elasticsearch/templates/component/ecs/tracing.json new file mode 100644 index 000000000..7db45e4a2 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/tracing.json 
@@ -0,0 +1,36 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/url.json b/salt/elasticsearch/templates/component/ecs/url.json new file mode 100644 index 000000000..efdaed1fb --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/url.json @@ -0,0 +1,78 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/salt/elasticsearch/templates/component/ecs/user.json b/salt/elasticsearch/templates/component/ecs/user.json new file mode 100644 index 000000000..1ad4bac67 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/user.json 
@@ -0,0 +1,244 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/user_agent.json b/salt/elasticsearch/templates/component/ecs/user_agent.json new file mode 100644 index 000000000..9a0517e6d --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/user_agent.json 
@@ -0,0 +1,83 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/vulnerability.json b/salt/elasticsearch/templates/component/ecs/vulnerability.json new file mode 100644 index 000000000..d7d8db4d6 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/vulnerability.json 
@@ -0,0 +1,78 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/winlog.json b/salt/elasticsearch/templates/component/ecs/winlog.json new file mode 100644 index 000000000..a724eefb1 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/winlog.json 
@@ -0,0 +1,603 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "dynamic_templates": [ + { + "winlog.event_data": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "winlog.event_data.*" + } + }, + { + "winlog.user_data": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "winlog.user_data.*" + } + } + ], + "properties": { + "winlog": { + "properties": { + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 
1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon": { + "properties": { + "failure": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_created": { + "type": "date" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_data": { + "type": "object" + }, + 
"version": { + "type": "long" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/zeek.json b/salt/elasticsearch/templates/component/ecs/zeek.json new file mode 100644 index 000000000..720199001 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/zeek.json 
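Review bot: `ScriptBlockText` under winlog.event_data is mapped as `keyword` with `ignore_above: 1024`, so any script block longer than 1024 characters stays in _source but is not indexed, and searches on that field silently miss exactly the long PowerShell blocks that are most worth hunting. The same commit already handles long free-form values with a text subfield (`"fields": {"text": {"type": "match_only_text"}}` on url.full and url.original), so that shape, or a `wildcard` type such as `"ScriptBlockText": { "type": "wildcard" }`, would fit here. The `winlog.event_data.*` dynamic template also maps new string fields to `keyword` with no `ignore_above`, which differs from every explicit property above it; if that asymmetry is intended it deserves a comment in whatever source the template comes from. This file looks like output of the ECS mapping generator (the `_meta` block points at ecs-base.html with ecs_version 1.12.2), so the fix presumably belongs in the custom schema the template is generated from rather than in this JSON directly.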
@@ -0,0 +1,2279 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "zeek": { + "properties": { + "capture_loss": { + "properties": { + "acks": { + "type": "long" + }, + "gaps": { + "type": "long" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "percent_lost": { + "type": "double" + }, + "ts_delta": { + "type": "long" + } + } + }, + "connection": { + "properties": { + "history": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp": { + "properties": { + "code": { + "type": "long" + }, + "type": { + "type": "long" + } + } + }, + "inner_vlan": { + "type": "long" + }, + "local_orig": { + "type": "boolean" + }, + "local_resp": { + "type": "boolean" + }, + "missed_bytes": { + "type": "long" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "type": "long" + } + } + }, + "dce_rpc": { + "properties": { + "endpoint": { + "ignore_above": 1024, + "type": "keyword" + }, + "named_pipe": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "rtt": { + "type": "long" + } + } + }, + "dhcp": { + "properties": { + "address": { + "properties": { + "assigned": { + "type": "ip" + }, + "client": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "requested": { + "type": "ip" + }, + "server": { + "type": "ip" + } + } + }, + "client_fqdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "double" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "properties": { + "circuit": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "subscriber": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "lease_time": { + "type": "long" + }, + "msg": { + "properties": { + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "type": "ip" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "types": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "software": { + "properties": { + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dnp3": { + "properties": { + "function": { + "properties": { + "reply": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + } + } + }, + "dns": { + "properties": { + "AA": { + "type": "boolean" + }, + "RA": { + "type": "boolean" + }, + "RD": { + "type": "boolean" + }, + "TC": { + "type": "boolean" + }, + "TTLs": { + "type": "double" + }, + "answers": { + "ignore_above": 1024, + "type": "keyword" + }, + "qclass": { + "type": "long" + }, + "qclass_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "qtype": { + "type": "long" + }, + "qtype_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcode": { + "type": "long" + }, + "rcode_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rejected": { + "type": "boolean" + }, + "rtt": { + "type": "double" + }, + "saw_query": { + "type": "boolean" + }, + "saw_reply": { + "type": "boolean" + }, + "total_answers": { + "type": "long" + }, + "total_replies": { + "type": "long" + }, + "trans_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dpd": { + "properties": { + "analyzer": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_segment": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "files": { + "properties": 
{ + "analyzers": { + "ignore_above": 1024, + "type": "keyword" + }, + "depth": { + "type": "long" + }, + "duration": { + "type": "double" + }, + "entropy": { + "type": "double" + }, + "extracted": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_cutoff": { + "type": "boolean" + }, + "extracted_size": { + "type": "long" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_orig": { + "type": "boolean" + }, + "local_orig": { + "type": "boolean" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "missing_bytes": { + "type": "long" + }, + "overflow_bytes": { + "type": "long" + }, + "parent_fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "rx_host": { + "type": "ip" + }, + "seen_bytes": { + "type": "long" + }, + "session_ids": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "timedout": { + "type": "boolean" + }, + "total_bytes": { + "type": "long" + }, + "tx_host": { + "type": "ip" + } + } + }, + "ftp": { + "properties": { + "arg": { + "ignore_above": 1024, + "type": "keyword" + }, + "capture_password": { + "type": "boolean" + }, + "cmdarg": { + "properties": { + "arg": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "seq": { + "type": "long" + } + } + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "cwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "data_channel": { + "properties": { + "originating_host": { + "type": "ip" + }, + "passive": { + "type": "boolean" + }, + "response_host": { + "type": "ip" + }, + "response_port": { + "type": "long" + } + } + }, + "file": { + "properties": { + "fuid": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + }, + "last_auth_requested": { + "ignore_above": 1024, + "type": "keyword" + }, + "passive": { + "type": "boolean" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "pending_commands": { + "type": "long" + }, + "reply": { + "properties": { + "code": { + "type": "long" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "http": { + "properties": { + "captured_password": { + "type": "boolean" + }, + "client_header_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "info_code": { + "type": "long" + }, + "info_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_filenames": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_mime_depth": { + "type": "long" + }, + "orig_mime_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxied": { + "ignore_above": 1024, + "type": "keyword" + }, + "range_request": { + "type": "boolean" + }, + "resp_filenames": { + "ignore_above": 1024, + "type": "keyword" + }, + "resp_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "resp_mime_depth": { + "type": "long" + }, + "resp_mime_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "server_header_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "trans_depth": { + "type": "long" + } + } + }, + "intel": { + "properties": { + "file_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "fuid": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "matched": { + "ignore_above": 1024, + "type": "keyword" + }, + "seen": { + "properties": { + "conn": { + "ignore_above": 1024, + "type": "keyword" + }, + "f": { + "type": "object" + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "where": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sources": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "irc": { + "properties": { + "addl": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "dcc": { + "properties": { + "file": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "nick": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kerberos": { + "properties": { + "cert": { + "properties": { + "client": { + "properties": { + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "error": { + "properties": { + "code": { + "type": "long" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "forwardable": { + "type": "boolean" + }, + "renewable": { + "type": "boolean" + }, + "request_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "ignore_above": 1024, + "type": "keyword" + }, + "success": { + "type": "boolean" + }, + "ticket": { + "properties": { + "auth": { + "ignore_above": 1024, + "type": "keyword" + }, + "new": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "valid": { + "properties": { + "days": { + "type": "long" + }, + "from": { + "type": "date" + }, + "until": { + "type": "date" + } + } + } + } + }, + "modbus": { + "properties": { + "exception": { + "ignore_above": 1024, + "type": "keyword" + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + }, + "track_address": { + "type": "long" + } + } + }, + "mysql": { + "properties": { + "arg": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "response": { + "ignore_above": 1024, + "type": "keyword" + }, + "rows": { + "type": "long" + }, + "success": { + "type": "boolean" + } + } + }, + "notice": { + "properties": { + "actions": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped": { + "type": "boolean" + }, + "email_body_sections": { + "norms": false, + "type": "text" + }, + "email_delay_tokens": { + "ignore_above": 1024, + "type": "keyword" + }, + "false": { + "type": "long" + }, + "ffile": { + "properties": { + "total_bytes": { + "type": "long" + } + } + }, + "file": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_orig": { + "type": "boolean" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "missing_bytes": { + "type": "long" + }, + "overflow_bytes": { + "type": "long" + }, + "parent_id": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "seen_bytes": { + "type": "long" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "note": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_descr": { + "norms": false, + "type": "text" + }, + "peer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub": { + "ignore_above": 1024, + "type": "keyword" + }, + "suppress_for": { + "type": "double" + } + } + }, + "ntlm": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "properties": { + "name": { + "properties": { + "dns": { + "ignore_above": 1024, + "type": "keyword" + }, + "netbios": { + "ignore_above": 1024, + "type": "keyword" + }, + "tree": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "success": { + "type": "boolean" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ntp": { + "properties": { + "mode": { + "type": "long" + }, + "num_exts": { + "type": "long" + }, + "org_time": { + "type": "date" + }, + "poll": { + "type": "double" + }, + "precision": { + "type": "double" + }, + "rec_time": { + "type": "date" + }, + "ref_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ref_time": { + "type": "date" + }, + "root_delay": { + "type": "double" + }, + "root_disp": { + "type": "double" + }, + "stratum": { + "type": "long" + }, + "version": { + "type": "long" + }, + "xmt_time": { + "type": "date" + } + } + }, + "ocsp": { + "properties": { + "file_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"issuer": { + "properties": { + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "revoke": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "time": { + "type": "date" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "update": { + "properties": { + "next": { + "type": "date" + }, + "this": { + "type": "date" + } + } + } + } + }, + "pe": { + "properties": { + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "compile_time": { + "type": "date" + }, + "has_cert_table": { + "type": "boolean" + }, + "has_debug_data": { + "type": "boolean" + }, + "has_export_table": { + "type": "boolean" + }, + "has_import_table": { + "type": "boolean" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_64bit": { + "type": "boolean" + }, + "is_exe": { + "type": "boolean" + }, + "machine": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "ignore_above": 1024, + "type": "keyword" + }, + "section_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "subsystem": { + "ignore_above": 1024, + "type": "keyword" + }, + "uses_aslr": { + "type": "boolean" + }, + "uses_code_integrity": { + "type": "boolean" + }, + "uses_dep": { + "type": "boolean" + }, + "uses_seh": { + "type": "boolean" + } + } + }, + "radius": { + "properties": { + "connect_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "framed_addr": { + "type": "ip" + }, + "logged": { + "type": "boolean" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "reply_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rdp": { + "properties": { 
+ "cert": { + "properties": { + "count": { + "type": "long" + }, + "permanent": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "desktop": { + "properties": { + "color_depth": { + "ignore_above": 1024, + "type": "keyword" + }, + "height": { + "type": "long" + }, + "width": { + "type": "long" + } + } + }, + "done": { + "type": "boolean" + }, + "encryption": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "keyboard_layout": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl": { + "type": "boolean" + } + } + }, + "rfb": { + "properties": { + "auth": { + "properties": { + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "success": { + "type": "boolean" + } + } + }, + "desktop_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "height": { + "type": "long" + }, + "share_flag": { + "type": "boolean" + }, + "version": { + "properties": { + "client": { + "properties": { + "major": { + "ignore_above": 1024, + "type": "keyword" + }, + "minor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "major": { + "ignore_above": 1024, + "type": "keyword" + }, + "minor": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "width": { + "type": "long" + } + } + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature": { + "properties": { + "event_msg": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "host_count": { + "type": "long" + }, + "note": { + "ignore_above": 1024, + "type": "keyword" + }, + "sig_count": { + "type": "long" + }, + "sig_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sip": { + "properties": { + "call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "ignore_above": 1024, + "type": "keyword" + }, + "reply_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "properties": { + "body_length": { + "type": "long" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body_length": { + "type": "long" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sequence": { + "properties": { + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "status": { + "properties": { + "code": { + "type": "long" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_depth": { + "type": "long" + }, + "uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "warning": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smb_cmd": { + "properties": { + "argument": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": 
{ + "rx": { + "type": "ip" + }, + "tx": { + "type": "ip" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rtt": { + "type": "double" + }, + "smb1_offered_dialects": { + "ignore_above": 1024, + "type": "keyword" + }, + "smb2_offered_dialects": { + "type": "long" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_command": { + "ignore_above": 1024, + "type": "keyword" + }, + "tree": { + "ignore_above": 1024, + "type": "keyword" + }, + "tree_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smb_files": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "fid": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "previous_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "times": { + "properties": { + "accessed": { + "type": "date" + }, + "changed": { + "type": "date" + }, + "created": { + "type": "date" + }, + "modified": { + "type": "date" + } + } + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smb_mapping": { + "properties": { + "native_file_system": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "ignore_above": 1024, + "type": "keyword" + }, + "share_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smtp": { + "properties": { + "cc": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "type": "date" + }, + "first_received": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "fuids": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "has_client_activity": { + "type": "boolean" + }, + "helo": { + "ignore_above": 1024, + "type": "keyword" + }, + "in_reply_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_webmail": { + "type": "boolean" + }, + "last_reply": { + "ignore_above": 1024, + "type": "keyword" + }, + "mail_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "ip" + }, + "process_received_from": { + "type": "boolean" + }, + "rcpt_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "reply_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "second_received": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls": { + "type": "boolean" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_depth": { + "type": "long" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "x_originating_ip": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "snmp": { + "properties": { + "community": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_string": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "double" + }, + "get": { + "properties": { + "bulk_requests": { + "type": "long" + }, + "requests": { + "type": "long" + }, + "responses": { + "type": "long" + } + } + }, + "set": { + "properties": { + "requests": { + "type": "long" + } + } + }, + "up_since": { + "type": "date" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "socks": { + "properties": { + "bound": { + "properties": { + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + } + } + }, + "capture_password": { + "type": "boolean" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "properties": { + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { 
+ "type": "long" + } + } + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + } + } + }, + "ssh": { + "properties": { + "algorithm": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "compression": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "key_exchange": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "auth": { + "properties": { + "attempts": { + "type": "long" + }, + "success": { + "type": "boolean" + } + } + }, + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + } + } + }, + "ssl": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "cert_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_chain_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "last_alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "cert_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_chain_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "validation": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "stats": { + "properties": { + "bytes": { + "properties": { + "received": { + "type": "long" + } + } + }, + "connections": { + "properties": { + "icmp": { + 
"properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "udp": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + } + } + }, + "dns_requests": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "events": { + "properties": { + "processed": { + "type": "long" + }, + "queued": { + "type": "long" + } + } + }, + "files": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "memory": { + "type": "long" + }, + "packets": { + "properties": { + "dropped": { + "type": "long" + }, + "processed": { + "type": "long" + }, + "received": { + "type": "long" + } + } + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "reassembly_size": { + "properties": { + "file": { + "type": "long" + }, + "frag": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "unknown": { + "type": "long" + } + } + }, + "timers": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "timestamp_lag": { + "type": "long" + } + } + }, + "syslog": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tunnel": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "weird": { + "properties": { + "additional_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "notice": { + "type": "boolean" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, 
+ "x509": { + "properties": { + "basic_constraints": { + "properties": { + "certificate_authority": { + "type": "boolean" + }, + "path_length": { + "type": "long" + } + } + }, + "certificate": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "exponent": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "key": { + "properties": { + "algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "length": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "valid": { + "properties": { + "from": { + "type": "date" + }, + "until": { + "type": "date" + } + } + }, + "version": { + "type": "long" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_cert": { + "type": "boolean" + }, + "san": { + "properties": { + "dns": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "other_fields": { + "type": "boolean" + }, + "uri": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/case-mappings.json b/salt/elasticsearch/templates/component/so/case-mappings.json new file mode 100644 index 000000000..aef586459 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/case-mappings.json 
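Review bot: The `password` fields under `zeek.ftp`, `zeek.http` and `zeek.socks`, and `zeek.snmp.community`, are mapped as indexed `keyword` values, so any cleartext credential Zeek writes to its logs is stored and searchable verbatim, yet nothing in the template records that these fields carry secrets. That is presumably intended, since the sibling `capture_password`/`captured_password` booleans are mapped alongside them, but a note in the template's `_meta` block (alongside `documentation` and `ecs_version`) naming them as credential-bearing would let operators decide whether to restrict or drop them before ingest. Separately, `zeek.smtp.x_originating_ip` is mapped `keyword` while every other address field in this template (`zeek.smtp.path`, `zeek.radius.remote_ip`, `zeek.files.tx_host`) uses `"type": "ip"`; if Zeek emits it as an addr, `"x_originating_ip": { "type": "ip" }` keeps CIDR and range queries consistent with the rest of the mapping.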
@@ -0,0 +1,213 @@ + { + "template": { + "mappings": { + "properties": { + "so_audit_doc_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "so_related": { + "properties": { + "createTime": { + "type": "date" + }, + "caseId": { + "ignore_above": 1024, + "type": "keyword" + }, + "fields": { + "eager_global_ordinals": false, + "ignore_above": 1024, + "index": true, + "type": "flattened", + "index_options": "docs", + "split_queries_on_whitespace": false, + "doc_values": true + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "so_artifactstream": { + "properties": { + "createTime": { + "type": "date" + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + }, + "content": { + "type": "text" + } + } + }, + "so_comment": { + "properties": { + "createTime": { + "type": "date" + }, + "caseId": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "type": "text" + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "so_kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "so_operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "so_case": { + "properties": { + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "template": { + "ignore_above": 1024, + "type": "keyword" + }, + "completeTime": { + "type": "date" + }, + "description": { + "type": "text" + }, + "priority": { + "type": "long" + }, + "title": { + "type": "text" + }, + "assigneeId": { + "ignore_above": 1024, + "type": "keyword" + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "createTime": { + "type": "date" + }, + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "startTime": { + "type": "date" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "pap": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "so_artifact": { + "properties": { + "artifactType": { + "ignore_above": 1024, + "type": "keyword" + }, + "groupType": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "streamId": { + "ignore_above": 1024, + "type": "keyword" + }, + "groupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "streamLength": { + "type": "long" + }, + "description": { + "type": "text" + }, + "mimeType": { + "ignore_above": 1024, + "type": "keyword" + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "createTime": { + "type": "date" + }, + "caseId": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "ioc": { + "type": "boolean" + }, + "value": { + "type": "text", + "fields": { + "keyword": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + }, + "_meta": { + "ecs_version": "1.12.2" + } +} diff --git a/salt/elasticsearch/templates/component/so/case-settings.json b/salt/elasticsearch/templates/component/so/case-settings.json new file mode 100644 index 000000000..3a4429926 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/case-settings.json 
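Review bot: The `_meta` block closing case-mappings.json labels the `so_case`/`so_comment`/`so_artifact`/`so_related` mappings with `"ecs_version": "1.12.2"`, yet none of these fields are ECS fields, so an ECS-alignment audit later will be misled. A description in the style of case-settings.json is more accurate, e.g. `"_meta": { "description": "mappings for Security Onion Cases indices" }`. `so_related.fields` is the only object mapped as `flattened`, which suggests it is the one place arbitrary user-supplied keys are expected; if the other objects can carry extra keys too, setting `dynamic` explicitly on them would be clearer than inheriting the default.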
@@ -0,0 +1,65 @@ +{ + "template": { + "settings": { + "index": { + "routing": { + "allocation": { + "require": { + "box_type": "hot" + } + } + }, + "mapping": { + "total_fields": { + "limit": "3000" + } + }, + "refresh_interval": "30s", + "analysis": { + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": "true", + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "char_filter": { + "whitespace_no_way": { + "pattern": "(\\s)+", + "type": "pattern_replace", + "replacement": "$1" + } + }, + "analyzer": { + "es_security_analyzer": { + "filter": [ + "lowercase", + "trim" + ], + "char_filter": [ + "whitespace_no_way" + ], + "type": "custom", + "tokenizer": "keyword" + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "number_of_shards": "1", + "number_of_replicas": "0" + } + } + }, + "version": 1, + "_meta": { + "description": "default settings for common Security Onion Cases indices" + } +} diff --git a/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json b/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json new file mode 100644 index 000000000..7ae4ae86c --- /dev/null +++ b/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json 
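Review bot: case-settings.json is identical to common-settings.json (the L207 hunk) apart from `_meta.description`, so the `analysis` section, the `total_fields` limit and the shard/replica defaults now have to be kept in sync by hand in two places. Unless the Cases indices are expected to diverge, composing the case index template from `common-settings` (as so-aws-template.json.jinja already does) would avoid that drift. In both files `path_hierarchy_pattern_filter` and `path_tokenizer` are defined but no analyzer in the file references them; if a custom analyzer elsewhere depends on them, a one-line `_meta.description` note saying so would help, otherwise they can be dropped.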
@@ -0,0 +1,56 @@
+{
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "ip_address": {
+ "path_match": "*.ip",
+ "mapping": {
+ "type": "ip",
+ "fields": {
+ "keyword": {
+ "ignore_above": 45,
+ "type": "keyword"
+ }
+ }
+ },
+ "match_mapping_type": "string"
+ }
+ },
+ {
+ "port": {
+ "path_match": "*.port",
+ "path_unmatch": "*.data.port",
+ "mapping": {
+ "type": "integer",
+ "fields": {
+ "keyword": {
+ "ignore_above": 6,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ {
+ "strings": {
+ "mapping": {
+ "type": "text",
+ "fields": {
+ "security": {
+ "analyzer": "es_security_analyzer",
+ "type": "text"
+ },
+ "keyword": {
+ "ignore_above": 32765,
+ "type": "keyword"
+ }
+ }
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ]
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/common-settings.json b/salt/elasticsearch/templates/component/so/common-settings.json
new file mode 100644
index 000000000..729ba3388
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/common-settings.json
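Review bot: The `ip_address` dynamic template maps any string under `*.ip` as type `ip` without `ignore_malformed`, so one value that is not a parseable address (a hostname, an empty string, a source that writes `"-"`) rejects the whole document instead of just that field, and the `port` template has the same exposure for non-integer values. Adding `"ignore_malformed": true,` beside `"type": "ip"` and `"type": "integer"` keeps the rest of the event searchable. Separately, `ignore_above` is a character count while Lucene's term limit is 32766 bytes, so the `32765` on the `strings` keyword sub-field still lets multi-byte UTF-8 values exceed the limit and fail indexing; the 1024 used throughout the component mappings would be the safer bound here as well.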
@@ -0,0 +1,65 @@ +{ + "template": { + "settings": { + "index": { + "routing": { + "allocation": { + "require": { + "box_type": "hot" + } + } + }, + "mapping": { + "total_fields": { + "limit": "3000" + } + }, + "refresh_interval": "30s", + "analysis": { + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": "true", + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "char_filter": { + "whitespace_no_way": { + "pattern": "(\\s)+", + "type": "pattern_replace", + "replacement": "$1" + } + }, + "analyzer": { + "es_security_analyzer": { + "filter": [ + "lowercase", + "trim" + ], + "char_filter": [ + "whitespace_no_way" + ], + "type": "custom", + "tokenizer": "keyword" + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "number_of_shards": "1", + "number_of_replicas": "0" + } + } + }, + "version": 1, + "_meta": { + "description": "default settings for common Security Onion indices" + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json b/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json new file mode 100644 index 000000000..60e344946 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json 
@@ -0,0 +1,61 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "agent": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-base-mappings.json b/salt/elasticsearch/templates/component/so/dtc-base-mappings.json new file mode 100644 index 000000000..ff3b73792 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-base-mappings.json @@ -0,0 +1,29 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "message": { + "type": "match_only_text", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json b/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json new file mode 100644 index 000000000..d5a498669 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json 
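Review bot: Every field in dtc-agent-mappings.json is already `type: keyword` yet carries a `fields.keyword` sub-field that is also `keyword`, which indexes each term twice; presumably this keeps `agent.*.keyword` working for existing saved searches, and a one-line `_meta.description` saying so would stop the next reader from removing it. The sub-field has no `ignore_above`, so while the parent drops values over 1024 characters the sub-field still indexes them, and a value over 32766 bytes fails the whole document; `"keyword": { "ignore_above": 1024, "type": "keyword" }` would match the parent. The same pattern appears in dtc-base-mappings.json in this hunk (where `message.keyword` on free text is the most likely to hit the limit) and in the dtc-dns, dtc-ecs, dtc-event, dtc-file, dtc-host, dtc-http, dtc-network, dtc-observer, dtc-rule, dtc-service and so-file mappings that follow.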
@@ -0,0 +1,29 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "dns": {
+ "properties": {
+ "answers": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json b/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json
new file mode 100644
index 000000000..521d4944f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json
@@ -0,0 +1,25 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "ecs": {
+ "properties": {
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/dtc-event-mappings b/salt/elasticsearch/templates/component/so/dtc-event-mappings
new file mode 100644
index 000000000..8a026308b
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/dtc-event-mappings
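Review bot: `_meta.documentation` in dtc-ecs-mappings.json points at ecs-agent.html although the file maps `ecs.version`; it looks copied from dtc-agent-mappings.json and should read `"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html"`. so-rule-mappings.json and so-scan-mappings.json further down (L219 hunk) likewise cite ecs-file.html for `rule.score` and `scan.*`, which are not ECS file fields; since those are Security Onion extensions, a description saying so is more accurate than an ECS page link.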
@@ -0,0 +1,137 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} 
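Review bot: `dtc-event-mappings` is committed without a `.json` extension alongside `dtc-event-mappings.json` (L211 hunk), and the two define different `event.*` field sets; the same pair exists for `dtc-observer-mappings` (L214–L215) and `dtc-observer-mappings.json`. If the Salt state that loads `templates/component/so/` globs on `*.json`, the extensionless files are dead copies that will drift from the live ones; if it loads every file in the directory, two bodies are pushed under one component name and whichever is processed last wins. One of each pair should be removed, and the survivor should carry the full field list if entries such as `event.original` (`index: false`, `doc_values: false`) are meant to be kept.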
diff --git a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json new file mode 100644 index 000000000..d3e577267 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json @@ -0,0 +1,86 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "event": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "created": { + "type": "date", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "ingested": { + "type": "date", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "module": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json new file mode 100644 index 000000000..af090a0b0 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json 
@@ -0,0 +1,34 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "file": { + "properties": { + "mime_type": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json new file mode 100644 index 000000000..064ce850c --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json @@ -0,0 +1,34 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "host": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "mac": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-http-mappings.json b/salt/elasticsearch/templates/component/so/dtc-http-mappings.json new file mode 100644 index 000000000..1b504900a --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-http-mappings.json 
@@ -0,0 +1,38 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "http": { + "properties": { + "request": { + "properties": { + "method": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-network-mappings.json b/salt/elasticsearch/templates/component/so/dtc-network-mappings.json new file mode 100644 index 000000000..b42fe9771 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-network-mappings.json @@ -0,0 +1,34 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "network": { + "properties": { + "protocol": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "transport": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-observer-mappings b/salt/elasticsearch/templates/component/so/dtc-observer-mappings new file mode 100644 index 000000000..1168cd100 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-observer-mappings 
@@ -0,0 +1,219 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + 
"ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json b/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json new file mode 100644 index 000000000..bd7e7f3bd --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json @@ -0,0 +1,25 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "observer": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } + } + } +} 
diff --git a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json new file mode 100644 index 000000000..688aec92c --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json @@ -0,0 +1,27 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "process": { + "properties": { + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + }, + "keyword": { + "type": "keyword" + } + }, + "type": "wildcard" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json b/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json new file mode 100644 index 000000000..d2df0127b --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json @@ -0,0 +1,34 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "rule": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-service-mappings.json b/salt/elasticsearch/templates/component/so/dtc-service-mappings.json new file mode 100644 index 000000000..76bfc274b --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-service-mappings.json 
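Review bot: `process.command_line` in dtc-process-mappings.json is `wildcard` (no term-length limit) but its `keyword` sub-field has no `ignore_above`, so a command line longer than 32766 bytes makes Elasticsearch reject the entire event — and long, encoded command lines are precisely the records a detection pipeline least wants to drop silently. ECS itself attaches only the `text` multi-field here; if `.keyword` is needed for compatibility, cap it with `"keyword": { "ignore_above": 1024, "type": "keyword" }` and consider a monitor on `ignore_above`-dropped fields so the truncation stays visible. The `user.name` and `user_agent.original` sub-fields in the L217 hunk have the same gap.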
@@ -0,0 +1,34 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-user-mappings.json b/salt/elasticsearch/templates/component/so/dtc-user-mappings.json new file mode 100644 index 000000000..3d0c3086a --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-user-mappings.json @@ -0,0 +1,28 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "user": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + }, + "keyword": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json b/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json new file mode 100644 index 000000000..07f980203 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json @@ -0,0 +1,28 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "user_agent": { + "properties": { + "original": { + "fields": { + "text": { + "type": "match_only_text" + }, + "keyword": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} 
diff --git a/salt/elasticsearch/templates/component/so/endgame-mappings.json b/salt/elasticsearch/templates/component/so/endgame-mappings.json new file mode 100644 index 000000000..d32fb962d --- /dev/null +++ b/salt/elasticsearch/templates/component/so/endgame-mappings.json @@ -0,0 +1,53 @@ + { + "template": { + "mappings": { + "properties": { + "endgame": { + "dynamic": false, + "properties": { + "data": { + "properties": { + "malware_classification": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "quarantine_result": { + "properties": { + "local_msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "event_subtype_full": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type_full": { + "ignore_above": 1024, + "type": "keyword" + }, + "metadata": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + } + } + } + }, + "_meta": { + "ecs_version": "1.12.2" + } +} diff --git a/salt/elasticsearch/templates/component/so/so-file-mappings.json b/salt/elasticsearch/templates/component/so/so-file-mappings.json new file mode 100644 index 000000000..1b87b0915 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/so-file-mappings.json @@ -0,0 +1,29 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "file": { + "properties": { + "flavors": { + "properties": { + "mime": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/so-rule-mappings.json b/salt/elasticsearch/templates/component/so/so-rule-mappings.json new file mode 100644 index 000000000..00cea1bfe --- /dev/null +++ b/salt/elasticsearch/templates/component/so/so-rule-mappings.json 
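Review bot: The `endgame` object in endgame-mappings.json sets `"dynamic": false`, so any `endgame.*` field other than the five listed is kept in `_source` but is neither indexed nor searchable, and nothing in the file says this is intentional. A short note such as `"description": "endgame.* is dynamic:false; only the listed fields are searchable"` in `_meta` would keep a future reader from treating a missing field as an ingest bug. `_meta.ecs_version` is also set here although `endgame.*` is vendor-specific rather than ECS.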
@@ -0,0 +1,19 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "rule":{
+ "properties":{
+ "score":{
+ "type":"long"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/so-scan-mappings.json b/salt/elasticsearch/templates/component/so/so-scan-mappings.json
new file mode 100644
index 000000000..00d10f73b
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/so-scan-mappings.json
@@ -0,0 +1,31 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "scan":{
+ "type":"object",
+ "properties":{
+ "exiftool":{
+ "type":"text"
+ },
+ "pe":{
+ "properties":{
+ "sections":{
+ "properties":{
+ "entropy":{
+ "type": "float"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/custom/place_custom_template_in_local b/salt/elasticsearch/templates/index/custom/place_custom_template_in_local
similarity index 100%
rename from salt/elasticsearch/templates/custom/place_custom_template_in_local
rename to salt/elasticsearch/templates/index/custom/place_custom_template_in_local
diff --git a/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja
new file mode 100644
index 000000000..9751fb0f3
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja
@@ -0,0 +1,105 @@ +{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-aws:shards', 1) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-aws:refresh', '30s') %} +{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-aws:priority', 500) %} +{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-aws:field_limit', 3000) %} +{ + "index_patterns": [ + "so-aws*" + ], + "template": { + "mappings": { + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": {{ FIELD_LIMIT }} + } + }, + {%- if INDEX_SORTING is sameas true %} + "index.sort.field": "@timestamp", + "index.sort.order": "desc", + {%- endif %} + "refresh_interval": "{{ REFRESH }}", + "number_of_shards": {{ SHARDS }}, + "number_of_replicas": {{ REPLICAS }} + } + } + }, + "composed_of": [ + "agent-mappings", + "dtc-agent-mappings", + "aws-mappings", + "base-mappings", + "dtc-base-mappings", + "client-mappings", + "cloud-mappings", + "container-mappings", + "data_stream-mappings", + "destination-mappings", + "dll-mappings", + "dns-mappings", + "dtc-dns-mappings", + "ecs-mappings", + "dtc-ecs-mappings", + "error-mappings", + "event-mappings", + "dtc-event-mappings", + "file-mappings", + "dtc-file-mappings", + "group-mappings", + "host-mappings", + "dtc-host-mappings", + "http-mappings", + "dtc-http-mappings", + "log-mappings", + "network-mappings", + "dtc-network-mappings", + "observer-mappings", + "dtc-observer-mappings", + "orchestrator-mappings", + "organization-mappings", + "package-mappings", + "process-mappings", + "dtc-process-mappings", + "registry-mappings", + 
"related-mappings", + "rule-mappings", + "dtc-rule-mappings", + "server-mappings", + "service-mappings", + "dtc-service-mappings", + "source-mappings", + "threat-mappings", + "tls-mappings", + "tracing-mappings", + "url-mappings", + "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", + "dtc-user-mappings", + "vulnerability-mappings", + "common-settings", + "common-dynamic-mappings" + ], + "priority": {{ PRIORITY }}, + "_meta": { + "description": "Composable template that includes SO base fields", + "ecs_version": "1.12" + } + } + } diff --git a/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja new file mode 100644 index 000000000..f663e0b82 --- /dev/null +++ b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja 
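Review bot: The rendered so-aws-template.json.jinja ends with three `}` lines after `"ecs_version": "1.12"`, but only two objects (`_meta` and the root) are still open at that point — the hunk's 105-line count confirms the extra line — so the output carries a stray closing brace; whether Elasticsearch tolerates trailing content after the root object depends on how strictly the request body is parsed, so it should be removed and the so-azure template (cut off in this chunk) checked for the same copy. `_meta.ecs_version` is `"1.12"` here while every component template says `"1.12.2"`; one value should be used. Note also that `{%- if INDEX_SORTING is sameas true %}` only fires for a genuine boolean pillar value, so a quoted `"true"` in pillar would silently leave index sorting off; if that strictness is intended, a comment on the `set INDEX_SORTING` line would help.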
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-azure:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-azure:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-azure:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-azure:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-azure*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "azure-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja b/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja
new file mode 100644
index 000000000..bde70c190
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja
@@ -0,0 +1,104 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-barracuda*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja
new file mode 100644
index 000000000..5f935d65b
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-beats:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-beats:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-beats:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-beats:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-beats*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings",
+ "winlog-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja b/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja
new file mode 100644
index 000000000..e0b69f24d
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja
@@ -0,0 +1,104 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-bluecoat*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-case-template.json.jinja b/salt/elasticsearch/templates/index/so/so-case-template.json.jinja
new file mode 100644
index 000000000..3e526979d
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-case-template.json.jinja
@@ -0,0 +1,53 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-case:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-case:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-case:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-case:field_limit', 2000) %}
+{
+ "index_patterns": [
+ "so-case*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "case-mappings",
+ "case-settings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes Cases fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja
new file mode 100644
index 000000000..84e175a88
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cef:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cef:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cef:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cef:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-cef*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "cef-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja
new file mode 100644
index 000000000..ee76932d4
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-checkpoint*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "checkpoint-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja
new file mode 100644
index 000000000..6b8396815
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja
@@ -0,0 +1,106 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cisco:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cisco:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cisco:field_limit', 3000) %}
+{
+ "index_templates": [
+ {
+ "so-cisco*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "cisco-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-common-template.json.jinja b/salt/elasticsearch/templates/index/so/so-common-template.json.jinja
new file mode 100644
index 000000000..f549f6289
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-common-template.json.jinja
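Review bot: The head of this new file reads `"index_templates": [ { "so-cisco*" ],` — the key is wrong (the composable-template body uses `index_patterns`, as every sibling template in this commit does) and the JSON is malformed, since an object opened with `{` is closed with `]`. The template therefore cannot be parsed, let alone applied, so `so-cisco*` indices would silently fall through to the lower-priority `so-*` catch-all without `cisco-mappings`; the `+1,106` count, one more than the sibling templates, is the stray `{` line. It should read `"index_patterns": [` / `"so-cisco*"` / `],`. Because a template that fails to load degrades field mappings without any ingest error, rendering each `*.json.jinja` and passing the output through a strict JSON parser in CI would catch this class of mistake.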
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-common:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-common:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-common:priority', 1) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-common:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "sort.field": "@timestamp",
+ "sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "so-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja
new file mode 100644
index 000000000..6644f274b
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja
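Review bot: The index-sorting keys in this template are `"sort.field"` / `"sort.order"`, whereas every sibling template in this commit writes `"index.sort.field"` / `"index.sort.order"` inside the same nested `"index": { … }` settings object. Nested under `"index"`, `sort.field` resolves to `index.sort.field`, the setting name Elasticsearch documents; the sibling form would appear to resolve to `index.index.sort.field` unless Elasticsearch collapses the repeated prefix, which I have not confirmed — since `elasticsearch:index_sorting` defaults to `False` here, the branch is never rendered in a stock deployment and the discrepancy would only surface when an operator enables sorting, so it should be checked against a live cluster with that pillar set and then made uniform across all templates. Note also that this is the `so-*` catch-all at priority 1: any `so-` index whose vendor template fails to load lands here silently, and the `ignore_above: 1024` on `strings_as_keyword` applies to it, meaning dynamically-mapped string values longer than 1024 characters (long command lines, URLs, user agents) are stored but not indexed and so never match an exact-value search — worth a comment in the template so analysts are not surprised.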
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-cyberark*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "cyberark-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja
new file mode 100644
index 000000000..910fea825
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja
@@ -0,0 +1,104 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cylance:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cylance:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cylance:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-cylance*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja b/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja
new file mode 100644
index 000000000..62c9e1597
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-elasticsearch*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "elasticsearch-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja b/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja
new file mode 100644
index 000000000..9de433b05
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja
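Review bot: `{%- if INDEX_SORTING is sameas true %}` only matches a genuine YAML boolean, so a pillar value written as `"true"`, `True` in quotes, `1` or `yes` renders the template with sorting silently off and no error anywhere. If `elasticsearch:index_sorting` can be set by an operator editing pillar by hand, either coerce it first, e.g. `{%- if INDEX_SORTING | to_bool %}` (Salt ships `to_bool`), or record in the pillar defaults that the key must be an unquoted boolean. The default of `False` itself is fine.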
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-endgame:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-endgame:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-endgame:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "endgame*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "endgame-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja b/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja
new file mode 100644
index 000000000..6a558742f
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja
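Review bot: The index pattern here is `endgame*` while the file name, the pillar key (`elasticsearch:index_settings:so-endgame`) and every sibling template in this commit use the `so-` prefix; if that is deliberate because the Endgame/agent integration writes to `endgame-*` directly, say so in the template, e.g. `{# Endgame writes to endgame-* itself; this is intentionally not an so-* pattern #}` above `"index_patterns"`. A pattern without the `so-` prefix would also fall outside any `so-*` wide handling (ILM, aliases, curator) the project applies elsewhere — I cannot see that from this hunk, so worth confirming.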
@@ -0,0 +1,104 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-f5:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-f5:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-f5:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-f5:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-f5*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja b/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja
new file mode 100644
index 000000000..cf489278e
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja
@@ -0,0 +1,104 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-firewall:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-firewall:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-firewall:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-firewall*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja b/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja
new file mode 100644
index 000000000..1fb892487
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja
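Review bot: Every template in this commit defaults `priority` to 500 through its own pillar key; Elasticsearch only rejects equal priorities when index patterns overlap, and none of the `so-<source>*` patterns here overlap each other, but an operator-added catch-all such as `so-*` will tie with or silently lose to these unless it uses a different priority, and a tie is rejected at template creation time. A one-line comment where the value is set, `{# must differ from any other template whose pattern overlaps so-firewall* #}` next to `"priority": {{ PRIORITY }},`, would make the constraint visible at the point someone tunes it.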
@@ -0,0 +1,104 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-flow:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-flow:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-flow:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-flow:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-flow*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja
new file mode 100644
index 000000000..d04193d31
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-fortinet*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "fortinet-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja
new file mode 100644
index 000000000..78a39f158
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja
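Review bot: `_meta.description` is the identical generic string in every template in this commit, so `GET _index_template` output cannot distinguish them when auditing what is installed on a cluster; a per-source value such as `"description": "SO composable template for so-fortinet* (ECS 1.12, SO base fields, fortinet-mappings)",` costs nothing and makes the listing self-explanatory. Separately, this template adds `fortinet-mappings` to `composed_of`, which must exist before the index template is PUT since Elasticsearch rejects a template that references a missing component — the state that orders those creations is outside this hunk, so I cannot confirm it here.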
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-gcp:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-gcp:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-gcp:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-gcp*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "gcp-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja
new file mode 100644
index 000000000..1aa207d57
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-google_workspace*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "google_workspace-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja b/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja
new file mode 100644
index 000000000..400567e3e
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja
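Review bot: Elasticsearch merges `composed_of` component templates in list order with later entries taking precedence on conflicting keys, so `google_workspace-mappings` placed alphabetically between `dtc-file-mappings` and `group-mappings` will be overridden by any later ECS component that defines the same field, and `common-settings` / `common-dynamic-mappings` win over everything. If that ordering is intended, a comment on the list, `{# order matters: later components override earlier ones; source-specific mappings sit alphabetically, common-* always last #}` above `"composed_of"`, would record it; if the source-specific mapping is meant to win, it belongs after the ECS components instead. I cannot see the component contents from this hunk, so this is a question rather than a reported conflict.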
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ids:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ids:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-ids:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-ids:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-ids*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "suricata-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja b/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja
new file mode 100644
index 000000000..bdc399121
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja
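Review bot: The `strings_as_keyword` dynamic template maps every string field not covered by a component template as `keyword` with `ignore_above: 1024`, so a value longer than 1024 bytes is kept in `_source` but not indexed and will never match a term, wildcard or detection-rule query on that field. For IDS data, where payload, URI, user-agent and alert metadata strings can easily exceed that, an analyst seeing the value in the document but getting no hits is a real hunting trap; a comment in the template, `{# dynamic string fields >1024 bytes are stored but not indexed (ignore_above) — map anything you need to search explicitly in suricata-mappings #}` above `"dynamic_templates"`, would make the trade-off visible. The limit itself is sensible mapping-explosion protection, so I am not proposing to raise it globally.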
@@ -0,0 +1,104 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-imperva:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-imperva:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-imperva:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-imperva*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-import-template.json.jinja b/salt/elasticsearch/templates/index/so/so-import-template.json.jinja
new file mode 100644
index 000000000..d449009c9
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-import-template.json.jinja
@@ -0,0 +1,104 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-import:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-import:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-import:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-import:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-import*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja b/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja
new file mode 100644
index 000000000..f8e070b25
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja
@@ -0,0 +1,104 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-infoblox*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja
new file mode 100644
index 000000000..a1aaa5cd0
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-juniper:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-juniper:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-juniper:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-juniper*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "juniper-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja b/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja
new file mode 100644
index 000000000..670c934eb
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-kibana:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-kibana:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-kibana:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-kibana*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "kibana-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja b/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja
new file mode 100644
index 000000000..b9744a01e
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-logstash:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-logstash:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-logstash:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-logstash*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "logstash-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja
new file mode 100644
index 000000000..d0b7d2cbb
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-microsoft*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "microsoft-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja
new file mode 100644
index 000000000..046ffa6e7
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-misp:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-misp:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-misp:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-misp:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-misp*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "misp-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja b/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja
new file mode 100644
index 000000000..e7d09abb7
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netflow:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-netflow:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-netflow:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-netflow*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "netflow-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja b/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja
new file mode 100644
index 000000000..7670d5659
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja
@@ -0,0 +1,104 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netscout:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-netscout:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-netscout:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-netscout*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja
new file mode 100644
index 000000000..da688ea75
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-o365:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-o365:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-o365:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-o365:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-o365*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "o365-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja
new file mode 100644
index 000000000..26488c4b2
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-okta:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-okta:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-okta:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-okta:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-okta*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "okta-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja
new file mode 100644
index 000000000..a7459abc3
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-osquery:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-osquery:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-osquery:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-osquery*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings",
+ "winlog-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja
new file mode 100644
index 000000000..3f78942c3
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja
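Review bot: `winlog-mappings` is appended after `common-settings` and `common-dynamic-mappings` rather than in alphabetical position among the ECS component templates, which is where the other new templates in this commit place their source-specific component (`juniper-mappings`, `kibana-mappings`, `okta-mappings`); the ossec hunk below orders it the same way. Component templates listed in `composed_of` are merged in order with later entries taking precedence, so if the intent is only to add the winlog fields the entry belongs before `common-settings`, and if it is meant to override something in the common components a `{# winlog-mappings must stay last: overrides common-* #}` comment next to it would keep the next reader from "fixing" the order.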
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ossec:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-ossec:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-ossec:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-ossec*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings",
+ "winlog-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja b/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja
new file mode 100644
index 000000000..a75ebc600
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja
@@ -0,0 +1,104 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-proofpoint*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja b/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja
new file mode 100644
index 000000000..19b7081e1
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja
@@ -0,0 +1,104 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-radware:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-radware:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-radware:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-radware:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-radware*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja
new file mode 100644
index 000000000..8cf1a3777
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-redis:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-redis:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-redis:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-redis:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-redis*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "redis-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja b/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja
new file mode 100644
index 000000000..63b2506f0
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja
@@ -0,0 +1,104 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snort:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snort:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-snort:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-snort:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-snort*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja
new file mode 100644
index 000000000..42cff57ce
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snyk:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-snyk:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-snyk:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-snyk*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "snyk-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja b/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja
new file mode 100644
index 000000000..f2b9c558d
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja
@@ -0,0 +1,104 @@
+i%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-sonicwall*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja
new file mode 100644
index 000000000..c8c95f178
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja
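Review bot: The first line of this hunk reads `+i%- set INDEX_SORTING = ...` instead of `{%- set INDEX_SORTING = ...`, so Jinja does not see a statement tag there: the text is emitted literally ahead of the opening `{`, the rendered so-sonicwall template is not valid JSON, and `INDEX_SORTING` is never assigned, so the `{%- if INDEX_SORTING is sameas true %}` test on the sort settings either silently skips them or fails the render, depending on how undefined names are handled. The fix is the one-character correction `{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}`, matching the twelve sibling templates in this commit. Rendering each template with default pillar values and passing the result through a JSON parser in CI would catch this class of slip before a template reaches Elasticsearch.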
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sophos:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-sophos:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-sophos:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-sophos*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "sophos-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja b/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja
new file mode 100644
index 000000000..3ec8fe067
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja
@@ -0,0 +1,104 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-squid:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-squid:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-squid:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-squid:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-squid*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja b/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja
new file mode 100644
index 000000000..06783d3e8
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-strelka:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-strelka:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-strelka:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-strelka*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "so-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja
new file mode 100644
index 000000000..41215e262
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-syslog:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-syslog:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-syslog:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-syslog*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "syslog-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja b/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja
new file mode 100644
index 000000000..af48c7540
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja
@@ -0,0 +1,104 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-tomcat*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ 
"related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja b/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja
new file mode 100644
index 000000000..35f842a9c
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja
@@ -0,0 +1,105 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-zeek:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-zeek:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-zeek*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ 
"rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "zeek-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja b/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja
new file mode 100644
index 000000000..abb475b6f
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja
@@ -0,0 +1,104 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-zscaler*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "dtc-agent-mappings",
+ "base-mappings",
+ "dtc-base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "dtc-dns-mappings",
+ "ecs-mappings",
+ "dtc-ecs-mappings",
+ "error-mappings",
+ "event-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "dtc-file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "dtc-host-mappings",
+ "http-mappings",
+ "dtc-http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "dtc-process-mappings",
+ "registry-mappings",
+ 
"related-mappings",
+ "rule-mappings",
+ "dtc-rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "dtc-service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
+ "dtc-user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/so/so-aws-template.json.jinja b/salt/elasticsearch/templates/so/so-aws-template.json.jinja
deleted file mode 100644
index 19b23dfba..000000000
--- a/salt/elasticsearch/templates/so/so-aws-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-aws:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-aws:refresh', '30s') %}
-{
- "index_patterns": ["so-aws-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-azure-template.json.jinja b/salt/elasticsearch/templates/so/so-azure-template.json.jinja
deleted file mode 100644
index 51a266479..000000000
--- a/salt/elasticsearch/templates/so/so-azure-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-azure:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-azure:refresh', '30s') %}
-{
- "index_patterns": ["so-azure-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-barracuda-template.json.jinja b/salt/elasticsearch/templates/so/so-barracuda-template.json.jinja
deleted file mode 100644
index 66967d6d1..000000000
--- a/salt/elasticsearch/templates/so/so-barracuda-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:refresh', '30s') %}
-{
- "index_patterns": ["so-barracuda-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-beats-template.json.jinja b/salt/elasticsearch/templates/so/so-beats-template.json.jinja
deleted file mode 100644
index 6d2cf7851..000000000
--- a/salt/elasticsearch/templates/so/so-beats-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-beats:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-beats:refresh', '30s') %}
-{
- "index_patterns": ["so-beats-*"],
- "version": 50001,
- "order": 11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-bluecoat-template.json.jinja b/salt/elasticsearch/templates/so/so-bluecoat-template.json.jinja
deleted file mode 100644
index b1714183e..000000000
--- a/salt/elasticsearch/templates/so/so-bluecoat-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:refresh', '30s') %}
-{
- "index_patterns": ["so-bluecoat-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-case-template.json.jinja b/salt/elasticsearch/templates/so/so-case-template.json.jinja
deleted file mode 100644
index a61bd21be..000000000
--- a/salt/elasticsearch/templates/so/so-case-template.json.jinja
+++ /dev/null
@@ -1,226 +0,0 @@
-{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', True) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-common:refresh', '30s') %}
-{
- "index_patterns": ["so-case*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":1,
- "index.refresh_interval":"{{ REFRESH }}",
- "index.routing.allocation.require.box_type":"hot",
- "index.mapping.total_fields.limit": "1500"
- },
- "mappings": {
- "_meta": {
- "version": "1.5.0"
- },
- "dynamic": false,
- "date_detection": false,
- "properties": {
- "@timestamp": {
- "type": "date"
- },
- "so_kind": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "so_operation": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "so_audit_doc_id": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "so_artifact": {
- "properties": {
- "artifactType": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "caseId": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "createTime": {
- "type": "date"
- },
- "description": {
- "type": "text"
- },
- "groupId": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "groupType": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "ioc": {
- "type": "boolean"
- },
- "md5": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "mimeType": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "sha1": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "sha256": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "streamId": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "streamLength": {
- "type": "long"
- },
- "tags": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "tlp": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "userId": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "value": {
- "type": "text",
- "fields": {
- "keyword": {
- "type": "keyword",
- "ignore_above": 1024
- }
- }
- }
- }
- },
- "so_artifactstream": {
- "properties": {
- "content": {
- "type": "text"
- },
- "createTime": {
- "type": "date"
- },
- "userId": {
- "type": "keyword",
- "ignore_above": 1024
- }
- }
- },
- "so_case": {
- "properties": {
- "assigneeId": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "category": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "completeTime": {
- "type": "date"
- },
- "createTime": {
- "type": "date"
- },
- "description": {
- "type": "text"
- },
- "pap": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "priority": {
- "type": "long"
- },
- "severity": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "startTime": {
- "type": "date"
- },
- "status": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "tags": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "template": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "title": {
- "type": "text"
- },
- "tlp": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "userId": {
- "type": "keyword",
- "ignore_above": 1024
- }
- }
- },
- "so_comment": {
- "properties": {
- "caseId": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "createTime": {
- "type": "date"
- },
- "description": {
- "type": "text"
- },
- "userId": {
- "type": "keyword",
- "ignore_above": 1024
- }
- }
- },
- "so_related": {
- "properties": {
- "caseId": {
- "type": "keyword",
- "ignore_above": 1024
- },
- "createTime": {
- "type": "date"
- },
- "fields": {
- "eager_global_ordinals": false,
- "ignore_above": 1024,
- "index": true,
- "type": "flattened",
- "index_options": "docs",
- "split_queries_on_whitespace": false,
- "doc_values": true
- },
- "userId": {
- "type": "keyword",
- "ignore_above": 1024
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-cef-template.json.jinja b/salt/elasticsearch/templates/so/so-cef-template.json.jinja
deleted file mode 100644
index 0081d42e1..000000000
--- a/salt/elasticsearch/templates/so/so-cef-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cef:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cef:refresh', '30s') %}
-{
- "index_patterns": ["so-cef-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-checkpoint-template.json.jinja b/salt/elasticsearch/templates/so/so-checkpoint-template.json.jinja
deleted file mode 100644
index 5d41946cf..000000000
--- a/salt/elasticsearch/templates/so/so-checkpoint-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:refresh', '30s') %}
-{
- "index_patterns": ["so-checkpoint-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-cisco-template.json.jinja b/salt/elasticsearch/templates/so/so-cisco-template.json.jinja
deleted file mode 100644
index e6e6d14d0..000000000
--- a/salt/elasticsearch/templates/so/so-cisco-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cisco:refresh', '30s') %}
-{
- "index_patterns": ["so-cisco-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-common-template.json.jinja b/salt/elasticsearch/templates/so/so-common-template.json.jinja
deleted file mode 100644
index 4a41cba8a..000000000
--- a/salt/elasticsearch/templates/so/so-common-template.json.jinja
+++ /dev/null
@@ -1,702 +0,0 @@ -{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', True) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-common:refresh', '30s') %} -{ - "index_patterns": ["so-*"], - "version":50001, - "order":10, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":1, - "index.refresh_interval":"{{ REFRESH }}", - "index.routing.allocation.require.box_type":"hot", - "index.mapping.total_fields.limit": "1500", -{%- if INDEX_SORTING is sameas true %} - "index.sort.field": "@timestamp", - "index.sort.order": "desc", -{%- endif %} - "analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ "whitespace_no_way" ], - "filter": [ "lowercase", "trim" ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter" : { - "path_hierarchy_pattern_filter": { - "type" : "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - } - }, - "mappings":{ - "dynamic":false, - "date_detection":false, - "dynamic_templates": [ - { - "ip_address": { - "match_mapping_type": "string", - "path_match": "*.ip", - "mapping": { - "type": "ip", - "fields" : { - "keyword" : { - "ignore_above" : 45, - "type" : "keyword" - } - } - - } - } - }, - { - "port": { - "path_match": "*.port", - "path_unmatch": "*.data.port", - "mapping": { - "type": "integer", - "fields" : { - "keyword" : { - "ignore_above" : 6, - "type" : "keyword" - } - } - - } - } - }, - { - "strings": { - "match_mapping_type": "string", - "mapping": { - "type": "text", - "fields": { - "keyword": { - "ignore_above": 32765, - "type": "keyword" - }, - "security": { - "type": "text", - 
"analyzer": "es_security_analyzer" - } - } - } - } - }], - "properties":{ - "@timestamp":{ - "type":"date" - }, - "@version":{ - "type":"keyword" - }, - "osquery":{ - "type":"object", - "dynamic":true - }, - "geoip":{ - "dynamic":true, - "properties":{ - "ip":{ - "type":"ip" - }, - "location":{ - "type":"geo_point" - }, - "latitude":{ - "type":"half_float" - }, - "longitude":{ - "type":"half_float" - } - } - }, - "destination_geo":{ - "dynamic":true, - "properties":{ - "ip":{ - "type":"ip" - }, - "location":{ - "type":"geo_point" - }, - "latitude":{ - "type":"half_float" - }, - "longitude":{ - "type":"half_float" - } - } - }, - "source_geo":{ - "dynamic":true, - "properties":{ - "ip":{ - "type":"ip" - }, - "location":{ - "type":"geo_point" - }, - "latitude":{ - "type":"half_float" - }, - "longitude":{ - "type":"half_float" - } - } - }, - "agent":{ - "type":"object", - "dynamic": true - }, - "as":{ - "type":"object", - "dynamic": true - }, - "alert":{ - "type":"object", - "dynamic": true - }, - "client":{ - "type":"object", - "dynamic": true - }, - "cloud":{ - "type":"object", - "dynamic": true - }, - "code_signature":{ - "type":"object", - "dynamic": true - }, - "connection":{ - "type":"object", - "dynamic": true - }, - "container":{ - "type":"object", - "dynamic": true - }, - "data":{ - "type":"object", - "dynamic": true - }, - "dce_rpc":{ - "type":"object", - "dynamic": true - }, - "destination":{ - "type":"object", - "dynamic": true - }, - "dhcp":{ - "type":"object", - "dynamic": true - }, - "dnp3":{ - "type":"object", - "dynamic": true - }, - "dns":{ - "type":"object", - "dynamic": true - }, - "dll":{ - "type":"object", - "dynamic": true - }, - "ecs":{ - "type":"object", - "dynamic": true - }, - "error":{ - "type":"object", - "dynamic": true - }, - "event":{ - "type":"object", - "dynamic": true - }, - "event_data":{ - "type":"object", - "dynamic": true - }, - "file":{ - "type":"object", - "dynamic": true - }, - "flow":{ - "type":"object", - "dynamic": true - }, 
- "ftp":{ - "type":"object", - "dynamic": true - }, - "geo":{ - "type":"object", - "dynamic": true - }, - "group":{ - "type":"object", - "dynamic": true - }, - "hash":{ - "type":"object", - "dynamic": true - }, - "host":{ - "type":"object", - "dynamic": true - }, - "http":{ - "type":"object", - "dynamic": true - }, - "import":{ - "type":"object", - "dynamic": true - }, - "ingest":{ - "type":"object", - "dynamic": true, - "properties":{ - "timestamp":{ - "type":"date" - } - } - }, - "intel":{ - "type":"object", - "dynamic": true, - "properties":{ - "indicator":{ - "type":"text", - "fields":{ - "keyword":{ - "type":"keyword" - } - } - } - } - }, - "interface":{ - "type":"object", - "dynamic": true - }, - "ip":{ - "type":"object", - "dynamic": true - }, - "irc":{ - "type":"object", - "dynamic": true - }, - "kerberos":{ - "type":"object", - "dynamic": true - }, - "log":{ - "type":"object", - "dynamic": true - }, - "logscan": { - "type": "object", - "dynamic": true - }, - "manager":{ - "type":"object", - "dynamic": true - }, - "message":{ - "type":"text", - "fields":{ - "keyword":{ - "type":"keyword", - "ignore_above": 32766 - } - } - }, - "modbus":{ - "type":"object", - "dynamic": true - }, - "mysql":{ - "type":"object", - "dynamic": true - }, - "network":{ - "type":"object", - "dynamic": true - }, - "notice":{ - "type":"object", - "dynamic": true - }, - "ntlm":{ - "type":"object", - "dynamic": true - }, - "observer":{ - "type":"object", - "dynamic": true - }, - "organization":{ - "type":"object", - "dynamic": true - }, - "os":{ - "type":"object", - "dynamic": true - }, - "package":{ - "type":"object", - "dynamic": true - }, - "pe":{ - "type":"object", - "dynamic": true - }, - "process":{ - "type":"object", - "dynamic": true - }, - "radius":{ - "type":"object", - "dynamic": true - }, - "rdp":{ - "type":"object", - "dynamic": true - }, - "registry":{ - "type":"object", - "dynamic": true - }, - "related":{ - "type":"object", - "dynamic": true - }, - "request":{ - 
"type":"object", - "dynamic": true - }, - "result":{ - "type":"object", - "dynamic": true - }, - "rfb":{ - "type":"object", - "dynamic": true - }, - "rule":{ - "type":"object", - "dynamic":true, - "properties":{ - "score":{ - "type":"long" - }, - "uuid":{ - "type":"keyword" - } - } - }, - "scan":{ - "type":"object", - "dynamic": true, - "properties":{ - "exiftool":{ - "type":"text" - } - } - }, - "server":{ - "type":"object", - "dynamic": true - }, - "service":{ - "type":"object", - "dynamic": true - }, - "sip":{ - "type":"object", - "dynamic": true - }, - "smb":{ - "type":"object", - "dynamic": true - }, - "smtp":{ - "type":"object", - "dynamic": true - }, - "snmp":{ - "type":"object", - "dynamic": true - }, - "socks":{ - "type":"object", - "dynamic": true - }, - "software":{ - "type":"object", - "dynamic": true - }, - "source":{ - "type":"object", - "dynamic": true - }, - "ssh":{ - "type":"object", - "dynamic": true - }, - "ssl":{ - "type":"object", - "dynamic": true - }, - "syslog":{ - "type":"object", - "dynamic": true - }, - "tags":{ - "type":"text", - "fields":{ - "keyword":{ - "type":"keyword" - } - } - }, - "threat":{ - "type":"object", - "dynamic": true - }, - "tls":{ - "type":"object", - "dynamic": true - }, - "trace":{ - "type":"object", - "dynamic": true - }, - "tunnel":{ - "type":"object", - "dynamic": true - }, - "user":{ - "type":"object", - "dynamic": true - }, - "user_agent":{ - "type":"object", - "dynamic": true - }, - "version":{ - "type":"object", - "dynamic": true - }, - "vlan":{ - "type":"object", - "dynamic": true - }, - "vulnerability":{ - "type":"object", - "dynamic": true - }, - "weird":{ - "type":"object", - "dynamic": true - }, - "winlog":{ - "type":"object", - "dynamic": true, - "properties":{ - "event_id":{ - "type":"long" - }, - "event_data":{ - "type":"object" - }, - "version":{ - "type":"long" - } - } - }, - "x509":{ - "type":"object", - "dynamic": true - }, - "suricata":{ - "type":"object", - "dynamic": true - }, - "zeek":{ - 
"type":"object", - "dynamic": true - }, - "aws":{ - "type":"object", - "dynamic": true - }, - "azure":{ - "type":"object", - "dynamic": true - }, - "barracuda":{ - "type":"object", - "dynamic": true - }, - "bluecoat":{ - "type":"object", - "dynamic": true - }, - "cef":{ - "type":"object", - "dynamic": true - }, - "checkpoint":{ - "type":"object", - "dynamic": true - }, - "cisco":{ - "type":"object", - "dynamic": true - }, - "cyberark":{ - "type":"object", - "dynamic": true - }, - "cylance":{ - "type":"object", - "dynamic": true - }, - "f5":{ - "type":"object", - "dynamic": true - }, - "fortinet":{ - "type":"object", - "dynamic": true - }, - "gcp":{ - "type":"object", - "dynamic": true - }, - "google_workspace":{ - "type":"object", - "dynamic": true - }, - "imperva":{ - "type":"object", - "dynamic": true - }, - "infoblox":{ - "type":"object", - "dynamic": true - }, - "juniper":{ - "type":"object", - "dynamic": true - }, - "microsoft":{ - "type":"object", - "dynamic": true - }, - "misp":{ - "type":"object", - "dynamic": true - }, - "netflow":{ - "type":"object", - "dynamic": true - }, - "netscout":{ - "type":"object", - "dynamic": true - }, - "o365":{ - "type":"object", - "dynamic": true - }, - "okta":{ - "type":"object", - "dynamic": true - }, - "proofpoint":{ - "type":"object", - "dynamic": true - }, - "radware":{ - "type":"object", - "dynamic": true - }, - "snort":{ - "type":"object", - "dynamic": true - }, - "snyk":{ - "type":"object", - "dynamic": true - }, - "sonicwall":{ - "type":"object", - "dynamic": true - }, - "sophos":{ - "type":"object", - "dynamic": true - }, - "squid":{ - "type":"object", - "dynamic": true - }, - "tomcat":{ - "type":"object", - "dynamic": true - }, - "zcaler":{ - "type":"object", - "dynamic": true - }, - "elasticsearch":{ - "type":"object", - "dynamic": true - }, - "kibana":{ - "type":"object", - "dynamic": true - }, - "logstash":{ - "type":"object", - "dynamic": true - }, - "redis":{ - "type":"object", - "dynamic": true - }, - 
"wazuh":{
- "type":"object",
- "dynamic": true
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-cyberark-template.json.jinja b/salt/elasticsearch/templates/so/so-cyberark-template.json.jinja
deleted file mode 100644
index 1647d600f..000000000
--- a/salt/elasticsearch/templates/so/so-cyberark-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:refresh', '30s') %}
-{
- "index_patterns": ["so-cyberark-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-cylance-template.json.jinja b/salt/elasticsearch/templates/so/so-cylance-template.json.jinja
deleted file mode 100644
index 4ba7d0316..000000000
--- a/salt/elasticsearch/templates/so/so-cylance-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cylance:refresh', '30s') %}
-{
- "index_patterns": ["so-cylance-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-elasticsearch-template.json.jinja b/salt/elasticsearch/templates/so/so-elasticsearch-template.json.jinja
deleted file mode 100644
index 16aaaec13..000000000
--- a/salt/elasticsearch/templates/so/so-elasticsearch-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:refresh', '30s') %}
-{
- "index_patterns": ["so-elasticsearch-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-endgame-template.json.jinja b/salt/elasticsearch/templates/so/so-endgame-template.json.jinja
deleted file mode 100644
index 6d2b89b27..000000000
--- a/salt/elasticsearch/templates/so/so-endgame-template.json.jinja
+++ /dev/null
@@ -1,2976 +0,0 @@ -{ - "index_patterns": ["endgame-*"], - "version":50002, - "order":1, - "mappings": { - "_meta": { - "version": "1.5.0" - }, - "date_detection": false, - "dynamic_templates": [ - { - "strings_as_keyword": { - "mapping": { - "ignore_above": 1024, - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "@timestamp": { - "type": "date" - }, - "agent": { - "properties": { - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "container": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "name": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - 
"group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "header_flags": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - } - } - }, - "endgame": { - "dynamic": false, - "properties": { - "data": { - "properties": { - "malware_classification": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "quarantine_result": { - "properties": { - "local_msg": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "event_subtype_full": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_type_full": { - "ignore_above": 1024, - "type": "keyword" - }, - "metadata": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "stack_trace": { - "doc_values": false, - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } 
- } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "original": { - "doc_values": false, - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - 
"properties": { - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - 
"ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - 
} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "method": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - 
"type": "keyword" - } - } - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "integer" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "original": { - "doc_values": false, - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "syslog": { - "properties": { - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "priority": { - "type": "long" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - } - } - }, - "message": { - "norms": false, - "type": "text" - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - 
"interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "thread": { - "properties": { - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "thread": { - "properties": { - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, 
- "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule": { - "dynamic": false, - "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - 
"properties": { - "address": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 
1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "tags": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "threat": { - "properties": { - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - 
"next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "keyword": { - "type": "keyword" - }, - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "vendor": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "winlog": { - "properties": { - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "type": "long" - }, - "logon": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "opcode": { - "type": "long" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "type": "long" - } - } - } - } - }, - "settings": { - "index": { - "auto_expand_replicas": "0-1", - "mapping": { - "ignore_malformed": true, - "total_fields": { - "limit": 10000 - } - }, - "number_of_shards": 5 - } - } -} 
diff --git a/salt/elasticsearch/templates/so/so-f5-template.json.jinja b/salt/elasticsearch/templates/so/so-f5-template.json.jinja
deleted file mode 100644
index 682a37c59..000000000
--- a/salt/elasticsearch/templates/so/so-f5-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-f5:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-f5:refresh', '30s') %}
-{
- "index_patterns": ["so-f5-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-firewall-template.json.jinja b/salt/elasticsearch/templates/so/so-firewall-template.json.jinja
deleted file mode 100644
index 7bc81fd12..000000000
--- a/salt/elasticsearch/templates/so/so-firewall-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-firewall:refresh', '30s') %}
-{
- "index_patterns": ["so-firewall-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-flow-template.json.jinja b/salt/elasticsearch/templates/so/so-flow-template.json.jinja
deleted file mode 100644
index 6c8f2fa9f..000000000
--- a/salt/elasticsearch/templates/so/so-flow-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-flow:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-flow:refresh', '30s') %}
-{
- "index_patterns": ["so-flow-*"],
- "version": 50001,
- "order": 11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-fortinet-template.json.jinja b/salt/elasticsearch/templates/so/so-fortinet-template.json.jinja
deleted file mode 100644
index 616607f52..000000000
--- a/salt/elasticsearch/templates/so/so-fortinet-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %}
-{
- "index_patterns": ["so-zeek-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-gcp-template.json.jinja b/salt/elasticsearch/templates/so/so-gcp-template.json.jinja
deleted file mode 100644
index 4f1db4f20..000000000
--- a/salt/elasticsearch/templates/so/so-gcp-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-gcp:refresh', '30s') %}
-{
- "index_patterns": ["so-gcp-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-google_workspace-template.json.jinja b/salt/elasticsearch/templates/so/so-google_workspace-template.json.jinja
deleted file mode 100644
index 5ae26780a..000000000
--- a/salt/elasticsearch/templates/so/so-google_workspace-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:refresh', '30s') %}
-{
- "index_patterns": ["so-google_workspace-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-ids-template.json.jinja b/salt/elasticsearch/templates/so/so-ids-template.json.jinja
deleted file mode 100644
index abf37319a..000000000
--- a/salt/elasticsearch/templates/so/so-ids-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ids:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ids:refresh', '30s') %}
-{
- "index_patterns": ["so-ids-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-imperva-template.json.jinja b/salt/elasticsearch/templates/so/so-imperva-template.json.jinja
deleted file mode 100644
index 1f574f33a..000000000
--- a/salt/elasticsearch/templates/so/so-imperva-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-imperva:refresh', '30s') %}
-{
- "index_patterns": ["so-imperva-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-import-template.json.jinja b/salt/elasticsearch/templates/so/so-import-template.json.jinja
deleted file mode 100644
index e4d68235d..000000000
--- a/salt/elasticsearch/templates/so/so-import-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-import:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-import:refresh', '30s') %}
-{
- "index_patterns": ["so-import-*"],
- "version":50001,
- "order": 11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-infoblox-template.json.jinja b/salt/elasticsearch/templates/so/so-infoblox-template.json.jinja
deleted file mode 100644
index de613de7f..000000000
--- a/salt/elasticsearch/templates/so/so-infoblox-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:refresh', '30s') %}
-{
- "index_patterns": ["so-infoblox-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-juniper-template.json.jinja b/salt/elasticsearch/templates/so/so-juniper-template.json.jinja
deleted file mode 100644
index f637271a9..000000000
--- a/salt/elasticsearch/templates/so/so-juniper-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-juniper:refresh', '30s') %}
-{
- "index_patterns": ["so-juniper-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-kibana-template.json.jinja b/salt/elasticsearch/templates/so/so-kibana-template.json.jinja
deleted file mode 100644
index fe2004b0e..000000000
--- a/salt/elasticsearch/templates/so/so-kibana-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-kibana:refresh', '30s') %}
-{
- "index_patterns": ["so-kibana-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-logstash-template.json.jinja b/salt/elasticsearch/templates/so/so-logstash-template.json.jinja
deleted file mode 100644
index 2cf0aba42..000000000
--- a/salt/elasticsearch/templates/so/so-logstash-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-logstash:refresh', '30s') %}
-{
- "index_patterns": ["so-logstash-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-microsoft-template.json.jinja b/salt/elasticsearch/templates/so/so-microsoft-template.json.jinja
deleted file mode 100644
index 3493ccbb2..000000000
--- a/salt/elasticsearch/templates/so/so-microsoft-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:refresh', '30s') %}
-{
- "index_patterns": ["so-microsoft-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-misp-template.json.jinja b/salt/elasticsearch/templates/so/so-misp-template.json.jinja
deleted file mode 100644
index 67af1efde..000000000
--- a/salt/elasticsearch/templates/so/so-misp-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-misp:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-misp:refresh', '30s') %}
-{
- "index_patterns": ["so-misp-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-netflow-template.json.jinja b/salt/elasticsearch/templates/so/so-netflow-template.json.jinja
deleted file mode 100644
index 62c0972bf..000000000
--- a/salt/elasticsearch/templates/so/so-netflow-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netflow:refresh', '30s') %}
-{
- "index_patterns": ["so-netflow-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-netscout-template.json.jinja b/salt/elasticsearch/templates/so/so-netscout-template.json.jinja
deleted file mode 100644
index 1dfe336d9..000000000
--- a/salt/elasticsearch/templates/so/so-netscout-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netscout:refresh', '30s') %}
-{
- "index_patterns": ["so-netscout-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-o365-template.json.jinja b/salt/elasticsearch/templates/so/so-o365-template.json.jinja
deleted file mode 100644
index c1f4826f4..000000000
--- a/salt/elasticsearch/templates/so/so-o365-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-o365:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-o365:refresh', '30s') %}
-{
- "index_patterns": ["so-o365-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-okta-template.json.jinja b/salt/elasticsearch/templates/so/so-okta-template.json.jinja
deleted file mode 100644
index a4f2df44e..000000000
--- a/salt/elasticsearch/templates/so/so-okta-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-okta:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-okta:refresh', '30s') %}
-{
- "index_patterns": ["so-okta-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-osquery-template.json.jinja b/salt/elasticsearch/templates/so/so-osquery-template.json.jinja
deleted file mode 100644
index 47cb3ebab..000000000
--- a/salt/elasticsearch/templates/so/so-osquery-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-osquery:refresh', '30s') %}
-{
- "index_patterns": ["so-osquery-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-ossec-template.json.jinja b/salt/elasticsearch/templates/so/so-ossec-template.json.jinja
deleted file mode 100644
index ce903e228..000000000
--- a/salt/elasticsearch/templates/so/so-ossec-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ossec:refresh', '30s') %}
-{
- "index_patterns": ["so-ossec-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-proofpoint-template.json.jinja b/salt/elasticsearch/templates/so/so-proofpoint-template.json.jinja
deleted file mode 100644
index d7b0ecbe2..000000000
--- a/salt/elasticsearch/templates/so/so-proofpoint-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:refresh', '30s') %}
-{
- "index_patterns": ["so-proofpoint-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-radware-template.json.jinja b/salt/elasticsearch/templates/so/so-radware-template.json.jinja
deleted file mode 100644
index 4efef6a4f..000000000
--- a/salt/elasticsearch/templates/so/so-radware-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-radware:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-radware:refresh', '30s') %}
-{
- "index_patterns": ["so-radware-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-redis-template.json.jinja b/salt/elasticsearch/templates/so/so-redis-template.json.jinja
deleted file mode 100644
index 616607f52..000000000
--- a/salt/elasticsearch/templates/so/so-redis-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %}
-{
- "index_patterns": ["so-zeek-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-snort-template.json.jinja b/salt/elasticsearch/templates/so/so-snort-template.json.jinja
deleted file mode 100644
index 325f86bde..000000000
--- a/salt/elasticsearch/templates/so/so-snort-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snort:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snort:refresh', '30s') %}
-{
- "index_patterns": ["so-snort-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-snyk-template.json.jinja b/salt/elasticsearch/templates/so/so-snyk-template.json.jinja
deleted file mode 100644
index 0c2d291cc..000000000
--- a/salt/elasticsearch/templates/so/so-snyk-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snyk:refresh', '30s') %}
-{
- "index_patterns": ["so-snyk-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-sonicwall-template.json.jinja b/salt/elasticsearch/templates/so/so-sonicwall-template.json.jinja
deleted file mode 100644
index b912e4d66..000000000
--- a/salt/elasticsearch/templates/so/so-sonicwall-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:refresh', '30s') %}
-{
- "index_patterns": ["so-sonicwall-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-sophos-template.json.jinja b/salt/elasticsearch/templates/so/so-sophos-template.json.jinja
deleted file mode 100644
index 689e19999..000000000
--- a/salt/elasticsearch/templates/so/so-sophos-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sophos:refresh', '30s') %}
-{
- "index_patterns": ["so-sophos-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-squid-template.json.jinja b/salt/elasticsearch/templates/so/so-squid-template.json.jinja
deleted file mode 100644
index 9398b8a99..000000000
--- a/salt/elasticsearch/templates/so/so-squid-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-squid:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-squid:refresh', '30s') %}
-{
- "index_patterns": ["so-squid-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-strelka-template.json.jinja b/salt/elasticsearch/templates/so/so-strelka-template.json.jinja
deleted file mode 100644
index 2f7db541a..000000000
--- a/salt/elasticsearch/templates/so/so-strelka-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-strelka:refresh', '30s') %}
-{
- "index_patterns": ["so-strelka-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-syslog-template.json.jinja b/salt/elasticsearch/templates/so/so-syslog-template.json.jinja
deleted file mode 100644
index 47f8d78e6..000000000
--- a/salt/elasticsearch/templates/so/so-syslog-template.json.jinja
+++ /dev/null
@@ -1,14 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-syslog:refresh', '30s') %}
-{
- "index_patterns": ["so-syslog-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
-
diff --git a/salt/elasticsearch/templates/so/so-tomcat-template.json.jinja b/salt/elasticsearch/templates/so/so-tomcat-template.json.jinja
deleted file mode 100644
index 797e71bcf..000000000
--- a/salt/elasticsearch/templates/so/so-tomcat-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:refresh', '30s') %}
-{
- "index_patterns": ["so-tomcat-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-zeek-template.json.jinja b/salt/elasticsearch/templates/so/so-zeek-template.json.jinja
deleted file mode 100644
index 616607f52..000000000
--- a/salt/elasticsearch/templates/so/so-zeek-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %}
-{
- "index_patterns": ["so-zeek-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-zscaler-template.json.jinja b/salt/elasticsearch/templates/so/so-zscaler-template.json.jinja
deleted file mode 100644
index 01d1cab2d..000000000
--- a/salt/elasticsearch/templates/so/so-zscaler-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:refresh', '30s') %}
-{
- "index_patterns": ["so-zscaler-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
index e4e112603..f3bcaa308 100755
--- a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
+++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
@@ -47,11 +47,24 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
 echo
 fi
-cd ${ELASTICSEARCH_TEMPLATES}
+cd ${ELASTICSEARCH_TEMPLATES}/component/ecs
+echo "Loading ECS component templates..."
+for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE-mappings"; {{ ELASTICCURL }} -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_component_template/$TEMPLATE-mappings -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done
+echo
-echo "Loading templates..."
-for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; {{ ELASTICCURL }} -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done
+# Load SO-specific component templates
+cd ${ELASTICSEARCH_TEMPLATES}/component/so
+
+echo "Loading Security Onion component templates..."
+for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE"; {{ ELASTICCURL }} -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_component_template/$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done
+echo
+
+# Load SO index templates
+cd ${ELASTICSEARCH_TEMPLATES}/index
+
+echo "Loading Security Onion index templates..."
+for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; {{ ELASTICCURL }} -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_index_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done
 echo
 cd - >/dev/null
diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson
index 1712da48b..98db07fa5 100644
--- a/salt/kibana/files/config_saved_objects.ndjson
+++ b/salt/kibana/files/config_saved_objects.ndjson
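Review bot: The three added `cd ${ELASTICSEARCH_TEMPLATES}/component/ecs`, `cd ${ELASTICSEARCH_TEMPLATES}/component/so` and `cd ${ELASTICSEARCH_TEMPLATES}/index` lines have no failure check, so if one directory is missing the `for i in *` that follows runs in whatever directory the shell is already in and PUTs those files as templates; ShellCheck reports this as SC2164. Write each as `cd "${ELASTICSEARCH_TEMPLATES}/component/ecs" || exit 1`, which also quotes the path. Each new loop additionally sends curl errors to `/dev/null` and never inspects the response, so a rejected template (for example malformed JSON) is only noticed by someone reading the echoed body; adding `-w '%{http_code}'` and exiting non-zero on a non-2xx status would make a broken template fail the script instead of going unnoticed. `$i` should be quoted as `echo "$i"` and `-d@"$i"`, since the names come straight from the directory listing.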
@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.16.3","id": "7.16.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.0","id": "7.17.0","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja
index 670dcf49e..772a97e17 100644
--- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja
@@ -15,9 +15,6 @@ output {
 password => "{{ ES_PASS }}"
 {% endif %}
 index => "so-zeek"
- template_name => "so-zeek"
- template => "/templates/so-zeek-template.json"
- template_overwrite => true
 ssl => true
 ssl_certificate_verification => false
 }
diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
index 1ebaa1082..58a78c08a 100644
--- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
@@ -15,9 +15,6 @@ output {
 password => "{{ ES_PASS }}"
 {% endif %}
 index => "so-import"
- template_name => "so-import"
- template => "/templates/so-import-template.json"
- template_overwrite => true
 ssl => true
 ssl_certificate_verification => false
 }
diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
index affa32d1a..88fe0d2b7 100644
--- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
@@ -14,9 +14,6 @@ output {
 password => "{{ ES_PASS }}"
 {% endif %}
 index => "so-flow"
- template_name => "so-flow"
- template => "/templates/so-flow-template.json"
- template_overwrite => true
 ssl => true
 ssl_certificate_verification => false
 }
diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
index ea603b016..5ce7ee343 100644
--- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
@@ -14,9 +14,6 @@ output {
 password => "{{ ES_PASS }}"
 {% endif %}
 index => "so-ids"
- template_name => "so-ids"
- template => "/templates/so-ids-template.json"
- template_overwrite => true
 ssl => true
 ssl_certificate_verification => false
 }
diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
index ab8508bf3..b222ec2e1 100644
--- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
@@ -15,9 +15,6 @@ output {
 password => "{{ ES_PASS }}"
 {% endif %}
 index => "so-syslog"
- template_name => "so-syslog"
- template => "/templates/so-syslog-template.json"
- template_overwrite => true
 ssl => true
 ssl_certificate_verification => false
 }
diff --git a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja
index f8a9b25af..ef460d463 100644
--- a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja
@@ -16,9 +16,6 @@ output {
 password => "{{ ES_PASS }}"
 {% endif %}
 index => "so-%{[event][module]}-%{+YYYY.MM.dd}"
- template_name => "so-common"
- template => "/templates/so-common-template.json"
- template_overwrite => true
 ssl => true
 ssl_certificate_verification => false
 }
diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
index b997ea7be..745ebeb19 100644
--- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
@@ -15,9 +15,6 @@ output {
 password => "{{ ES_PASS }}"
 {% endif %}
 index => "so-osquery"
- template_name => "so-osquery"
- template => "/templates/so-osquery-template.json"
- template_overwrite => true
 ssl => true
 ssl_certificate_verification => false
 }
diff --git a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja
index fce35b5a4..aa4af89fd 100644
--- a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja
@@ -37,9 +37,6 @@ output {
 password => "{{ ES_PASS }}"
 {% endif %}
 index => "so-osquery"
- template_name => "so-osquery"
- template => "/templates/so-osquery-template.json"
- template_overwrite => true
 ssl => true
 ssl_certificate_verification => false
 }
diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
index e82dbb4f8..f6b8d4098 100644
--- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
@@ -14,9 +14,6 @@ output {
 password => "{{ ES_PASS }}"
 {% endif %}
 index => "so-firewall"
- template_name => "so-firewall"
- template => "/templates/so-firewall-template.json"
- template_overwrite => true
 ssl => true
 ssl_certificate_verification => false
 }
diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
index 34e2bab7c..598e9c741 100644
--- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
@@ -15,8 +15,6 @@ output {
 password => "{{ ES_PASS }}"
 {% endif %}
 index => "so-ids"
- template_name => "so-ids"
- template => "/templates/so-ids-template.json"
 ssl => true
 ssl_certificate_verification => false
 }
diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
index 869b6d553..03326a320 100644
--- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
@@ -16,9 +16,6 @@ output {
 password => "{{ ES_PASS }}"
 {% endif %}
 index => "so-beats"
- template_name => "so-beats"
- template => "/templates/so-beats-template.json"
- template_overwrite => true
 ssl => true
 ssl_certificate_verification => false
 document_id => "%{[metadata][_id]}"
@@ -32,9 +29,6 @@ output {
 password => "{{ ES_PASS }}"
 {% endif %}
 index => "so-beats"
- template_name => "so-beats"
- template => "/templates/so-beats-template.json"
- template_overwrite => true
 ssl => true
 ssl_certificate_verification => false
 }
diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
index 6e03d8c72..4555fb8bb 100644
--- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
@@ -15,9 +15,6 @@ output {
 password => "{{ ES_PASS }}"
 {% endif %}
 index => "so-ossec"
- template_name => "so-ossec"
- template => "/templates/so-ossec-template.json"
- template_overwrite => true
 ssl => true
 ssl_certificate_verification => false
 }
diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
index 007f1370e..09a677d1f 100644
--- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
@@ -15,9 +15,6 @@ output {
 password => "{{ ES_PASS }}"
 {% endif %}
 index => "so-strelka"
- template_name => "so-strelka"
- template => "/templates/so-strelka-template.json"
- template_overwrite => true
 ssl => true
 ssl_certificate_verification => false
 }
diff --git a/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja b/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja
index 86944d155..8bfa166c4 100644
--- a/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja
@@ -17,9 +17,6 @@ output {
 password => "{{ ES_PASS }}"
 {% endif %}
 index => "so-logscan"
- template_name => "so-common"
- template => "/templates/so-common-template.json"
- template_overwrite => true
 ssl => true
 ssl_certificate_verification => false
 }
diff --git a/salt/manager/files/acng/acng.conf b/salt/manager/files/acng/acng.conf
index 1b7f05e04..1f1f53754 100644
--- a/salt/manager/files/acng/acng.conf
+++ b/salt/manager/files/acng/acng.conf
@@ -80,7 +80,7 @@ RedirMax: 6
 VfileUseRangeOps: -1
 # PassThroughPattern: private-ppa\.launchpad\.net:443$
 # PassThroughPattern: .* # this would allow CONNECT to everything
-PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirrors\.fedoraproject\.org:443|packages\.wazuh\.com:443|repo\.saltstack\.com:443|yum\.dockerproject\.org:443|download\.docker\.com:443|registry\.npmjs\.org:443|registry\.yarnpkg\.com:443)$ # yarn/npm pkg, cant to http :/
+PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirrors\.fedoraproject\.org:443|packages\.wazuh\.com:443|repo\.saltstack\.com:443|repo\.saltproject\.io:443|yum\.dockerproject\.org:443|download\.docker\.com:443|registry\.npmjs\.org:443|registry\.yarnpkg\.com:443)$ # yarn/npm pkg, cant to http :/
 # ResponseFreezeDetectTime: 500
 # ReuseConnections: 1
 # PipelineDepth: 255
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 0958c0db1..7ac6687e1 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -23,7 +23,7 @@ include:
 {% else %}
 include:
 - ca.dirs
- {% set x509dict = salt['mine.get'](manager~'*', 'x509.get_pem_entries') %}
+ {% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %}
 {% for host in x509dict %}
 {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %}
 {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %}
diff --git a/setup/automation/distributed-airgap-manager b/setup/automation/distributed-airgap-manager
index 2c416fd2c..66765c38a 100644
--- a/setup/automation/distributed-airgap-manager
+++ b/setup/automation/distributed-airgap-manager
@@ -34,7 +34,7 @@ GRAFANA=1
 # HELIXAPIKEY=
 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
 HNSENSOR=inherit
-HOSTNAME=distributed-manager
+HOSTNAME=Distributed-manager
 install_type=MANAGER
 INTERWEBS=AIRGAP
 # LSINPUTBATCHCOUNT=
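Review bot: The new `PassThroughPattern` line still lists `download\.docker\.com:443` twice (once after `repo\.securityonion\.net:443` and again after `yum\.dockerproject\.org:443`); since this line is the CONNECT allow-list for the cache proxy, every entry should be deliberate and reviewable, so drop the duplicate while adding `repo\.saltproject\.io:443`. The pattern is also only anchored at the end (`)$`), which matches the shipped `private-ppa\.launchpad\.net:443$` example; if apt-cacher-ng evaluates it as a search rather than a full match, anchoring the alternation with `^(` as well would make the list match exact host:port values only, which is worth confirming against the acng documentation before relying on it. A short comment naming why each host is needed (Salt, Docker, Wazuh, Fedora, npm/yarn) would make future additions easier to audit than the trailing `# yarn/npm pkg` remark covers.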
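Review bot: The changed `mine.get` target `manager | lower~'*'` still globs on a prefix, so it returns every minion whose id merely starts with the lowercased manager name, not only the manager itself; the `for host in x509dict` loop that follows (its body continues outside the hunk) narrows this by role suffix (`'manager' in host.split('_')|last` or `== 'standalone'`), but any other minion whose id happens to share the prefix and carry such a suffix would also have its `/etc/pki/ca.crt` appended to `global_ca_text`. If minion ids are always `<hostname>_<role>`, as the `split('_')|last` filter suggests, tightening the target to `(manager | lower) ~ '_*'` would limit the lookup to that host's own roles — confirm the id format before changing it. Stylistically, `(manager | lower) ~ '*'` with parentheses also makes the intended precedence of the filter over `~` explicit, and a one-line comment such as `{# minion ids are lowercase; normalise the configured manager name before globbing #}` would record why `lower` was added here.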
diff --git a/setup/automation/distributed-airgap-sensor b/setup/automation/distributed-airgap-sensor
index dea80f8e0..597cbd1d5 100644
--- a/setup/automation/distributed-airgap-sensor
+++ b/setup/automation/distributed-airgap-sensor
@@ -34,7 +34,7 @@ ZEEKVERSION=ZEEK
 # HELIXAPIKEY=
 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
 HNSENSOR=inherit
-HOSTNAME=distributed-sensor
+HOSTNAME=Distributed-sensor
 install_type=SENSOR
 # LSINPUTBATCHCOUNT=
 # LSINPUTTHREADS=
diff --git a/sigs/securityonion-2.3.100-20220202.iso.sig b/sigs/securityonion-2.3.100-20220202.iso.sig
new file mode 100644
index 000000000..228dafb16
Binary files /dev/null and b/sigs/securityonion-2.3.100-20220202.iso.sig differ
diff --git a/sigs/securityonion-2.3.100-20220203.iso.sig b/sigs/securityonion-2.3.100-20220203.iso.sig
new file mode 100644
index 000000000..296efd987
Binary files /dev/null and b/sigs/securityonion-2.3.100-20220203.iso.sig differ