From 9db1510b0e4a1608246b512a035520523387413c Mon Sep 17 00:00:00 2001 
From: Wes Lambert Date: Wed, 2 Feb 2022 02:08:31 +0000 Subject: [PATCH 01/40] Initial composable template configuration and base mappings --- salt/elasticsearch/defaults.yaml | 2 +- salt/elasticsearch/init.sls | 17 +- .../templates/component/ecs/agent.json | 44 + .../templates/component/ecs/base.json | 25 + .../templates/component/ecs/client.json | 187 ++ .../templates/component/ecs/cloud.json | 80 + .../templates/component/ecs/container.json | 43 + .../templates/component/ecs/data_stream.json | 25 + .../templates/component/ecs/destination.json | 187 ++ .../templates/component/ecs/dll.json | 116 + .../templates/component/ecs/dns.json | 91 + .../templates/component/ecs/ecs.json | 20 + .../templates/component/ecs/error.json | 39 + .../templates/component/ecs/event.json | 112 + .../templates/component/ecs/file.json | 424 +++ .../templates/component/ecs/group.json | 28 + .../templates/component/ecs/host.json | 247 ++ .../templates/component/ecs/http.json | 87 + .../templates/component/ecs/log.json | 86 + .../templates/component/ecs/network.json | 86 + .../templates/component/ecs/observer.json | 214 ++ .../templates/component/ecs/orchestrator.json | 60 + .../templates/component/ecs/organization.json | 29 + .../templates/component/ecs/package.json | 66 + .../templates/component/ecs/process.json | 612 ++++ .../templates/component/ecs/registry.json | 47 + .../templates/component/ecs/related.json | 31 + .../templates/component/ecs/rule.json | 56 + .../templates/component/ecs/server.json | 187 ++ .../templates/component/ecs/service.json | 56 + .../templates/component/ecs/source.json | 187 ++ .../templates/component/ecs/threat.json | 1650 +++++++++ .../templates/component/ecs/tls.json | 354 ++ .../templates/component/ecs/tracing.json | 36 + .../templates/component/ecs/url.json | 78 + .../templates/component/ecs/user.json | 244 ++ .../templates/component/ecs/user_agent.json | 83 + .../component/ecs/vulnerability.json | 78 + .../templates/component/so/case-mappings.json | 213 
++ .../templates/component/so/case-settings.json | 65 + .../component/so/common-dynamic-mappings.json | 56 + .../component/so/common-settings.json | 65 + .../templates/component/so/dtc-event-mappings | 127 + .../component/so/dtc-observer-mappings | 219 ++ .../custom/place_custom_template_in_local | 0 .../index/so/so-aws-template.json.jinja | 89 + .../index/so/so-azure-template.json.jinja | 89 + .../index/so/so-barracuda-template.json.jinja | 89 + .../index/so/so-beats-template.json.jinja | 89 + .../index/so/so-bluecoat-template.json.jinja | 89 + .../index/so/so-case-template.json.jinja | 53 + .../index/so/so-cef-template.json.jinja | 89 + .../so/so-checkpoint-template.json.jinja | 89 + .../index/so/so-cisco-template.json.jinja | 90 + .../index/so/so-common-template.json.jinja | 89 + .../index/so/so-cyberark-template.json.jinja | 89 + .../index/so/so-cylance-template.json.jinja | 89 + .../so/so-elasticsearch-template.json.jinja | 89 + .../index/so/so-endgame-template.json.jinja | 89 + .../index/so/so-f5-template.json.jinja | 89 + .../index/so/so-firewall-template.json.jinja | 89 + .../index/so/so-flow-template.json.jinja | 89 + .../index/so/so-fortinet-template.json.jinja | 89 + .../index/so/so-gcp-template.json.jinja | 89 + .../so-google_workspace-template.json.jinja | 89 + .../index/so/so-ids-template.json.jinja | 89 + .../index/so/so-imperva-template.json.jinja | 89 + .../index/so/so-import-template.json.jinja | 89 + .../index/so/so-infoblox-template.json.jinja | 89 + .../index/so/so-juniper-template.json.jinja | 89 + .../index/so/so-kibana-template.json.jinja | 89 + .../index/so/so-logstash-template.json.jinja | 89 + .../index/so/so-microsoft-template.json.jinja | 89 + .../index/so/so-misp-template.json.jinja | 89 + .../index/so/so-netflow-template.json.jinja | 89 + .../index/so/so-netscout-template.json.jinja | 89 + .../index/so/so-o365-template.json.jinja | 89 + .../index/so/so-okta-template.json.jinja | 89 + .../index/so/so-osquery-template.json.jinja | 89 + 
.../index/so/so-ossec-template.json.jinja | 89 + .../so/so-proofpoint-template.json.jinja | 89 + .../index/so/so-radware-template.json.jinja | 89 + .../index/so/so-redis-template.json.jinja | 89 + .../index/so/so-snort-template.json.jinja | 89 + .../index/so/so-snyk-template.json.jinja | 89 + .../index/so/so-sonicwall-template.json.jinja | 89 + .../index/so/so-sophos-template.json.jinja | 89 + .../index/so/so-squid-template.json.jinja | 89 + .../index/so/so-strelka-template.json.jinja | 89 + .../index/so/so-syslog-template.json.jinja | 89 + .../index/so/so-tomcat-template.json.jinja | 89 + .../index/so/so-zeek-template.json.jinja | 89 + .../index/so/so-zscaler-template.json.jinja | 89 + .../templates/so/so-aws-template.json.jinja | 13 - .../templates/so/so-azure-template.json.jinja | 13 - .../so/so-barracuda-template.json.jinja | 13 - .../templates/so/so-beats-template.json.jinja | 13 - .../so/so-bluecoat-template.json.jinja | 13 - .../templates/so/so-case-template.json.jinja | 226 -- .../templates/so/so-cef-template.json.jinja | 13 - .../so/so-checkpoint-template.json.jinja | 13 - .../templates/so/so-cisco-template.json.jinja | 13 - .../so/so-common-template.json.jinja | 702 ---- .../so/so-cyberark-template.json.jinja | 13 - .../so/so-cylance-template.json.jinja | 13 - .../so/so-elasticsearch-template.json.jinja | 13 - .../so/so-endgame-template.json.jinja | 2976 ----------------- .../templates/so/so-f5-template.json.jinja | 13 - .../so/so-firewall-template.json.jinja | 13 - .../templates/so/so-flow-template.json.jinja | 13 - .../so/so-fortinet-template.json.jinja | 13 - .../templates/so/so-gcp-template.json.jinja | 13 - .../so-google_workspace-template.json.jinja | 13 - .../templates/so/so-ids-template.json.jinja | 13 - .../so/so-imperva-template.json.jinja | 13 - .../so/so-import-template.json.jinja | 13 - .../so/so-infoblox-template.json.jinja | 13 - .../so/so-juniper-template.json.jinja | 13 - .../so/so-kibana-template.json.jinja | 13 - 
.../so/so-logstash-template.json.jinja | 13 - .../so/so-microsoft-template.json.jinja | 13 - .../templates/so/so-misp-template.json.jinja | 13 - .../so/so-netflow-template.json.jinja | 13 - .../so/so-netscout-template.json.jinja | 13 - .../templates/so/so-o365-template.json.jinja | 13 - .../templates/so/so-okta-template.json.jinja | 13 - .../so/so-osquery-template.json.jinja | 13 - .../templates/so/so-ossec-template.json.jinja | 13 - .../so/so-proofpoint-template.json.jinja | 13 - .../so/so-radware-template.json.jinja | 13 - .../templates/so/so-redis-template.json.jinja | 13 - .../templates/so/so-snort-template.json.jinja | 13 - .../templates/so/so-snyk-template.json.jinja | 13 - .../so/so-sonicwall-template.json.jinja | 13 - .../so/so-sophos-template.json.jinja | 13 - .../templates/so/so-squid-template.json.jinja | 13 - .../so/so-strelka-template.json.jinja | 13 - .../so/so-syslog-template.json.jinja | 14 - .../so/so-tomcat-template.json.jinja | 13 - .../templates/so/so-zeek-template.json.jinja | 13 - .../so/so-zscaler-template.json.jinja | 13 - .../sbin/so-elasticsearch-templates-load | 19 +- .../config/so/9000_output_zeek.conf.jinja | 3 - .../config/so/9002_output_import.conf.jinja | 3 - .../config/so/9004_output_flow.conf.jinja | 3 - .../config/so/9033_output_snort.conf.jinja | 3 - .../config/so/9034_output_syslog.conf.jinja | 3 - .../so/9050_output_filebeatmodules.conf.jinja | 3 - .../config/so/9100_output_osquery.conf.jinja | 3 - .../9101_output_osquery_livequery.conf.jinja | 3 - .../config/so/9200_output_firewall.conf.jinja | 3 - .../config/so/9400_output_suricata.conf.jinja | 2 - .../config/so/9500_output_beats.conf.jinja | 6 - .../config/so/9600_output_ossec.conf.jinja | 3 - .../config/so/9700_output_strelka.conf.jinja | 3 - .../config/so/9800_output_logscan.conf.jinja | 3 - 156 files changed, 11007 insertions(+), 4542 deletions(-) create mode 100644 salt/elasticsearch/templates/component/ecs/agent.json create mode 100644 
salt/elasticsearch/templates/component/ecs/base.json create mode 100644 salt/elasticsearch/templates/component/ecs/client.json create mode 100644 salt/elasticsearch/templates/component/ecs/cloud.json create mode 100644 salt/elasticsearch/templates/component/ecs/container.json create mode 100644 salt/elasticsearch/templates/component/ecs/data_stream.json create mode 100644 salt/elasticsearch/templates/component/ecs/destination.json create mode 100644 salt/elasticsearch/templates/component/ecs/dll.json create mode 100644 salt/elasticsearch/templates/component/ecs/dns.json create mode 100644 salt/elasticsearch/templates/component/ecs/ecs.json create mode 100644 salt/elasticsearch/templates/component/ecs/error.json create mode 100644 salt/elasticsearch/templates/component/ecs/event.json create mode 100644 salt/elasticsearch/templates/component/ecs/file.json create mode 100644 salt/elasticsearch/templates/component/ecs/group.json create mode 100644 salt/elasticsearch/templates/component/ecs/host.json create mode 100644 salt/elasticsearch/templates/component/ecs/http.json create mode 100644 salt/elasticsearch/templates/component/ecs/log.json create mode 100644 salt/elasticsearch/templates/component/ecs/network.json create mode 100644 salt/elasticsearch/templates/component/ecs/observer.json create mode 100644 salt/elasticsearch/templates/component/ecs/orchestrator.json create mode 100644 salt/elasticsearch/templates/component/ecs/organization.json create mode 100644 salt/elasticsearch/templates/component/ecs/package.json create mode 100644 salt/elasticsearch/templates/component/ecs/process.json create mode 100644 salt/elasticsearch/templates/component/ecs/registry.json create mode 100644 salt/elasticsearch/templates/component/ecs/related.json create mode 100644 salt/elasticsearch/templates/component/ecs/rule.json create mode 100644 salt/elasticsearch/templates/component/ecs/server.json create mode 100644 salt/elasticsearch/templates/component/ecs/service.json create mode 
100644 salt/elasticsearch/templates/component/ecs/source.json create mode 100644 salt/elasticsearch/templates/component/ecs/threat.json create mode 100644 salt/elasticsearch/templates/component/ecs/tls.json create mode 100644 salt/elasticsearch/templates/component/ecs/tracing.json create mode 100644 salt/elasticsearch/templates/component/ecs/url.json create mode 100644 salt/elasticsearch/templates/component/ecs/user.json create mode 100644 salt/elasticsearch/templates/component/ecs/user_agent.json create mode 100644 salt/elasticsearch/templates/component/ecs/vulnerability.json create mode 100644 salt/elasticsearch/templates/component/so/case-mappings.json create mode 100644 salt/elasticsearch/templates/component/so/case-settings.json create mode 100644 salt/elasticsearch/templates/component/so/common-dynamic-mappings.json create mode 100644 salt/elasticsearch/templates/component/so/common-settings.json create mode 100644 salt/elasticsearch/templates/component/so/dtc-event-mappings create mode 100644 salt/elasticsearch/templates/component/so/dtc-observer-mappings rename salt/elasticsearch/templates/{ => index}/custom/place_custom_template_in_local (100%) create mode 100644 salt/elasticsearch/templates/index/so/so-aws-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-azure-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-beats-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-case-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-cef-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja create mode 100644 
salt/elasticsearch/templates/index/so/so-common-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-f5-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-flow-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-ids-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-import-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-misp-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja create mode 100644 
salt/elasticsearch/templates/index/so/so-o365-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-okta-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-radware-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-redis-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-snort-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-squid-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja create mode 100644 salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-aws-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-azure-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-barracuda-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-beats-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-bluecoat-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-case-template.json.jinja delete mode 100644 
salt/elasticsearch/templates/so/so-cef-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-checkpoint-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-cisco-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-common-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-cyberark-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-cylance-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-elasticsearch-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-endgame-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-f5-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-firewall-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-flow-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-fortinet-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-gcp-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-google_workspace-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-ids-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-imperva-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-import-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-infoblox-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-juniper-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-kibana-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-logstash-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-microsoft-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-misp-template.json.jinja delete mode 100644 salt/elasticsearch/templates/so/so-netflow-template.json.jinja delete mode 100644 
salt/elasticsearch/templates/so/so-netscout-template.json.jinja
delete mode 100644 salt/elasticsearch/templates/so/so-o365-template.json.jinja
delete mode 100644 salt/elasticsearch/templates/so/so-okta-template.json.jinja
delete mode 100644 salt/elasticsearch/templates/so/so-osquery-template.json.jinja
delete mode 100644 salt/elasticsearch/templates/so/so-ossec-template.json.jinja
delete mode 100644 salt/elasticsearch/templates/so/so-proofpoint-template.json.jinja
delete mode 100644 salt/elasticsearch/templates/so/so-radware-template.json.jinja
delete mode 100644 salt/elasticsearch/templates/so/so-redis-template.json.jinja
delete mode 100644 salt/elasticsearch/templates/so/so-snort-template.json.jinja
delete mode 100644 salt/elasticsearch/templates/so/so-snyk-template.json.jinja
delete mode 100644 salt/elasticsearch/templates/so/so-sonicwall-template.json.jinja
delete mode 100644 salt/elasticsearch/templates/so/so-sophos-template.json.jinja
delete mode 100644 salt/elasticsearch/templates/so/so-squid-template.json.jinja
delete mode 100644 salt/elasticsearch/templates/so/so-strelka-template.json.jinja
delete mode 100644 salt/elasticsearch/templates/so/so-syslog-template.json.jinja
delete mode 100644 salt/elasticsearch/templates/so/so-tomcat-template.json.jinja
delete mode 100644 salt/elasticsearch/templates/so/so-zeek-template.json.jinja
delete mode 100644 salt/elasticsearch/templates/so/so-zscaler-template.json.jinja
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 737c1118e..bfeeadb20 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -55,7 +55,7 @@ elasticsearch:
 indices:
 query:
 bool:
- max_clause_count: 1500
+ max_clause_count: 3000
 id_field_data:
 enabled: false
 logger:
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index ece110c8b..aa3c6cbd6 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
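Review bot: The raise of `indices.query.bool.max_clause_count` from 1500 to 3000 in the defaults.yaml hunk carries no note on what drove it, and a higher clause limit lets a single boolean query consume proportionally more CPU and heap on the node, so the trade-off should be recorded next to the value. A one-line comment such as `# raised from 1500: <reason the old limit was hit, e.g. which query or template>` would tell the next maintainer when it is safe to lower again. If this value is rendered into elasticsearch.yml it is a node-level setting that only takes effect after the service restarts, which is worth confirming the state handles.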
@@ -147,11 +147,13 @@ esingestdir: estemplatedir: file.directory: - - name: /opt/so/conf/elasticsearch/templates + - name: /opt/so/conf/elasticsearch/templates/index - user: 930 - group: 939 - makedirs: True + + esrolesdir: file.directory: - name: /opt/so/conf/elasticsearch/roles @@ -200,17 +202,24 @@ esyml: {% for TEMPLATE in TEMPLATES %} es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}: file.managed: - - source: salt://elasticsearch/templates/{{TEMPLATE}} + - source: salt://elasticsearch/templates/index/{{TEMPLATE}} {% if 'jinja' in TEMPLATE.split('.')[-1] %} - - name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}} + - name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}} - template: jinja {% else %} - - name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1]}} + - name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1]}} {% endif %} - user: 930 - group: 939 {% endfor %} +escomponenttemplates: + file.recurse: + - name: /opt/so/conf/elasticsearch/templates/component + - source: salt://elasticsearch/templates/component + - user: 930 + - group: 939 + esroles: file.recurse: - source: salt://elasticsearch/roles/ diff --git a/salt/elasticsearch/templates/component/ecs/agent.json b/salt/elasticsearch/templates/component/ecs/agent.json new file mode 100644 index 000000000..4c7f8738e --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/agent.json 
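Review bot: The new `escomponenttemplates` state in the second hunk uses `file.recurse` without `- clean: True`, so a component template later renamed or dropped from `salt://elasticsearch/templates/component` stays under `/opt/so/conf/elasticsearch/templates/component` on the minion; if the loader script (changed by this commit but outside this chunk) iterates that directory, the stale file would keep being pushed to Elasticsearch. The `es_template_*` loop above has the same gap with its per-file `file.managed`, so the cleanup may belong in the loader instead, but the decision should be visible here, either as `- clean: True` under the recurse or as a comment such as `# stale component templates are not removed here; the loader must ignore unknown files`. The two added blank lines after `- makedirs: True` in the first hunk read as stray whitespace. The `esroles` block continues past the end of the hunk.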
@@ -0,0 +1,44 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/base.json b/salt/elasticsearch/templates/component/ecs/base.json new file mode 100644 index 000000000..f409ed95a --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/base.json @@ -0,0 +1,25 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "@timestamp": { + "type": "date" + }, + "labels": { + "type": "object" + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/client.json b/salt/elasticsearch/templates/component/ecs/client.json new file mode 100644 index 000000000..7f5a2169e --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/client.json 
@@ -0,0 +1,187 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 
1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/cloud.json b/salt/elasticsearch/templates/component/ecs/cloud.json new file mode 100644 index 000000000..f41ab4a8f --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/cloud.json 
@@ -0,0 +1,80 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/container.json b/salt/elasticsearch/templates/component/ecs/container.json new file mode 100644 index 000000000..bd5ce8113 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/container.json 
@@ -0,0 +1,43 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/data_stream.json b/salt/elasticsearch/templates/component/ecs/data_stream.json new file mode 100644 index 000000000..dfbfe3f51 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/data_stream.json @@ -0,0 +1,25 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "data_stream": { + "properties": { + "dataset": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/destination.json b/salt/elasticsearch/templates/component/ecs/destination.json new file mode 100644 index 000000000..4fac31200 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/destination.json 
@@ -0,0 +1,187 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/dll.json b/salt/elasticsearch/templates/component/ecs/dll.json new file mode 100644 index 000000000..84667a6b9 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/dll.json 
@@ -0,0 +1,116 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/dns.json b/salt/elasticsearch/templates/component/ecs/dns.json new file mode 100644 index 000000000..321a061f5 --- /dev/null 
+++ b/salt/elasticsearch/templates/component/ecs/dns.json @@ -0,0 +1,91 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/ecs.json b/salt/elasticsearch/templates/component/ecs/ecs.json new file mode 100644 index 000000000..9abfcf61c --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/ecs.json 
@@ -0,0 +1,20 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/error.json b/salt/elasticsearch/templates/component/ecs/error.json new file mode 100644 index 000000000..c33f580ab --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/error.json @@ -0,0 +1,39 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "type": "match_only_text" + }, + "stack_trace": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/event.json b/salt/elasticsearch/templates/component/ecs/event.json new file mode 100644 index 000000000..0d43760a2 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/event.json 
@@ -0,0 +1,112 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/file.json b/salt/elasticsearch/templates/component/ecs/file.json new file mode 100644 index 000000000..6242cc324 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/file.json 
@@ -0,0 +1,424 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + 
"type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/group.json b/salt/elasticsearch/templates/component/ecs/group.json new file mode 100644 index 000000000..ed40b4d9f --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/group.json @@ -0,0 +1,28 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/host.json b/salt/elasticsearch/templates/component/ecs/host.json new file mode 100644 index 000000000..cf69aad56 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/host.json 
@@ -0,0 +1,247 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/http.json b/salt/elasticsearch/templates/component/ecs/http.json new file mode 100644 index 000000000..d6164a191 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/http.json 
@@ -0,0 +1,87 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/log.json b/salt/elasticsearch/templates/component/ecs/log.json new file mode 100644 index 000000000..e79661b5e --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/log.json 
@@ -0,0 +1,86 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "integer" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/network.json b/salt/elasticsearch/templates/component/ecs/network.json new file mode 100644 index 000000000..c2e35efd0 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/network.json 
@@ -0,0 +1,86 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/observer.json b/salt/elasticsearch/templates/component/ecs/observer.json new file mode 100644 index 000000000..ecd3b1155 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/observer.json 
@@ -0,0 +1,214 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + 
"ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/orchestrator.json b/salt/elasticsearch/templates/component/ecs/orchestrator.json new file mode 100644 index 000000000..87f2af201 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/orchestrator.json 
@@ -0,0 +1,60 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/organization.json b/salt/elasticsearch/templates/component/ecs/organization.json new file mode 100644 index 000000000..b0ea050fa --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/organization.json @@ -0,0 +1,29 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/package.json b/salt/elasticsearch/templates/component/ecs/package.json new file mode 100644 index 000000000..b726f8f7f --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/package.json 
@@ -0,0 +1,66 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/process.json b/salt/elasticsearch/templates/component/ecs/process.json new file mode 100644 index 000000000..a95fe6bba --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/process.json 
@@ -0,0 +1,612 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/registry.json b/salt/elasticsearch/templates/component/ecs/registry.json new file mode 100644 index 000000000..7cfa34ad6 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/registry.json @@ -0,0 +1,47 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/salt/elasticsearch/templates/component/ecs/related.json b/salt/elasticsearch/templates/component/ecs/related.json new file mode 100644 index 000000000..1af1593c8 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/related.json @@ -0,0 +1,31 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/rule.json b/salt/elasticsearch/templates/component/ecs/rule.json new file mode 100644 index 000000000..400c64f6d --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/rule.json @@ -0,0 +1,56 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/salt/elasticsearch/templates/component/ecs/server.json b/salt/elasticsearch/templates/component/ecs/server.json
new file mode 100644
index 000000000..a7587e954
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/server.json
@@ -0,0 +1,187 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 
1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/service.json b/salt/elasticsearch/templates/component/ecs/service.json new file mode 100644 index 000000000..2fbdad6d4 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/service.json @@ -0,0 +1,56 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/salt/elasticsearch/templates/component/ecs/source.json b/salt/elasticsearch/templates/component/ecs/source.json
new file mode 100644
index 000000000..9408e0133
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/source.json
@@ -0,0 +1,187 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 
1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/threat.json b/salt/elasticsearch/templates/component/ecs/threat.json new file mode 100644 index 000000000..4bed345e1 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/threat.json 
@@ -0,0 +1,1650 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + 
"exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": 
"date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + 
"properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + } + }, + "type": "nested" + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 
1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/tls.json b/salt/elasticsearch/templates/component/ecs/tls.json new file mode 100644 index 000000000..413f217ad --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/tls.json 
@@ -0,0 +1,354 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": 
false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/tracing.json b/salt/elasticsearch/templates/component/ecs/tracing.json new file mode 100644 index 000000000..7db45e4a2 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/tracing.json 
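Review bot: The `_meta.documentation` URL in tls.json points at `https://www.elastic.co/guide/en/ecs/current/ecs-tls.html` while `_meta.ecs_version` pins `1.12.2`, so the link will describe whatever ECS release happens to be current rather than the schema these mappings actually implement; tracing.json, url.json, user.json, user_agent.json and vulnerability.json carry the same `current` link. A release-pinned documentation path that agrees with `ecs_version`, plus a top-level `"version"` key as case-settings.json sets, would let an operator tell which revision of a deployed component template they are looking at. These look like ECS-generated component templates, so the change is presumably best made in whatever produces them rather than by hand.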
@@ -0,0 +1,36 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "span": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "trace": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "transaction": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/templates/component/ecs/url.json b/salt/elasticsearch/templates/component/ecs/url.json
new file mode 100644
index 000000000..efdaed1fb
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/url.json
@@ -0,0 +1,78 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "url": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "extension": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fragment": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ },
+ "original": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "type": "wildcard"
+ },
+ "password": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "type": "wildcard"
+ },
+ "port": {
+ "type": "long"
+ },
+ "query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "registered_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scheme": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subdomain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "top_level_domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "username": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
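Review bot: `url.password` is mapped as an indexed `keyword`, so any source that populates it stores credentials embedded in URLs in clear and makes them searchable; the hunk follows ECS here, but nothing in the commit says whether an ingest pipeline strips or redacts that field before it reaches the index. Until such a pipeline exists the retention should at least be stated in the template's `_meta`, e.g. `"description": "url.* per ECS; url.password is indexed as-is, redact upstream if credentials must not be stored"`. The same field appears under `threat.indicator.url` in threat.json, whose hunk starts before this chunk.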
diff --git a/salt/elasticsearch/templates/component/ecs/user.json b/salt/elasticsearch/templates/component/ecs/user.json
new file mode 100644
index 000000000..1ad4bac67
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/user.json
@@ -0,0 +1,244 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "user": {
+ "properties": {
+ "changes": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "effective": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "target": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/templates/component/ecs/user_agent.json b/salt/elasticsearch/templates/component/ecs/user_agent.json
new file mode 100644
index 000000000..9a0517e6d
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/user_agent.json
@@ -0,0 +1,83 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "user_agent": {
+ "properties": {
+ "device": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "original": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os": {
+ "properties": {
+ "family": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "kernel": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "platform": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/templates/component/ecs/vulnerability.json b/salt/elasticsearch/templates/component/ecs/vulnerability.json
new file mode 100644
index 000000000..d7d8db4d6
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/vulnerability.json
@@ -0,0 +1,78 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "vulnerability": {
+ "properties": {
+ "category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "classification": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "enumeration": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "report_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "scanner": {
+ "properties": {
+ "vendor": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "score": {
+ "properties": {
+ "base": {
+ "type": "float"
+ },
+ "environmental": {
+ "type": "float"
+ },
+ "temporal": {
+ "type": "float"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/templates/component/so/case-mappings.json b/salt/elasticsearch/templates/component/so/case-mappings.json
new file mode 100644
index 000000000..aef586459
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/case-mappings.json
@@ -0,0 +1,213 @@
+ {
+ "template": {
+ "mappings": {
+ "properties": {
+ "so_audit_doc_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "so_related": {
+ "properties": {
+ "createTime": {
+ "type": "date"
+ },
+ "caseId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fields": {
+ "eager_global_ordinals": false,
+ "ignore_above": 1024,
+ "index": true,
+ "type": "flattened",
+ "index_options": "docs",
+ "split_queries_on_whitespace": false,
+ "doc_values": true
+ },
+ "userId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "@timestamp": {
+ "type": "date"
+ },
+ "so_artifactstream": {
+ "properties": {
+ "createTime": {
+ "type": "date"
+ },
+ "userId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "content": {
+ "type": "text"
+ }
+ }
+ },
+ "so_comment": {
+ "properties": {
+ "createTime": {
+ "type": "date"
+ },
+ "caseId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "description": {
+ "type": "text"
+ },
+ "userId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "so_kind": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "so_operation": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "so_case": {
+ "properties": {
+ "severity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "template": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "completeTime": {
+ "type": "date"
+ },
+ "description": {
+ "type": "text"
+ },
+ "priority": {
+ "type": "long"
+ },
+ "title": {
+ "type": "text"
+ },
+ "assigneeId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "userId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "createTime": {
+ "type": "date"
+ },
+ "tlp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "startTime": {
+ "type": "date"
+ },
+ "category": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pap": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "so_artifact": {
+ "properties": {
+ "artifactType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "groupType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha256": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "streamId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "groupId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "streamLength": {
+ "type": "long"
+ },
+ "description": {
+ "type": "text"
+ },
+ "mimeType": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "userId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "createTime": {
+ "type": "date"
+ },
+ "caseId": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tlp": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ioc": {
+ "type": "boolean"
+ },
+ "value": {
+ "type": "text",
+ "fields": {
+ "keyword": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "md5": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ },
+ "_meta": {
+ "ecs_version": "1.12.2"
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/case-settings.json b/salt/elasticsearch/templates/component/so/case-settings.json
new file mode 100644
index 000000000..3a4429926
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/case-settings.json
@@ -0,0 +1,65 @@
+{
+ "template": {
+ "settings": {
+ "index": {
+ "routing": {
+ "allocation": {
+ "require": {
+ "box_type": "hot"
+ }
+ }
+ },
+ "mapping": {
+ "total_fields": {
+ "limit": "3000"
+ }
+ },
+ "refresh_interval": "30s",
+ "analysis": {
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": "true",
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "pattern": "(\\s)+",
+ "type": "pattern_replace",
+ "replacement": "$1"
+ }
+ },
+ "analyzer": {
+ "es_security_analyzer": {
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "type": "custom",
+ "tokenizer": "keyword"
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ },
+ "number_of_shards": "1",
+ "number_of_replicas": "0"
+ }
+ }
+ },
+ "version": 1,
+ "_meta": {
+ "description": "default settings for common Security Onion Cases indices"
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json b/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json
new file mode 100644
index 000000000..7ae4ae86c
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json
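Review bot: case-settings.json is byte-for-byte the same as common-settings.json (the hunk two files further down) apart from `_meta.description`, so the `es_security_analyzer`, `whitespace_no_way` and path filter definitions now live in two places and will drift the first time one of them is tuned; keeping the shared `analysis` block in a single component template composed into both index templates would avoid that. `path_hierarchy_pattern_filter` and `path_tokenizer` are defined but no analyzer in either hunk references them, so unless something outside this commit uses them they are dead configuration. `number_of_replicas` is `"0"`, which leaves case records — the investigation history — with a single copy on disk and entirely dependent on snapshots for recovery; that is presumably the single-node default, but it deserves a note in `_meta` so multi-node deployments know to override it.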
@@ -0,0 +1,56 @@
+{
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "ip_address": {
+ "path_match": "*.ip",
+ "mapping": {
+ "type": "ip",
+ "fields": {
+ "keyword": {
+ "ignore_above": 45,
+ "type": "keyword"
+ }
+ }
+ },
+ "match_mapping_type": "string"
+ }
+ },
+ {
+ "port": {
+ "path_match": "*.port",
+ "path_unmatch": "*.data.port",
+ "mapping": {
+ "type": "integer",
+ "fields": {
+ "keyword": {
+ "ignore_above": 6,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ {
+ "strings": {
+ "mapping": {
+ "type": "text",
+ "fields": {
+ "security": {
+ "analyzer": "es_security_analyzer",
+ "type": "text"
+ },
+ "keyword": {
+ "ignore_above": 32765,
+ "type": "keyword"
+ }
+ }
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ]
+ }
+}
+}
diff --git a/salt/elasticsearch/templates/component/so/common-settings.json b/salt/elasticsearch/templates/component/so/common-settings.json
new file mode 100644
index 000000000..729ba3388
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/common-settings.json
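Review bot: The `ip_address` dynamic template maps every string field named `*.ip` to type `ip` without `ignore_malformed`, so one value that is not a valid address (a hostname, `-`, `unknown`) rejects the whole document rather than just that field, and the same applies to `port` → `integer`; for detection data that means silently dropped events. Adding `"ignore_malformed": true` inside each `mapping` block (or setting `index.mapping.ignore_malformed` in the settings templates) keeps the event and leaves only the bad value unindexed. The `port` template also omits `match_mapping_type`, so it is applied to whatever JSON type appears under `*.port`, not just strings and numbers — worth confirming that is intended. The `strings` template references `es_security_analyzer`, which is defined only in case-settings.json and common-settings.json, so this component template cannot be composed into an index without one of those; that dependency should be stated somewhere a template author will see it.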
@@ -0,0 +1,65 @@
+{
+ "template": {
+ "settings": {
+ "index": {
+ "routing": {
+ "allocation": {
+ "require": {
+ "box_type": "hot"
+ }
+ }
+ },
+ "mapping": {
+ "total_fields": {
+ "limit": "3000"
+ }
+ },
+ "refresh_interval": "30s",
+ "analysis": {
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": "true",
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "pattern": "(\\s)+",
+ "type": "pattern_replace",
+ "replacement": "$1"
+ }
+ },
+ "analyzer": {
+ "es_security_analyzer": {
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "type": "custom",
+ "tokenizer": "keyword"
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ },
+ "number_of_shards": "1",
+ "number_of_replicas": "0"
+ }
+ }
+ },
+ "version": 1,
+ "_meta": {
+ "description": "default settings for common Security Onion indices"
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/dtc-event-mappings b/salt/elasticsearch/templates/component/so/dtc-event-mappings
new file mode 100644
index 000000000..1b4798487
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/dtc-event-mappings
@@ -0,0 +1,127 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} 
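Review bot: `dtc-event-mappings` (and `dtc-observer-mappings` in the next hunk) are added without the `.json` suffix that every other component template under `component/so/` carries, which looks accidental; if `init.sls` selects component files by extension these two are never loaded, and since every index template in this patch lists them in `composed_of`, index creation would then fail on a missing component. `event.category`, `event.dataset` and `event.module` are `keyword` fields that also get a `.keyword` sub-field of the same type, indexing each value twice; presumably this keeps saved searches on `event.dataset.keyword` working, but without a line in `_meta` such as `"note": "redundant .keyword sub-fields kept for compatibility with existing saved objects"` it reads as a mistake. `_meta.ecs_version` here is `1.12.2` while the index templates record `1.12`; one form should be used throughout. `init.sls` is not in this chunk, so the loader behaviour is inferred.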
diff --git a/salt/elasticsearch/templates/component/so/dtc-observer-mappings b/salt/elasticsearch/templates/component/so/dtc-observer-mappings new file mode 100644 index 000000000..1168cd100 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-observer-mappings 
@@ -0,0 +1,219 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + 
"ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/custom/place_custom_template_in_local b/salt/elasticsearch/templates/index/custom/place_custom_template_in_local similarity index 100% rename from salt/elasticsearch/templates/custom/place_custom_template_in_local rename to salt/elasticsearch/templates/index/custom/place_custom_template_in_local diff --git a/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja new file mode 100644 index 000000000..4217cb2b0 --- /dev/null +++ b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja 
@@ -0,0 +1,89 @@ +{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-aws:shards', 1) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-aws:refresh', '30s') %} +{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-aws:priority', 500) %} +{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-aws:field_limit', 3000) %} +{ + "index_patterns": [ + "so-aws*" + ], + "template": { + "mappings": { + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": {{ FIELD_LIMIT }} + } + }, + {%- if INDEX_SORTING is sameas true %} + "index.sort.field": "@timestamp", + "index.sort.order": "desc", + {%- endif %} + "refresh_interval": "{{ REFRESH }}", + "number_of_shards": {{ SHARDS }}, + "number_of_replicas": {{ REPLICAS }} + } + } + }, + "composed_of": [ + "agent-mappings", + "base-mappings", + "client-mappings", + "cloud-mappings", + "container-mappings", + "data_stream-mappings", + "destination-mappings", + "dll-mappings", + "dns-mappings", + "ecs-mappings", + "error-mappings", + "dtc-event-mappings", + "file-mappings", + "group-mappings", + "host-mappings", + "http-mappings", + "log-mappings", + "network-mappings", + "dtc-observer-mappings", + "orchestrator-mappings", + "organization-mappings", + "package-mappings", + "process-mappings", + "registry-mappings", + "related-mappings", + "rule-mappings", + "server-mappings", + "service-mappings", + "source-mappings", + "threat-mappings", + "tls-mappings", + "tracing-mappings", + "url-mappings", + "user_agent-mappings", + "user-mappings", + "vulnerability-mappings", + "common-settings", + 
"common-dynamic-mappings" + ], + "priority": {{ PRIORITY }}, + "_meta": { + "description": "Composable template that includes SO base fields", + "ecs_version": "1.12" + } + } + } diff --git a/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja new file mode 100644 index 000000000..a3d30e9b2 --- /dev/null +++ b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja 
@@ -0,0 +1,89 @@ +{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-azure:shards', 1) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-azure:refresh', '30s') %} +{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-azure:priority', 500) %} +{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-azure:field_limit', 3000) %} +{ + "index_patterns": [ + "so-azure*" + ], + "template": { + "mappings": { + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": {{ FIELD_LIMIT }} + } + }, + {%- if INDEX_SORTING is sameas true %} + "index.sort.field": "@timestamp", + "index.sort.order": "desc", + {%- endif %} + "refresh_interval": "{{ REFRESH }}", + "number_of_shards": {{ SHARDS }}, + "number_of_replicas": {{ REPLICAS }} + } + } + }, + "composed_of": [ + "agent-mappings", + "base-mappings", + "client-mappings", + "cloud-mappings", + "container-mappings", + "data_stream-mappings", + "destination-mappings", + "dll-mappings", + "dns-mappings", + "ecs-mappings", + "error-mappings", + "dtc-event-mappings", + "file-mappings", + "group-mappings", + "host-mappings", + "http-mappings", + "log-mappings", + "network-mappings", + "dtc-observer-mappings", + "orchestrator-mappings", + "organization-mappings", + "package-mappings", + "process-mappings", + "registry-mappings", + "related-mappings", + "rule-mappings", + "server-mappings", + "service-mappings", + "source-mappings", + "threat-mappings", + "tls-mappings", + "tracing-mappings", + "url-mappings", + "user_agent-mappings", + "user-mappings", + "vulnerability-mappings", + "common-settings", 
+ "common-dynamic-mappings" + ], + "priority": {{ PRIORITY }}, + "_meta": { + "description": "Composable template that includes SO base fields", + "ecs_version": "1.12" + } + } + } diff --git a/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja b/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja new file mode 100644 index 000000000..4a7dfb7bd --- /dev/null +++ b/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja 
@@ -0,0 +1,89 @@ +{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:shards', 1) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:refresh', '30s') %} +{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:priority', 500) %} +{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:field_limit', 3000) %} +{ + "index_patterns": [ + "so-barracuda*" + ], + "template": { + "mappings": { + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": {{ FIELD_LIMIT }} + } + }, + {%- if INDEX_SORTING is sameas true %} + "index.sort.field": "@timestamp", + "index.sort.order": "desc", + {%- endif %} + "refresh_interval": "{{ REFRESH }}", + "number_of_shards": {{ SHARDS }}, + "number_of_replicas": {{ REPLICAS }} + } + } + }, + "composed_of": [ + "agent-mappings", + "base-mappings", + "client-mappings", + "cloud-mappings", + "container-mappings", + "data_stream-mappings", + "destination-mappings", + "dll-mappings", + "dns-mappings", + "ecs-mappings", + "error-mappings", + "dtc-event-mappings", + "file-mappings", + "group-mappings", + "host-mappings", + "http-mappings", + "log-mappings", + "network-mappings", + "dtc-observer-mappings", + "orchestrator-mappings", + "organization-mappings", + "package-mappings", + "process-mappings", + "registry-mappings", + "related-mappings", + "rule-mappings", + "server-mappings", + "service-mappings", + "source-mappings", + "threat-mappings", + "tls-mappings", + "tracing-mappings", + "url-mappings", + "user_agent-mappings", + "user-mappings", + "vulnerability-mappings", 
+ "common-settings", + "common-dynamic-mappings" + ], + "priority": {{ PRIORITY }}, + "_meta": { + "description": "Composable template that includes SO base fields", + "ecs_version": "1.12" + } + } + } diff --git a/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja new file mode 100644 index 000000000..bb55bb52a --- /dev/null +++ b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja 
@@ -0,0 +1,89 @@ +{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-beats:shards', 1) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-beats:refresh', '30s') %} +{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-beats:priority', 500) %} +{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-beats:field_limit', 3000) %} +{ + "index_patterns": [ + "so-beats*" + ], + "template": { + "mappings": { + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": {{ FIELD_LIMIT }} + } + }, + {%- if INDEX_SORTING is sameas true %} + "index.sort.field": "@timestamp", + "index.sort.order": "desc", + {%- endif %} + "refresh_interval": "{{ REFRESH }}", + "number_of_shards": {{ SHARDS }}, + "number_of_replicas": {{ REPLICAS }} + } + } + }, + "composed_of": [ + "agent-mappings", + "base-mappings", + "client-mappings", + "cloud-mappings", + "container-mappings", + "data_stream-mappings", + "destination-mappings", + "dll-mappings", + "dns-mappings", + "ecs-mappings", + "error-mappings", + "dtc-event-mappings", + "file-mappings", + "group-mappings", + "host-mappings", + "http-mappings", + "log-mappings", + "network-mappings", + "dtc-observer-mappings", + "orchestrator-mappings", + "organization-mappings", + "package-mappings", + "process-mappings", + "registry-mappings", + "related-mappings", + "rule-mappings", + "server-mappings", + "service-mappings", + "source-mappings", + "threat-mappings", + "tls-mappings", + "tracing-mappings", + "url-mappings", + "user_agent-mappings", + "user-mappings", + "vulnerability-mappings", + "common-settings", 
+ "common-dynamic-mappings" + ], + "priority": {{ PRIORITY }}, + "_meta": { + "description": "Composable template that includes SO base fields", + "ecs_version": "1.12" + } + } + } diff --git a/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja b/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja new file mode 100644 index 000000000..c135b4173 --- /dev/null +++ b/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja 
@@ -0,0 +1,89 @@ +{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:shards', 1) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:refresh', '30s') %} +{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:priority', 500) %} +{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:field_limit', 3000) %} +{ + "index_patterns": [ + "so-bluecoat*" + ], + "template": { + "mappings": { + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": {{ FIELD_LIMIT }} + } + }, + {%- if INDEX_SORTING is sameas true %} + "index.sort.field": "@timestamp", + "index.sort.order": "desc", + {%- endif %} + "refresh_interval": "{{ REFRESH }}", + "number_of_shards": {{ SHARDS }}, + "number_of_replicas": {{ REPLICAS }} + } + } + }, + "composed_of": [ + "agent-mappings", + "base-mappings", + "client-mappings", + "cloud-mappings", + "container-mappings", + "data_stream-mappings", + "destination-mappings", + "dll-mappings", + "dns-mappings", + "ecs-mappings", + "error-mappings", + "dtc-event-mappings", + "file-mappings", + "group-mappings", + "host-mappings", + "http-mappings", + "log-mappings", + "network-mappings", + "dtc-observer-mappings", + "orchestrator-mappings", + "organization-mappings", + "package-mappings", + "process-mappings", + "registry-mappings", + "related-mappings", + "rule-mappings", + "server-mappings", + "service-mappings", + "source-mappings", + "threat-mappings", + "tls-mappings", + "tracing-mappings", + "url-mappings", + "user_agent-mappings", + "user-mappings", + "vulnerability-mappings", + 
"common-settings", + "common-dynamic-mappings" + ], + "priority": {{ PRIORITY }}, + "_meta": { + "description": "Composable template that includes SO base fields", + "ecs_version": "1.12" + } + } + } diff --git a/salt/elasticsearch/templates/index/so/so-case-template.json.jinja b/salt/elasticsearch/templates/index/so/so-case-template.json.jinja new file mode 100644 index 000000000..3e526979d --- /dev/null +++ b/salt/elasticsearch/templates/index/so/so-case-template.json.jinja @@ -0,0 +1,53 @@ +{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-case:shards', 1) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-case:refresh', '30s') %} +{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-case:priority', 500) %} +{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-case:field_limit', 2000) %} +{ + "index_patterns": [ + "so-case*" + ], + "template": { + "mappings": { + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": {{ FIELD_LIMIT }} + } + }, + {%- if INDEX_SORTING is sameas true %} + "index.sort.field": "@timestamp", + "index.sort.order": "desc", + {%- endif %} + "refresh_interval": "{{ REFRESH }}", + "number_of_shards": {{ SHARDS }}, + "number_of_replicas": {{ REPLICAS }} + } + } + }, + "composed_of": [ + "case-mappings", + "case-settings" + ], + "priority": {{ PRIORITY }}, + "_meta": { + "description": "Composable template that includes Cases fields", + "ecs_version": "1.12" + } + } + } 
diff --git a/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja new file mode 100644 index 000000000..f76e79043 --- /dev/null +++ b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja 
@@ -0,0 +1,89 @@ +{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cef:shards', 1) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cef:refresh', '30s') %} +{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cef:priority', 500) %} +{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cef:field_limit', 3000) %} +{ + "index_patterns": [ + "so-cef*" + ], + "template": { + "mappings": { + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": {{ FIELD_LIMIT }} + } + }, + {%- if INDEX_SORTING is sameas true %} + "index.sort.field": "@timestamp", + "index.sort.order": "desc", + {%- endif %} + "refresh_interval": "{{ REFRESH }}", + "number_of_shards": {{ SHARDS }}, + "number_of_replicas": {{ REPLICAS }} + } + } + }, + "composed_of": [ + "agent-mappings", + "base-mappings", + "client-mappings", + "cloud-mappings", + "container-mappings", + "data_stream-mappings", + "destination-mappings", + "dll-mappings", + "dns-mappings", + "ecs-mappings", + "error-mappings", + "dtc-event-mappings", + "file-mappings", + "group-mappings", + "host-mappings", + "http-mappings", + "log-mappings", + "network-mappings", + "dtc-observer-mappings", + "orchestrator-mappings", + "organization-mappings", + "package-mappings", + "process-mappings", + "registry-mappings", + "related-mappings", + "rule-mappings", + "server-mappings", + "service-mappings", + "source-mappings", + "threat-mappings", + "tls-mappings", + "tracing-mappings", + "url-mappings", + "user_agent-mappings", + "user-mappings", + "vulnerability-mappings", + "common-settings", + 
"common-dynamic-mappings" + ], + "priority": {{ PRIORITY }}, + "_meta": { + "description": "Composable template that includes SO base fields", + "ecs_version": "1.12" + } + } + } diff --git a/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja new file mode 100644 index 000000000..7a097e4dd --- /dev/null +++ b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja 
@@ -0,0 +1,89 @@ +{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:shards', 1) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:refresh', '30s') %} +{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:priority', 500) %} +{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:field_limit', 3000) %} +{ + "index_patterns": [ + "so-checkpoint*" + ], + "template": { + "mappings": { + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": {{ FIELD_LIMIT }} + } + }, + {%- if INDEX_SORTING is sameas true %} + "index.sort.field": "@timestamp", + "index.sort.order": "desc", + {%- endif %} + "refresh_interval": "{{ REFRESH }}", + "number_of_shards": {{ SHARDS }}, + "number_of_replicas": {{ REPLICAS }} + } + } + }, + "composed_of": [ + "agent-mappings", + "base-mappings", + "client-mappings", + "cloud-mappings", + "container-mappings", + "data_stream-mappings", + "destination-mappings", + "dll-mappings", + "dns-mappings", + "ecs-mappings", + "error-mappings", + "dtc-event-mappings", + "file-mappings", + "group-mappings", + "host-mappings", + "http-mappings", + "log-mappings", + "network-mappings", + "dtc-observer-mappings", + "orchestrator-mappings", + "organization-mappings", + "package-mappings", + "process-mappings", + "registry-mappings", + "related-mappings", + "rule-mappings", + "server-mappings", + "service-mappings", + "source-mappings", + "threat-mappings", + "tls-mappings", + "tracing-mappings", + "url-mappings", + "user_agent-mappings", + "user-mappings", + 
"vulnerability-mappings", + "common-settings", + "common-dynamic-mappings" + ], + "priority": {{ PRIORITY }}, + "_meta": { + "description": "Composable template that includes SO base fields", + "ecs_version": "1.12" + } + } + } diff --git a/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja new file mode 100644 index 000000000..1e35a944e --- /dev/null +++ b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja 
@@ -0,0 +1,90 @@ +{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:shards', 1) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cisco:refresh', '30s') %} +{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cisco:priority', 500) %} +{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cisco:field_limit', 3000) %} +{ + "index_templates": [ + { + "so-cisco*" + ], + "template": { + "mappings": { + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": {{ FIELD_LIMIT }} + } + }, + {%- if INDEX_SORTING is sameas true %} + "index.sort.field": "@timestamp", + "index.sort.order": "desc", + {%- endif %} + "refresh_interval": "{{ REFRESH }}", + "number_of_shards": {{ SHARDS }}, + "number_of_replicas": {{ REPLICAS }} + } + } + }, + "composed_of": [ + "agent-mappings", + "base-mappings", + "client-mappings", + "cloud-mappings", + "container-mappings", + "data_stream-mappings", + "destination-mappings", + "dll-mappings", + "dns-mappings", + "ecs-mappings", + "error-mappings", + "dtc-event-mappings", + "file-mappings", + "group-mappings", + "host-mappings", + "http-mappings", + "log-mappings", + "network-mappings", + "dtc-observer-mappings", + "orchestrator-mappings", + "organization-mappings", + "package-mappings", + "process-mappings", + "registry-mappings", + "related-mappings", + "rule-mappings", + "server-mappings", + "service-mappings", + "source-mappings", + "threat-mappings", + "tls-mappings", + "tracing-mappings", + "url-mappings", + "user_agent-mappings", + "user-mappings", + "vulnerability-mappings", + 
"common-settings", + "common-dynamic-mappings" + ], + "priority": {{ PRIORITY }}, + "_meta": { + "description": "Composable template that includes SO base fields", + "ecs_version": "1.12" + } + } + } diff --git a/salt/elasticsearch/templates/index/so/so-common-template.json.jinja b/salt/elasticsearch/templates/index/so/so-common-template.json.jinja new file mode 100644 index 000000000..6560fb701 --- /dev/null +++ b/salt/elasticsearch/templates/index/so/so-common-template.json.jinja 
@@ -0,0 +1,89 @@ +{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-common:shards', 1) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-common:refresh', '30s') %} +{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-common:priority', 1) %} +{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-common:field_limit', 3000) %} +{ + "index_patterns": [ + "so-*" + ], + "template": { + "mappings": { + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": {{ FIELD_LIMIT }} + } + }, + {%- if INDEX_SORTING is sameas true %} + "sort.field": "@timestamp", + "sort.order": "desc", + {%- endif %} + "refresh_interval": "{{ REFRESH }}", + "number_of_shards": {{ SHARDS }}, + "number_of_replicas": {{ REPLICAS }} + } + } + }, + "composed_of": [ + "agent-mappings", + "base-mappings", + "client-mappings", + "cloud-mappings", + "container-mappings", + "data_stream-mappings", + "destination-mappings", + "dll-mappings", + "dns-mappings", + "ecs-mappings", + "error-mappings", + "dtc-event-mappings", + "file-mappings", + "group-mappings", + "host-mappings", + "http-mappings", + "log-mappings", + "network-mappings", + "dtc-observer-mappings", + "orchestrator-mappings", + "organization-mappings", + "package-mappings", + "process-mappings", + "registry-mappings", + "related-mappings", + "rule-mappings", + "server-mappings", + "service-mappings", + "source-mappings", + "threat-mappings", + "tls-mappings", + "tracing-mappings", + "url-mappings", + "user_agent-mappings", + "user-mappings", + "vulnerability-mappings", + "common-settings", + 
"common-dynamic-mappings" + ], + "priority": {{ PRIORITY }}, + "_meta": { + "description": "Composable template that includes SO base fields", + "ecs_version": "1.12" + } + } + } diff --git a/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja new file mode 100644 index 000000000..4f321448e --- /dev/null +++ b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja 
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-cyberark*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja
new file mode 100644
index 000000000..f2baf8883
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja
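Review bot: The sort settings on the `INDEX_SORTING` branch are written as `"index.sort.field"` and `"index.sort.order"` inside the `"index": { … }` object, whereas so-common uses `"sort.field"`/`"sort.order"` at the same nesting level, so one of the two forms is wrong for this nesting; as far as I can tell Elasticsearch flattens nested settings, which would turn these keys into `index.index.sort.field` and reject the template whenever index sorting is enabled. The branch is skipped under the default `index_sorting` of `False`, so the failure only surfaces for deployments that turn the setting on, and a rejected template leaves new `so-cyberark*` indices without these mappings. Suggest `"sort.field": "@timestamp",` / `"sort.order": "desc",` here, matching so-common, and render-testing once with the pillar set. The same keys appear in every other per-source template in this patch (so-cylance through so-infoblox).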
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cylance:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cylance:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cylance:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-cylance*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja b/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja
new file mode 100644
index 000000000..8308393e9
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-elasticsearch*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja b/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja
new file mode 100644
index 000000000..dfc1a1940
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-endgame:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-endgame:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-endgame:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-endgame*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja b/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja
new file mode 100644
index 000000000..02077b4cd
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-f5:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-f5:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-f5:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-f5:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-f5*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja b/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja
new file mode 100644
index 000000000..a809cd024
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-firewall:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-firewall:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-firewall:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-firewall*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja b/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja
new file mode 100644
index 000000000..773eaf059
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-flow:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-flow:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-flow:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-flow:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-flow*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja
new file mode 100644
index 000000000..1595c840e
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-fortinet*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja
new file mode 100644
index 000000000..bb0671aa0
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-gcp:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-gcp:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-gcp:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-gcp*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja
new file mode 100644
index 000000000..eca2e3278
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-google_workspace*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja b/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja
new file mode 100644
index 000000000..b15f6e2ac
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ids:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ids:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-ids:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-ids:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-ids*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja b/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja
new file mode 100644
index 000000000..00ae35827
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-imperva:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-imperva:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-imperva:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-imperva*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-import-template.json.jinja b/salt/elasticsearch/templates/index/so/so-import-template.json.jinja
new file mode 100644
index 000000000..d171b1a88
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-import-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-import:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-import:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-import:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-import:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-import*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja b/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja
new file mode 100644
index 000000000..d39781e60
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-infoblox*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja
new file mode 100644
index 000000000..75ba13aa8
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-juniper:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-juniper:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-juniper:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-juniper*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja b/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja
new file mode 100644
index 000000000..45a957b3a
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-kibana:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-kibana:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-kibana:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-kibana*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja b/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja
new file mode 100644
index 000000000..dd155df43
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-logstash:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-logstash:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-logstash:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-logstash*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja
new file mode 100644
index 000000000..c12ec77b3
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-microsoft*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja
new file mode 100644
index 000000000..d4b014be4
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-misp:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-misp:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-misp:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-misp:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-misp*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja b/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja
new file mode 100644
index 000000000..ca53ce81b
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netflow:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-netflow:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-netflow:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-netflow*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja b/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja
new file mode 100644
index 000000000..eb54157e3
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netscout:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-netscout:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-netscout:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-netscout*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja
new file mode 100644
index 000000000..9be552c41
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-o365:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-o365:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-o365:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-o365:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-o365*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja
new file mode 100644
index 000000000..484882b1a
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-okta:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-okta:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-okta:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-okta:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-okta*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja
new file mode 100644
index 000000000..12124590e
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-osquery:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-osquery:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-osquery:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-osquery*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja
new file mode 100644
index 000000000..4eacd09ae
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ossec:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-ossec:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-ossec:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-ossec*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja b/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja
new file mode 100644
index 000000000..34a1b3a0c
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-proofpoint*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja b/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja
new file mode 100644
index 000000000..015051b5e
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-radware:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-radware:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-radware:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-radware:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-radware*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja
new file mode 100644
index 000000000..428b68746
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-redis:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-redis:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-redis:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-redis:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-redis*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja b/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja
new file mode 100644
index 000000000..833534a84
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snort:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snort:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-snort:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-snort:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-snort*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja
new file mode 100644
index 000000000..bfd6ce8aa
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snyk:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-snyk:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-snyk:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-snyk*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja b/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja
new file mode 100644
index 000000000..bf3d96a16
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja
@@ -0,0 +1,89 @@
+i%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-sonicwall*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja
new file mode 100644
index 000000000..733b9adf6
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sophos:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-sophos:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-sophos:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-sophos*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja b/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja
new file mode 100644
index 000000000..ed7e74be8
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-squid:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-squid:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-squid:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-squid:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-squid*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja b/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja
new file mode 100644
index 000000000..c66ac0db6
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-strelka:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-strelka:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-strelka:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-strelka*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja
new file mode 100644
index 000000000..eb14b1a98
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-syslog:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-syslog:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-syslog:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-syslog*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja b/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja
new file mode 100644
index 000000000..a98f06f56
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-tomcat*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja b/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja
new file mode 100644
index 000000000..e2f6e0210
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-zeek:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-zeek:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-zeek*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja b/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja
new file mode 100644
index 000000000..b26fda66a
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-zscaler*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/so/so-aws-template.json.jinja b/salt/elasticsearch/templates/so/so-aws-template.json.jinja
deleted file mode 100644
index 19b23dfba..000000000
--- a/salt/elasticsearch/templates/so/so-aws-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-aws:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-aws:refresh', '30s') %}
-{
- "index_patterns": ["so-aws-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-azure-template.json.jinja b/salt/elasticsearch/templates/so/so-azure-template.json.jinja
deleted file mode 100644
index 51a266479..000000000
--- a/salt/elasticsearch/templates/so/so-azure-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-azure:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-azure:refresh', '30s') %}
-{
- "index_patterns": ["so-azure-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-barracuda-template.json.jinja b/salt/elasticsearch/templates/so/so-barracuda-template.json.jinja
deleted file mode 100644
index 66967d6d1..000000000
--- a/salt/elasticsearch/templates/so/so-barracuda-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:refresh', '30s') %}
-{
- "index_patterns": ["so-barracuda-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-beats-template.json.jinja b/salt/elasticsearch/templates/so/so-beats-template.json.jinja
deleted file mode 100644
index 6d2cf7851..000000000
--- a/salt/elasticsearch/templates/so/so-beats-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-beats:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-beats:refresh', '30s') %}
-{
- "index_patterns": ["so-beats-*"],
- "version": 50001,
- "order": 11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-bluecoat-template.json.jinja b/salt/elasticsearch/templates/so/so-bluecoat-template.json.jinja
deleted file mode 100644
index b1714183e..000000000
--- a/salt/elasticsearch/templates/so/so-bluecoat-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:refresh', '30s') %}
-{
- "index_patterns": ["so-bluecoat-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-case-template.json.jinja b/salt/elasticsearch/templates/so/so-case-template.json.jinja
deleted file mode 100644
index a61bd21be..000000000
--- a/salt/elasticsearch/templates/so/so-case-template.json.jinja
+++ /dev/null
@@ -1,226 +0,0 @@ -{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', True) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-common:refresh', '30s') %} -{ - "index_patterns": ["so-case*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":1, - "index.refresh_interval":"{{ REFRESH }}", - "index.routing.allocation.require.box_type":"hot", - "index.mapping.total_fields.limit": "1500" - }, - "mappings": { - "_meta": { - "version": "1.5.0" - }, - "dynamic": false, - "date_detection": false, - "properties": { - "@timestamp": { - "type": "date" - }, - "so_kind": { - "type": "keyword", - "ignore_above": 1024 - }, - "so_operation": { - "type": "keyword", - "ignore_above": 1024 - }, - "so_audit_doc_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "so_artifact": { - "properties": { - "artifactType": { - "type": "keyword", - "ignore_above": 1024 - }, - "caseId": { - "type": "keyword", - "ignore_above": 1024 - }, - "createTime": { - "type": "date" - }, - "description": { - "type": "text" - }, - "groupId": { - "type": "keyword", - "ignore_above": 1024 - }, - "groupType": { - "type": "keyword", - "ignore_above": 1024 - }, - "ioc": { - "type": "boolean" - }, - "md5": { - "type": "keyword", - "ignore_above": 1024 - }, - "mimeType": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha1": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha256": { - "type": "keyword", - "ignore_above": 1024 - }, - "streamId": { - "type": "keyword", - "ignore_above": 1024 - }, - "streamLength": { - "type": "long" - }, - "tags": { - "type": "keyword", - "ignore_above": 1024 - }, - "tlp": { - "type": "keyword", - "ignore_above": 1024 - }, - "userId": { - "type": "keyword", - "ignore_above": 1024 - }, - "value": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 1024 - } - } 
- } - } - }, - "so_artifactstream": { - "properties": { - "content": { - "type": "text" - }, - "createTime": { - "type": "date" - }, - "userId": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "so_case": { - "properties": { - "assigneeId": { - "type": "keyword", - "ignore_above": 1024 - }, - "category": { - "type": "keyword", - "ignore_above": 1024 - }, - "completeTime": { - "type": "date" - }, - "createTime": { - "type": "date" - }, - "description": { - "type": "text" - }, - "pap": { - "type": "keyword", - "ignore_above": 1024 - }, - "priority": { - "type": "long" - }, - "severity": { - "type": "keyword", - "ignore_above": 1024 - }, - "startTime": { - "type": "date" - }, - "status": { - "type": "keyword", - "ignore_above": 1024 - }, - "tags": { - "type": "keyword", - "ignore_above": 1024 - }, - "template": { - "type": "keyword", - "ignore_above": 1024 - }, - "title": { - "type": "text" - }, - "tlp": { - "type": "keyword", - "ignore_above": 1024 - }, - "userId": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "so_comment": { - "properties": { - "caseId": { - "type": "keyword", - "ignore_above": 1024 - }, - "createTime": { - "type": "date" - }, - "description": { - "type": "text" - }, - "userId": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "so_related": { - "properties": { - "caseId": { - "type": "keyword", - "ignore_above": 1024 - }, - "createTime": { - "type": "date" - }, - "fields": { - "eager_global_ordinals": false, - "ignore_above": 1024, - "index": true, - "type": "flattened", - "index_options": "docs", - "split_queries_on_whitespace": false, - "doc_values": true - }, - "userId": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/so/so-cef-template.json.jinja b/salt/elasticsearch/templates/so/so-cef-template.json.jinja deleted file mode 100644 index 0081d42e1..000000000 --- a/salt/elasticsearch/templates/so/so-cef-template.json.jinja +++ /dev/null 
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cef:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cef:refresh', '30s') %}
-{
- "index_patterns": ["so-cef-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-checkpoint-template.json.jinja b/salt/elasticsearch/templates/so/so-checkpoint-template.json.jinja
deleted file mode 100644
index 5d41946cf..000000000
--- a/salt/elasticsearch/templates/so/so-checkpoint-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:refresh', '30s') %}
-{
- "index_patterns": ["so-checkpoint-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-cisco-template.json.jinja b/salt/elasticsearch/templates/so/so-cisco-template.json.jinja
deleted file mode 100644
index e6e6d14d0..000000000
--- a/salt/elasticsearch/templates/so/so-cisco-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cisco:refresh', '30s') %}
-{
- "index_patterns": ["so-cisco-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-common-template.json.jinja b/salt/elasticsearch/templates/so/so-common-template.json.jinja
deleted file mode 100644
index 4a41cba8a..000000000
--- a/salt/elasticsearch/templates/so/so-common-template.json.jinja
+++ /dev/null
@@ -1,702 +0,0 @@ -{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', True) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-common:refresh', '30s') %} -{ - "index_patterns": ["so-*"], - "version":50001, - "order":10, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":1, - "index.refresh_interval":"{{ REFRESH }}", - "index.routing.allocation.require.box_type":"hot", - "index.mapping.total_fields.limit": "1500", -{%- if INDEX_SORTING is sameas true %} - "index.sort.field": "@timestamp", - "index.sort.order": "desc", -{%- endif %} - "analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ "whitespace_no_way" ], - "filter": [ "lowercase", "trim" ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter" : { - "path_hierarchy_pattern_filter": { - "type" : "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - } - }, - "mappings":{ - "dynamic":false, - "date_detection":false, - "dynamic_templates": [ - { - "ip_address": { - "match_mapping_type": "string", - "path_match": "*.ip", - "mapping": { - "type": "ip", - "fields" : { - "keyword" : { - "ignore_above" : 45, - "type" : "keyword" - } - } - - } - } - }, - { - "port": { - "path_match": "*.port", - "path_unmatch": "*.data.port", - "mapping": { - "type": "integer", - "fields" : { - "keyword" : { - "ignore_above" : 6, - "type" : "keyword" - } - } - - } - } - }, - { - "strings": { - "match_mapping_type": "string", - "mapping": { - "type": "text", - "fields": { - "keyword": { - "ignore_above": 32765, - "type": "keyword" - }, - "security": { - "type": "text", - 
"analyzer": "es_security_analyzer" - } - } - } - } - }], - "properties":{ - "@timestamp":{ - "type":"date" - }, - "@version":{ - "type":"keyword" - }, - "osquery":{ - "type":"object", - "dynamic":true - }, - "geoip":{ - "dynamic":true, - "properties":{ - "ip":{ - "type":"ip" - }, - "location":{ - "type":"geo_point" - }, - "latitude":{ - "type":"half_float" - }, - "longitude":{ - "type":"half_float" - } - } - }, - "destination_geo":{ - "dynamic":true, - "properties":{ - "ip":{ - "type":"ip" - }, - "location":{ - "type":"geo_point" - }, - "latitude":{ - "type":"half_float" - }, - "longitude":{ - "type":"half_float" - } - } - }, - "source_geo":{ - "dynamic":true, - "properties":{ - "ip":{ - "type":"ip" - }, - "location":{ - "type":"geo_point" - }, - "latitude":{ - "type":"half_float" - }, - "longitude":{ - "type":"half_float" - } - } - }, - "agent":{ - "type":"object", - "dynamic": true - }, - "as":{ - "type":"object", - "dynamic": true - }, - "alert":{ - "type":"object", - "dynamic": true - }, - "client":{ - "type":"object", - "dynamic": true - }, - "cloud":{ - "type":"object", - "dynamic": true - }, - "code_signature":{ - "type":"object", - "dynamic": true - }, - "connection":{ - "type":"object", - "dynamic": true - }, - "container":{ - "type":"object", - "dynamic": true - }, - "data":{ - "type":"object", - "dynamic": true - }, - "dce_rpc":{ - "type":"object", - "dynamic": true - }, - "destination":{ - "type":"object", - "dynamic": true - }, - "dhcp":{ - "type":"object", - "dynamic": true - }, - "dnp3":{ - "type":"object", - "dynamic": true - }, - "dns":{ - "type":"object", - "dynamic": true - }, - "dll":{ - "type":"object", - "dynamic": true - }, - "ecs":{ - "type":"object", - "dynamic": true - }, - "error":{ - "type":"object", - "dynamic": true - }, - "event":{ - "type":"object", - "dynamic": true - }, - "event_data":{ - "type":"object", - "dynamic": true - }, - "file":{ - "type":"object", - "dynamic": true - }, - "flow":{ - "type":"object", - "dynamic": true - }, 
- "ftp":{ - "type":"object", - "dynamic": true - }, - "geo":{ - "type":"object", - "dynamic": true - }, - "group":{ - "type":"object", - "dynamic": true - }, - "hash":{ - "type":"object", - "dynamic": true - }, - "host":{ - "type":"object", - "dynamic": true - }, - "http":{ - "type":"object", - "dynamic": true - }, - "import":{ - "type":"object", - "dynamic": true - }, - "ingest":{ - "type":"object", - "dynamic": true, - "properties":{ - "timestamp":{ - "type":"date" - } - } - }, - "intel":{ - "type":"object", - "dynamic": true, - "properties":{ - "indicator":{ - "type":"text", - "fields":{ - "keyword":{ - "type":"keyword" - } - } - } - } - }, - "interface":{ - "type":"object", - "dynamic": true - }, - "ip":{ - "type":"object", - "dynamic": true - }, - "irc":{ - "type":"object", - "dynamic": true - }, - "kerberos":{ - "type":"object", - "dynamic": true - }, - "log":{ - "type":"object", - "dynamic": true - }, - "logscan": { - "type": "object", - "dynamic": true - }, - "manager":{ - "type":"object", - "dynamic": true - }, - "message":{ - "type":"text", - "fields":{ - "keyword":{ - "type":"keyword", - "ignore_above": 32766 - } - } - }, - "modbus":{ - "type":"object", - "dynamic": true - }, - "mysql":{ - "type":"object", - "dynamic": true - }, - "network":{ - "type":"object", - "dynamic": true - }, - "notice":{ - "type":"object", - "dynamic": true - }, - "ntlm":{ - "type":"object", - "dynamic": true - }, - "observer":{ - "type":"object", - "dynamic": true - }, - "organization":{ - "type":"object", - "dynamic": true - }, - "os":{ - "type":"object", - "dynamic": true - }, - "package":{ - "type":"object", - "dynamic": true - }, - "pe":{ - "type":"object", - "dynamic": true - }, - "process":{ - "type":"object", - "dynamic": true - }, - "radius":{ - "type":"object", - "dynamic": true - }, - "rdp":{ - "type":"object", - "dynamic": true - }, - "registry":{ - "type":"object", - "dynamic": true - }, - "related":{ - "type":"object", - "dynamic": true - }, - "request":{ - 
"type":"object", - "dynamic": true - }, - "result":{ - "type":"object", - "dynamic": true - }, - "rfb":{ - "type":"object", - "dynamic": true - }, - "rule":{ - "type":"object", - "dynamic":true, - "properties":{ - "score":{ - "type":"long" - }, - "uuid":{ - "type":"keyword" - } - } - }, - "scan":{ - "type":"object", - "dynamic": true, - "properties":{ - "exiftool":{ - "type":"text" - } - } - }, - "server":{ - "type":"object", - "dynamic": true - }, - "service":{ - "type":"object", - "dynamic": true - }, - "sip":{ - "type":"object", - "dynamic": true - }, - "smb":{ - "type":"object", - "dynamic": true - }, - "smtp":{ - "type":"object", - "dynamic": true - }, - "snmp":{ - "type":"object", - "dynamic": true - }, - "socks":{ - "type":"object", - "dynamic": true - }, - "software":{ - "type":"object", - "dynamic": true - }, - "source":{ - "type":"object", - "dynamic": true - }, - "ssh":{ - "type":"object", - "dynamic": true - }, - "ssl":{ - "type":"object", - "dynamic": true - }, - "syslog":{ - "type":"object", - "dynamic": true - }, - "tags":{ - "type":"text", - "fields":{ - "keyword":{ - "type":"keyword" - } - } - }, - "threat":{ - "type":"object", - "dynamic": true - }, - "tls":{ - "type":"object", - "dynamic": true - }, - "trace":{ - "type":"object", - "dynamic": true - }, - "tunnel":{ - "type":"object", - "dynamic": true - }, - "user":{ - "type":"object", - "dynamic": true - }, - "user_agent":{ - "type":"object", - "dynamic": true - }, - "version":{ - "type":"object", - "dynamic": true - }, - "vlan":{ - "type":"object", - "dynamic": true - }, - "vulnerability":{ - "type":"object", - "dynamic": true - }, - "weird":{ - "type":"object", - "dynamic": true - }, - "winlog":{ - "type":"object", - "dynamic": true, - "properties":{ - "event_id":{ - "type":"long" - }, - "event_data":{ - "type":"object" - }, - "version":{ - "type":"long" - } - } - }, - "x509":{ - "type":"object", - "dynamic": true - }, - "suricata":{ - "type":"object", - "dynamic": true - }, - "zeek":{ - 
"type":"object", - "dynamic": true - }, - "aws":{ - "type":"object", - "dynamic": true - }, - "azure":{ - "type":"object", - "dynamic": true - }, - "barracuda":{ - "type":"object", - "dynamic": true - }, - "bluecoat":{ - "type":"object", - "dynamic": true - }, - "cef":{ - "type":"object", - "dynamic": true - }, - "checkpoint":{ - "type":"object", - "dynamic": true - }, - "cisco":{ - "type":"object", - "dynamic": true - }, - "cyberark":{ - "type":"object", - "dynamic": true - }, - "cylance":{ - "type":"object", - "dynamic": true - }, - "f5":{ - "type":"object", - "dynamic": true - }, - "fortinet":{ - "type":"object", - "dynamic": true - }, - "gcp":{ - "type":"object", - "dynamic": true - }, - "google_workspace":{ - "type":"object", - "dynamic": true - }, - "imperva":{ - "type":"object", - "dynamic": true - }, - "infoblox":{ - "type":"object", - "dynamic": true - }, - "juniper":{ - "type":"object", - "dynamic": true - }, - "microsoft":{ - "type":"object", - "dynamic": true - }, - "misp":{ - "type":"object", - "dynamic": true - }, - "netflow":{ - "type":"object", - "dynamic": true - }, - "netscout":{ - "type":"object", - "dynamic": true - }, - "o365":{ - "type":"object", - "dynamic": true - }, - "okta":{ - "type":"object", - "dynamic": true - }, - "proofpoint":{ - "type":"object", - "dynamic": true - }, - "radware":{ - "type":"object", - "dynamic": true - }, - "snort":{ - "type":"object", - "dynamic": true - }, - "snyk":{ - "type":"object", - "dynamic": true - }, - "sonicwall":{ - "type":"object", - "dynamic": true - }, - "sophos":{ - "type":"object", - "dynamic": true - }, - "squid":{ - "type":"object", - "dynamic": true - }, - "tomcat":{ - "type":"object", - "dynamic": true - }, - "zcaler":{ - "type":"object", - "dynamic": true - }, - "elasticsearch":{ - "type":"object", - "dynamic": true - }, - "kibana":{ - "type":"object", - "dynamic": true - }, - "logstash":{ - "type":"object", - "dynamic": true - }, - "redis":{ - "type":"object", - "dynamic": true - }, - 
"wazuh":{
- "type":"object",
- "dynamic": true
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-cyberark-template.json.jinja b/salt/elasticsearch/templates/so/so-cyberark-template.json.jinja
deleted file mode 100644
index 1647d600f..000000000
--- a/salt/elasticsearch/templates/so/so-cyberark-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:refresh', '30s') %}
-{
- "index_patterns": ["so-cyberark-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-cylance-template.json.jinja b/salt/elasticsearch/templates/so/so-cylance-template.json.jinja
deleted file mode 100644
index 4ba7d0316..000000000
--- a/salt/elasticsearch/templates/so/so-cylance-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cylance:refresh', '30s') %}
-{
- "index_patterns": ["so-cylance-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-elasticsearch-template.json.jinja b/salt/elasticsearch/templates/so/so-elasticsearch-template.json.jinja
deleted file mode 100644
index 16aaaec13..000000000
--- a/salt/elasticsearch/templates/so/so-elasticsearch-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:refresh', '30s') %}
-{
- "index_patterns": ["so-elasticsearch-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-endgame-template.json.jinja b/salt/elasticsearch/templates/so/so-endgame-template.json.jinja
deleted file mode 100644
index 6d2b89b27..000000000
--- a/salt/elasticsearch/templates/so/so-endgame-template.json.jinja
+++ /dev/null
@@ -1,2976 +0,0 @@ -{ - "index_patterns": ["endgame-*"], - "version":50002, - "order":1, - "mappings": { - "_meta": { - "version": "1.5.0" - }, - "date_detection": false, - "dynamic_templates": [ - { - "strings_as_keyword": { - "mapping": { - "ignore_above": 1024, - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "@timestamp": { - "type": "date" - }, - "agent": { - "properties": { - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "container": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "name": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - 
"group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "header_flags": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - } - } - }, - "endgame": { - "dynamic": false, - "properties": { - "data": { - "properties": { - "malware_classification": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "quarantine_result": { - "properties": { - "local_msg": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "event_subtype_full": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_type_full": { - "ignore_above": 1024, - "type": "keyword" - }, - "metadata": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "stack_trace": { - "doc_values": false, - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } 
- } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "original": { - "doc_values": false, - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - 
"properties": { - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - 
"ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - 
} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "method": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - 
"type": "keyword" - } - } - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "integer" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "original": { - "doc_values": false, - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "syslog": { - "properties": { - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "priority": { - "type": "long" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - } - } - }, - "message": { - "norms": false, - "type": "text" - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - 
"interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "thread": { - "properties": { - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "thread": { - "properties": { - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, 
- "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule": { - "dynamic": false, - "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - 
"properties": { - "address": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 
1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "tags": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "threat": { - "properties": { - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - 
"next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "keyword": { - "type": "keyword" - }, - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "vendor": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "winlog": { - "properties": { - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "type": "long" - }, - "logon": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "opcode": { - "type": "long" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "type": "long" - } - } - } - } - }, - "settings": { - "index": { - "auto_expand_replicas": "0-1", - "mapping": { - "ignore_malformed": true, - "total_fields": { - "limit": 10000 - } - }, - "number_of_shards": 5 - } - } -} 
diff --git a/salt/elasticsearch/templates/so/so-f5-template.json.jinja b/salt/elasticsearch/templates/so/so-f5-template.json.jinja
deleted file mode 100644
index 682a37c59..000000000
--- a/salt/elasticsearch/templates/so/so-f5-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-f5:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-f5:refresh', '30s') %}
-{
- "index_patterns": ["so-f5-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-firewall-template.json.jinja b/salt/elasticsearch/templates/so/so-firewall-template.json.jinja
deleted file mode 100644
index 7bc81fd12..000000000
--- a/salt/elasticsearch/templates/so/so-firewall-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-firewall:refresh', '30s') %}
-{
- "index_patterns": ["so-firewall-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-flow-template.json.jinja b/salt/elasticsearch/templates/so/so-flow-template.json.jinja
deleted file mode 100644
index 6c8f2fa9f..000000000
--- a/salt/elasticsearch/templates/so/so-flow-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-flow:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-flow:refresh', '30s') %}
-{
- "index_patterns": ["so-flow-*"],
- "version": 50001,
- "order": 11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-fortinet-template.json.jinja b/salt/elasticsearch/templates/so/so-fortinet-template.json.jinja
deleted file mode 100644
index 616607f52..000000000
--- a/salt/elasticsearch/templates/so/so-fortinet-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %}
-{
- "index_patterns": ["so-zeek-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-gcp-template.json.jinja b/salt/elasticsearch/templates/so/so-gcp-template.json.jinja
deleted file mode 100644
index 4f1db4f20..000000000
--- a/salt/elasticsearch/templates/so/so-gcp-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-gcp:refresh', '30s') %}
-{
- "index_patterns": ["so-gcp-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-google_workspace-template.json.jinja b/salt/elasticsearch/templates/so/so-google_workspace-template.json.jinja
deleted file mode 100644
index 5ae26780a..000000000
--- a/salt/elasticsearch/templates/so/so-google_workspace-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:refresh', '30s') %}
-{
- "index_patterns": ["so-google_workspace-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-ids-template.json.jinja b/salt/elasticsearch/templates/so/so-ids-template.json.jinja
deleted file mode 100644
index abf37319a..000000000
--- a/salt/elasticsearch/templates/so/so-ids-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ids:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ids:refresh', '30s') %}
-{
- "index_patterns": ["so-ids-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-imperva-template.json.jinja b/salt/elasticsearch/templates/so/so-imperva-template.json.jinja
deleted file mode 100644
index 1f574f33a..000000000
--- a/salt/elasticsearch/templates/so/so-imperva-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-imperva:refresh', '30s') %}
-{
- "index_patterns": ["so-imperva-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-import-template.json.jinja b/salt/elasticsearch/templates/so/so-import-template.json.jinja
deleted file mode 100644
index e4d68235d..000000000
--- a/salt/elasticsearch/templates/so/so-import-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-import:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-import:refresh', '30s') %}
-{
- "index_patterns": ["so-import-*"],
- "version":50001,
- "order": 11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-infoblox-template.json.jinja b/salt/elasticsearch/templates/so/so-infoblox-template.json.jinja
deleted file mode 100644
index de613de7f..000000000
--- a/salt/elasticsearch/templates/so/so-infoblox-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:refresh', '30s') %}
-{
- "index_patterns": ["so-infoblox-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-juniper-template.json.jinja b/salt/elasticsearch/templates/so/so-juniper-template.json.jinja
deleted file mode 100644
index f637271a9..000000000
--- a/salt/elasticsearch/templates/so/so-juniper-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-juniper:refresh', '30s') %}
-{
- "index_patterns": ["so-juniper-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-kibana-template.json.jinja b/salt/elasticsearch/templates/so/so-kibana-template.json.jinja
deleted file mode 100644
index fe2004b0e..000000000
--- a/salt/elasticsearch/templates/so/so-kibana-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-kibana:refresh', '30s') %} -{ - "index_patterns": ["so-kibana-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-logstash-template.json.jinja b/salt/elasticsearch/templates/so/so-logstash-template.json.jinja deleted file mode 100644 index 2cf0aba42..000000000 --- a/salt/elasticsearch/templates/so/so-logstash-template.json.jinja +++ /dev/null @@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-logstash:refresh', '30s') %} -{ - "index_patterns": ["so-logstash-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-microsoft-template.json.jinja b/salt/elasticsearch/templates/so/so-microsoft-template.json.jinja deleted file mode 100644 index 3493ccbb2..000000000 --- a/salt/elasticsearch/templates/so/so-microsoft-template.json.jinja +++ /dev/null 
@@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:refresh', '30s') %} -{ - "index_patterns": ["so-microsoft-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-misp-template.json.jinja b/salt/elasticsearch/templates/so/so-misp-template.json.jinja deleted file mode 100644 index 67af1efde..000000000 --- a/salt/elasticsearch/templates/so/so-misp-template.json.jinja +++ /dev/null @@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-misp:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-misp:refresh', '30s') %} -{ - "index_patterns": ["so-misp-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-netflow-template.json.jinja b/salt/elasticsearch/templates/so/so-netflow-template.json.jinja deleted file mode 100644 index 62c0972bf..000000000 --- a/salt/elasticsearch/templates/so/so-netflow-template.json.jinja +++ /dev/null 
@@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netflow:refresh', '30s') %} -{ - "index_patterns": ["so-netflow-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-netscout-template.json.jinja b/salt/elasticsearch/templates/so/so-netscout-template.json.jinja deleted file mode 100644 index 1dfe336d9..000000000 --- a/salt/elasticsearch/templates/so/so-netscout-template.json.jinja +++ /dev/null @@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netscout:refresh', '30s') %} -{ - "index_patterns": ["so-netscout-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-o365-template.json.jinja b/salt/elasticsearch/templates/so/so-o365-template.json.jinja deleted file mode 100644 index c1f4826f4..000000000 --- a/salt/elasticsearch/templates/so/so-o365-template.json.jinja +++ /dev/null 
@@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-o365:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-o365:refresh', '30s') %} -{ - "index_patterns": ["so-o365-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-okta-template.json.jinja b/salt/elasticsearch/templates/so/so-okta-template.json.jinja deleted file mode 100644 index a4f2df44e..000000000 --- a/salt/elasticsearch/templates/so/so-okta-template.json.jinja +++ /dev/null @@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-okta:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-okta:refresh', '30s') %} -{ - "index_patterns": ["so-okta-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-osquery-template.json.jinja b/salt/elasticsearch/templates/so/so-osquery-template.json.jinja deleted file mode 100644 index 47cb3ebab..000000000 --- a/salt/elasticsearch/templates/so/so-osquery-template.json.jinja +++ /dev/null 
@@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-osquery:refresh', '30s') %} -{ - "index_patterns": ["so-osquery-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-ossec-template.json.jinja b/salt/elasticsearch/templates/so/so-ossec-template.json.jinja deleted file mode 100644 index ce903e228..000000000 --- a/salt/elasticsearch/templates/so/so-ossec-template.json.jinja +++ /dev/null @@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ossec:refresh', '30s') %} -{ - "index_patterns": ["so-ossec-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-proofpoint-template.json.jinja b/salt/elasticsearch/templates/so/so-proofpoint-template.json.jinja deleted file mode 100644 index d7b0ecbe2..000000000 --- a/salt/elasticsearch/templates/so/so-proofpoint-template.json.jinja +++ /dev/null 
@@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:refresh', '30s') %} -{ - "index_patterns": ["so-proofpoint-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-radware-template.json.jinja b/salt/elasticsearch/templates/so/so-radware-template.json.jinja deleted file mode 100644 index 4efef6a4f..000000000 --- a/salt/elasticsearch/templates/so/so-radware-template.json.jinja +++ /dev/null @@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-radware:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-radware:refresh', '30s') %} -{ - "index_patterns": ["so-radware-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-redis-template.json.jinja b/salt/elasticsearch/templates/so/so-redis-template.json.jinja deleted file mode 100644 index 616607f52..000000000 --- a/salt/elasticsearch/templates/so/so-redis-template.json.jinja +++ /dev/null 
@@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %} -{ - "index_patterns": ["so-zeek-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-snort-template.json.jinja b/salt/elasticsearch/templates/so/so-snort-template.json.jinja deleted file mode 100644 index 325f86bde..000000000 --- a/salt/elasticsearch/templates/so/so-snort-template.json.jinja +++ /dev/null @@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snort:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snort:refresh', '30s') %} -{ - "index_patterns": ["so-snort-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-snyk-template.json.jinja b/salt/elasticsearch/templates/so/so-snyk-template.json.jinja deleted file mode 100644 index 0c2d291cc..000000000 --- a/salt/elasticsearch/templates/so/so-snyk-template.json.jinja +++ /dev/null @@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snyk:refresh', '30s') %} -{ - "index_patterns": ["so-snyk-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} 
diff --git a/salt/elasticsearch/templates/so/so-sonicwall-template.json.jinja b/salt/elasticsearch/templates/so/so-sonicwall-template.json.jinja deleted file mode 100644 index b912e4d66..000000000 --- a/salt/elasticsearch/templates/so/so-sonicwall-template.json.jinja +++ /dev/null @@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:refresh', '30s') %} -{ - "index_patterns": ["so-sonicwall-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-sophos-template.json.jinja b/salt/elasticsearch/templates/so/so-sophos-template.json.jinja deleted file mode 100644 index 689e19999..000000000 --- a/salt/elasticsearch/templates/so/so-sophos-template.json.jinja +++ /dev/null @@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sophos:refresh', '30s') %} -{ - "index_patterns": ["so-sophos-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-squid-template.json.jinja b/salt/elasticsearch/templates/so/so-squid-template.json.jinja deleted file mode 100644 index 9398b8a99..000000000 --- a/salt/elasticsearch/templates/so/so-squid-template.json.jinja +++ /dev/null 
@@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-squid:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-squid:refresh', '30s') %} -{ - "index_patterns": ["so-squid-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-strelka-template.json.jinja b/salt/elasticsearch/templates/so/so-strelka-template.json.jinja deleted file mode 100644 index 2f7db541a..000000000 --- a/salt/elasticsearch/templates/so/so-strelka-template.json.jinja +++ /dev/null @@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-strelka:refresh', '30s') %} -{ - "index_patterns": ["so-strelka-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-syslog-template.json.jinja b/salt/elasticsearch/templates/so/so-syslog-template.json.jinja deleted file mode 100644 index 47f8d78e6..000000000 --- a/salt/elasticsearch/templates/so/so-syslog-template.json.jinja +++ /dev/null 
@@ -1,14 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-syslog:refresh', '30s') %} -{ - "index_patterns": ["so-syslog-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} - diff --git a/salt/elasticsearch/templates/so/so-tomcat-template.json.jinja b/salt/elasticsearch/templates/so/so-tomcat-template.json.jinja deleted file mode 100644 index 797e71bcf..000000000 --- a/salt/elasticsearch/templates/so/so-tomcat-template.json.jinja +++ /dev/null @@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:refresh', '30s') %} -{ - "index_patterns": ["so-tomcat-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-zeek-template.json.jinja b/salt/elasticsearch/templates/so/so-zeek-template.json.jinja deleted file mode 100644 index 616607f52..000000000 --- a/salt/elasticsearch/templates/so/so-zeek-template.json.jinja +++ /dev/null 
@@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %} -{ - "index_patterns": ["so-zeek-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-zscaler-template.json.jinja b/salt/elasticsearch/templates/so/so-zscaler-template.json.jinja deleted file mode 100644 index 01d1cab2d..000000000 --- a/salt/elasticsearch/templates/so/so-zscaler-template.json.jinja +++ /dev/null @@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:refresh', '30s') %} -{ - "index_patterns": ["so-zscaler-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load index e4e112603..f3bcaa308 100755 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load 
@@ -47,11 +47,24 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then echo fi -cd ${ELASTICSEARCH_TEMPLATES} +cd ${ELASTICSEARCH_TEMPLATES}/component/ecs +echo "Loading ECS component templates..." +for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE-mappings"; {{ ELASTICCURL }} -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_component_template/$TEMPLATE-mappings -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done +echo -echo "Loading templates..." -for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; {{ ELASTICCURL }} -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done +# Load SO-specific component templates +cd ${ELASTICSEARCH_TEMPLATES}/component/so + +echo "Loading Security Onion component templates..." +for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE"; {{ ELASTICCURL }} -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_component_template/$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done +echo + +# Load SO index templates +cd ${ELASTICSEARCH_TEMPLATES}/index + +echo "Loading Security Onion index templates..." +for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; {{ ELASTICCURL }} -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_index_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done echo cd - >/dev/null diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index 670dcf49e..772a97e17 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja +++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja 
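Review bot: Each of the three new PUT loops in so-elasticsearch-templates-load runs curl with `-s` and `2>/dev/null` and never looks at the exit status or HTTP response, so a rejected component or index template (malformed JSON, a 4xx from the mapping API, an auth failure) is reported only by the `echo` of its name and the script still exits 0. Because the Logstash output hunks in this patch drop the `template`/`template_overwrite` options, this script is now the only path that installs mappings, and a silent failure means the next index is created with dynamic mappings and ECS-dependent detections and dashboards quietly stop matching. Capture `-w '%{http_code}'` per request and fail the run (or at least write to stderr) on anything outside 2xx, and make each `cd` a `cd … || exit 1` so a missing directory does not PUT whatever is in the current directory. The `-k` flag continues the existing practice of skipping server-certificate validation towards Elasticsearch; if that is intentional a one-line comment stating why would help the next reader.
```shell
# Records a failure when Elasticsearch does not accept the template instead of swallowing it.
put_template() {
  local path="$1" file="$2" code
  code=$({{ ELASTICCURL }} -k ${ELASTICSEARCH_AUTH} -s -o /dev/null -w '%{http_code}' -XPUT -L "https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/${path}" -H 'Content-Type: application/json' -d@"${file}")
  case "$code" in
    2??) echo "${path}: ${code}" ;;
    *)   echo "${path}: FAILED (HTTP ${code:-none})" >&2; LOAD_FAILED=1 ;;
  esac
}

cd "${ELASTICSEARCH_TEMPLATES}/component/ecs" || exit 1
echo "Loading ECS component templates..."
for i in *; do put_template "_component_template/${i%%.*}-mappings" "$i"; done
# … unchanged: same loop shape for component/so and index, then exit "${LOAD_FAILED:-0}" …
```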
@@ -15,9 +15,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-zeek" - template_name => "so-zeek" - template => "/templates/so-zeek-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja index 1ebaa1082..58a78c08a 100644 --- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja +++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja @@ -15,9 +15,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-import" - template_name => "so-import" - template => "/templates/so-import-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja index affa32d1a..88fe0d2b7 100644 --- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja +++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja @@ -14,9 +14,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-flow" - template_name => "so-flow" - template => "/templates/so-flow-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja index ea603b016..5ce7ee343 100644 --- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja +++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja @@ -14,9 +14,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-ids" - template_name => "so-ids" - template => "/templates/so-ids-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } 
diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja index ab8508bf3..b222ec2e1 100644 --- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja +++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja @@ -15,9 +15,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-syslog" - template_name => "so-syslog" - template => "/templates/so-syslog-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja index f8a9b25af..ef460d463 100644 --- a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja +++ b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja @@ -16,9 +16,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-%{[event][module]}-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/templates/so-common-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja index b997ea7be..745ebeb19 100644 --- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja @@ -15,9 +15,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-osquery" - template_name => "so-osquery" - template => "/templates/so-osquery-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja index fce35b5a4..aa4af89fd 100644 
--- a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja @@ -37,9 +37,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-osquery" - template_name => "so-osquery" - template => "/templates/so-osquery-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja index e82dbb4f8..f6b8d4098 100644 --- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja +++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja @@ -14,9 +14,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-firewall" - template_name => "so-firewall" - template => "/templates/so-firewall-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja index 34e2bab7c..598e9c741 100644 --- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja +++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja @@ -15,8 +15,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-ids" - template_name => "so-ids" - template => "/templates/so-ids-template.json" ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja index 869b6d553..03326a320 100644 --- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja +++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja 
@@ -16,9 +16,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-beats" - template_name => "so-beats" - template => "/templates/so-beats-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false document_id => "%{[metadata][_id]}" @@ -32,9 +29,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-beats" - template_name => "so-beats" - template => "/templates/so-beats-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja index 6e03d8c72..4555fb8bb 100644 --- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja +++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja @@ -15,9 +15,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-ossec" - template_name => "so-ossec" - template => "/templates/so-ossec-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja index 007f1370e..09a677d1f 100644 --- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja +++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja @@ -15,9 +15,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-strelka" - template_name => "so-strelka" - template => "/templates/so-strelka-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja b/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja index 86944d155..8bfa166c4 100644 --- a/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja +++ b/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja 
@@ -17,9 +17,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-logscan" - template_name => "so-common" - template => "/templates/so-common-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } From eaeed07fd4818d5b379404b8794b48296d2f6702 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 2 Feb 2022 09:12:29 -0500 Subject: [PATCH 02/40] Update acng.conf --- salt/manager/files/acng/acng.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/files/acng/acng.conf b/salt/manager/files/acng/acng.conf index 1b7f05e04..1f1f53754 100644 --- a/salt/manager/files/acng/acng.conf +++ b/salt/manager/files/acng/acng.conf @@ -80,7 +80,7 @@ RedirMax: 6 VfileUseRangeOps: -1 # PassThroughPattern: private-ppa\.launchpad\.net:443$ # PassThroughPattern: .* # this would allow CONNECT to everything -PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirrors\.fedoraproject\.org:443|packages\.wazuh\.com:443|repo\.saltstack\.com:443|yum\.dockerproject\.org:443|download\.docker\.com:443|registry\.npmjs\.org:443|registry\.yarnpkg\.com:443)$ # yarn/npm pkg, cant to http :/ +PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirrors\.fedoraproject\.org:443|packages\.wazuh\.com:443|repo\.saltstack\.com:443|repo\.saltproject\.io:443|yum\.dockerproject\.org:443|download\.docker\.com:443|registry\.npmjs\.org:443|registry\.yarnpkg\.com:443)$ # yarn/npm pkg, cant to http :/ # ResponseFreezeDetectTime: 500 # ReuseConnections: 1 # PipelineDepth: 255 From a02fb37493f786e8d821e85d2bc78335392c52c5 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 2 Feb 2022 09:18:02 -0500 Subject: [PATCH 03/40] Update init.sls --- salt/ssl/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 0958c0db1..7ac6687e1 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls 
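Review bot: The alternation that gains `repo\.saltproject\.io:443` is anchored only with `$`; if apt-cacher-ng evaluates PassThroughPattern as an unanchored regex search (its shipped example `private-ppa\.launchpad\.net:443$` also has no `^`), a CONNECT to any host whose name merely ends in one of these suffixes, e.g. `evilrepo.saltproject.io:443`, would be tunnelled as well — worth confirming how acng matches before treating this list as an allow-list. Adding a leading anchor, `PassThroughPattern: ^(repo\.securityonion\.net:443|…|repo\.saltproject\.io:443|…)$`, closes that case regardless of the matcher's behaviour. While touching the line, `download\.docker\.com:443` appears twice in the group and one copy can be dropped.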
@@ -23,7 +23,7 @@ include: {% else %} include: - ca.dirs - {% set x509dict = salt['mine.get'](manager~'*', 'x509.get_pem_entries') %} + {% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %} {% for host in x509dict %} {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %} {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %} From 8152aec22eac22fb573d9a1d8f05d2160f1a1d72 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 2 Feb 2022 09:49:19 -0500 Subject: [PATCH 04/40] Update HOTFIX --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index 8b1378917..1ff12871f 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ - +20220202 From c5b5c5858ee827932bb7940e4cb221c2f470e884 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 2 Feb 2022 14:31:46 -0500 Subject: [PATCH 05/40] Rename to prevent field conflict --- salt/elasticsearch/files/ingest/zeek.dns | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/zeek.dns b/salt/elasticsearch/files/ingest/zeek.dns index d0c07492e..533c63611 100644 --- a/salt/elasticsearch/files/ingest/zeek.dns +++ b/salt/elasticsearch/files/ingest/zeek.dns 
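Review bot: `manager | lower~'*'` is a prefix glob on minion ids, so besides the manager's own `<host>_manager` id it also returns mine entries for any other minion whose id happens to start with the manager's host name; the `host.split('_')|last` role check in the loop below filters those out, but the target can be made exact by including the id separator, `{% set x509dict = salt['mine.get'](manager | lower~'_*', 'x509.get_pem_entries') %}`, assuming `manager` holds the same host name that forms the first segment of the minion id. Since the CA text collected here is what the rest of the state trusts, narrowing the source set to the single expected minion id is a cheap hardening step. The for loop this feeds continues past the end of the hunk.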
@@ -19,7 +19,7 @@ { "rename": { "field": "message2.RD", "target_field": "dns.recursion.desired", "ignore_missing": true } }, { "rename": { "field": "message2.RA", "target_field": "dns.recursion.available", "ignore_missing": true } }, { "rename": { "field": "message2.Z", "target_field": "dns.reserved", "ignore_missing": true } }, - { "rename": { "field": "message2.answers", "target_field": "dns.answers", "ignore_missing": true } }, + { "rename": { "field": "message2.answers", "target_field": "dns.answers.name", "ignore_missing": true } }, { "rename": { "field": "message2.TTLs", "target_field": "dns.ttls", "ignore_missing": true } }, { "rename": { "field": "message2.rejected", "target_field": "dns.query.rejected", "ignore_missing": true } }, { "script": { "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()", "ignore_failure": true } }, From fc0824ceb03f56faf2a03c1e21e754a27e7e087c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 2 Feb 2022 16:20:49 -0500 Subject: [PATCH 06/40] 2.3.100 Hotfix --- sigs/securityonion-2.3.100-20220202.iso.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/securityonion-2.3.100-20220202.iso.sig diff --git a/sigs/securityonion-2.3.100-20220202.iso.sig b/sigs/securityonion-2.3.100-20220202.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..228dafb16e078c5f5f9f7e830e1eafd31d515612 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;CEyN3V@2@re`V7LBIa1&lZ5BdVKp==x#DeGNSDm|%D z!egqN7oXL%XpVw3w)!zMKeT(y1-q)4!84At<9^L^>}H{85b8&jQAC>z4Oa^W+>B~J z;<2Q%M>lrTrE|;uq6-W!j9DjBVBCR&7rh(2X%_;qNzMq#VAZ;m=r!=(vRj3SHuHZz@%MwjBf5a}*Te1QoyChK^H8Y(%M+F{ zWP$xXxY79F*Nb@Tf3=y9ort>hUVouVbW^TFGW2;qGudc z%Rv$@=i#S6O6~~=uKGv@w%sv%KfO;`B3DZ5+BI~SHNBqtf~}EP0(7;XGel6${&6LS hi6?&h2PJ6De;|tEHwE3@K`9?vOz?JQ-qfvt-dO$I0Hgo_ literal 0 HcmV?d00001 From b94cae01767d84f63a2a006ca2022f798861a7a5 Mon Sep 17 00:00:00 2001 
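Review bot: In Zeek's dns.log, `answers` holds the resource record data returned for the query, whereas ECS defines `dns.answers.name` as the name the record pertains to and `dns.answers.data` as the record's content, so `dns.answers.data` looks like the closer fit for the new `target_field`. If `dns.answers.name` was chosen deliberately for compatibility with existing dashboards, the rename processor can carry that rationale in its own `"description"` key, since the pipeline JSON admits no comments, e.g. `{ "rename": { "description": "Zeek answers mapped to dns.answers.name for dashboard compatibility", "field": "message2.answers", "target_field": "dns.answers.name", "ignore_missing": true } }`. Note also that `message2.TTLs` still lands in the non-ECS `dns.ttls`, so TTLs remain unpaired with the answers they belong to.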
From: Mike Reeves Date: Wed, 2 Feb 2022 16:22:44 -0500 Subject: [PATCH 07/40] 2.3.100 Hotfix --- VERIFY_ISO.md | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index b52c8c740..4f9d05bbd 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,18 +1,18 @@ -### 2.3.100-20220131 ISO image built on 2022/01/31 +### 2.3.100-20220202 ISO image built on 2022/02/02 ### Download and Verify -2.3.100-20220131 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220131.iso +2.3.100-20220202 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220202.iso -MD5: 9B50774532B77A10E2F52A3F0492A780 -SHA1: 3C50D2EF4AFFFA8929492C2FC3842FF3EEE0EA5F -SHA256: CDCBEE6B1FDFB4CAF6C9F80CCADC161366EC337746E8394BF4454FAA2FC11AA1 +MD5: 170337342118DC32F8C2F687F332CA25 +SHA1: 202235BFE37F1F2E129F5D5DE13173A27A9D8CC0 +SHA256: F902C561D35F5B9DFB2D65BDAE97D30FD9E46F6822AFA36CA9C4043C50864484 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220131.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220202.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -26,26 +26,25 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220131.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220202.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220131.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220202.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.100-20220131.iso.sig securityonion-2.3.100-20220131.iso +gpg --verify securityonion-2.3.100-20220202.iso.sig securityonion-2.3.100-20220202.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Mon 31 Jan 2022 11:41:30 AM EST using RSA key ID FE507013 +gpg: Signature made Wed 02 Feb 2022 12:12:39 PM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. -Primary key fingerprint: C804 A93D 36BE 0C73 3EA1 9644 7C10 60B7 FE50 7013 ``` Once you've verified the ISO image, you're ready to proceed to our Installation guide: From 83683ec27eeadf7c16db715f4f3247a5ba81d5c4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 2 Feb 2022 16:23:51 -0500 Subject: [PATCH 08/40] 2.3.100 Hotfix --- VERIFY_ISO.md | 1 + 1 file changed, 1 insertion(+) diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 4f9d05bbd..6e1c7f9ed 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md 
@@ -45,6 +45,7 @@ gpg: Signature made Wed 02 Feb 2022 12:12:39 PM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. +Primary key fingerprint: C804 A93D 36BE 0C73 3EA1 9644 7C10 60B7 FE50 7013 ``` Once you've verified the ISO image, you're ready to proceed to our Installation guide: From d8a43015339625f470b60a2afc3c6683c90901c6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 3 Feb 2022 10:34:12 -0500 Subject: [PATCH 09/40] Update distributed-airgap-manager --- setup/automation/distributed-airgap-manager | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/automation/distributed-airgap-manager b/setup/automation/distributed-airgap-manager index 2c416fd2c..66765c38a 100644 --- a/setup/automation/distributed-airgap-manager +++ b/setup/automation/distributed-airgap-manager @@ -34,7 +34,7 @@ GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit -HOSTNAME=distributed-manager +HOSTNAME=Distributed-manager install_type=MANAGER INTERWEBS=AIRGAP # LSINPUTBATCHCOUNT= From 5c39162aefcf1ecf18d86aed7681ef2b8a5159d1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 3 Feb 2022 10:34:55 -0500 Subject: [PATCH 10/40] Update distributed-airgap-sensor --- setup/automation/distributed-airgap-sensor | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/automation/distributed-airgap-sensor b/setup/automation/distributed-airgap-sensor index dea80f8e0..597cbd1d5 100644 --- a/setup/automation/distributed-airgap-sensor +++ b/setup/automation/distributed-airgap-sensor @@ -34,7 +34,7 @@ ZEEKVERSION=ZEEK # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit -HOSTNAME=distributed-sensor +HOSTNAME=Distributed-sensor install_type=SENSOR # LSINPUTBATCHCOUNT= # LSINPUTTHREADS= 
From 797d76966178ab5ed439b14d2e4b62b1d4b640d9 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 3 Feb 2022 10:36:18 -0500 Subject: [PATCH 11/40] use actual hostname in logstash:nodes pillar --- pillar/logstash/nodes.sls | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pillar/logstash/nodes.sls b/pillar/logstash/nodes.sls index 3658065cb..18c4b39bf 100644 --- a/pillar/logstash/nodes.sls +++ b/pillar/logstash/nodes.sls @@ -1,11 +1,13 @@ {% set node_types = {} %} +{% set cached_grains = salt.saltutil.runner('cache.grains', tgt='*') %} {% for minionid, ip in salt.saltutil.runner( 'mine.get', tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-node or G@role:so-heavynode or G@role:so-receiver or G@role:so-helix ', fun='network.ip_addrs', - tgt_type='compound') | dictsort() + tgt_type='compound') | dictsort() %} -{% set hostname = minionid.split('_')[0] %} + +{% set hostname = cached_grains[minionid]['host'] %} {% set node_type = minionid.split('_')[1] %} {% if node_type not in node_types.keys() %} {% do node_types.update({node_type: {hostname: ip[0]}}) %} From 1ce386bb7f3d44c2d25011b6c80e12193b462216 Mon Sep 17 00:00:00 2001 
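Review bot: `cached_grains[minionid]['host']` raises a KeyError at pillar render time if the grains cache has no entry for a minion the mine returned (for instance one accepted but not yet refreshed), and a failed pillar render affects every minion that includes this pillar; falling back to the previous derivation, `{% set hostname = cached_grains.get(minionid, {}).get('host', minionid.split('_')[0]) %}`, keeps rendering robust. Worth a comment on that line is that the `host` grain is reported by the minion itself whereas the minion id was accepted by the master, so two minions advertising the same `host` under one node type now collide in `node_types` and the later entry silently overwrites the earlier one. The `cache.grains` runner is also called with `tgt='*'` although only the mine-targeted roles are needed; scoping it with the same compound target would avoid pulling every minion's grains into the render. The for loop continues beyond the hunk.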
From: Wes Lambert Date: Thu, 3 Feb 2022 17:33:05 +0000 Subject: [PATCH 12/40] Add more DTC transition mappings --- .../component/so/dtc-agent-mappings.json | 49 ++ .../component/so/dtc-file-mappings.json | 434 ++++++++++++ .../component/so/dtc-host-mappings.json | 252 +++++++ .../component/so/dtc-process-mappings.json | 615 ++++++++++++++++++ .../component/so/dtc-rule-mappings.json | 66 ++ .../component/so/dtc-user-mappings.json | 244 +++++++ .../index/so/so-aws-template.json.jinja | 12 +- .../index/so/so-azure-template.json.jinja | 12 +- .../index/so/so-barracuda-template.json.jinja | 12 +- .../index/so/so-beats-template.json.jinja | 12 +- .../index/so/so-bluecoat-template.json.jinja | 12 +- .../index/so/so-cef-template.json.jinja | 12 +- .../so/so-checkpoint-template.json.jinja | 12 +- .../index/so/so-cisco-template.json.jinja | 12 +- .../index/so/so-common-template.json.jinja | 12 +- .../index/so/so-cyberark-template.json.jinja | 12 +- .../index/so/so-cylance-template.json.jinja | 12 +- .../so/so-elasticsearch-template.json.jinja | 12 +- .../index/so/so-endgame-template.json.jinja | 12 +- .../index/so/so-f5-template.json.jinja | 12 +- .../index/so/so-firewall-template.json.jinja | 12 +- .../index/so/so-flow-template.json.jinja | 12 +- .../index/so/so-fortinet-template.json.jinja | 12 +- .../index/so/so-gcp-template.json.jinja | 12 +- .../so-google_workspace-template.json.jinja | 12 +- .../index/so/so-ids-template.json.jinja | 12 +- .../index/so/so-imperva-template.json.jinja | 12 +- .../index/so/so-import-template.json.jinja | 12 +- .../index/so/so-infoblox-template.json.jinja | 12 +- .../index/so/so-juniper-template.json.jinja | 12 +- .../index/so/so-kibana-template.json.jinja | 12 +- .../index/so/so-logstash-template.json.jinja | 12 +- .../index/so/so-microsoft-template.json.jinja | 12 +- .../index/so/so-misp-template.json.jinja | 12 +- .../index/so/so-netflow-template.json.jinja | 12 +- .../index/so/so-netscout-template.json.jinja | 12 +- 
.../index/so/so-o365-template.json.jinja | 12 +- .../index/so/so-okta-template.json.jinja | 12 +- .../index/so/so-osquery-template.json.jinja | 12 +- .../index/so/so-ossec-template.json.jinja | 12 +- .../so/so-proofpoint-template.json.jinja | 12 +- .../index/so/so-radware-template.json.jinja | 12 +- .../index/so/so-redis-template.json.jinja | 12 +- .../index/so/so-snort-template.json.jinja | 12 +- .../index/so/so-snyk-template.json.jinja | 12 +- .../index/so/so-sonicwall-template.json.jinja | 12 +- .../index/so/so-sophos-template.json.jinja | 12 +- .../index/so/so-squid-template.json.jinja | 12 +- .../index/so/so-strelka-template.json.jinja | 12 +- .../index/so/so-syslog-template.json.jinja | 12 +- .../index/so/so-tomcat-template.json.jinja | 12 +- .../index/so/so-zeek-template.json.jinja | 12 +- .../index/so/so-zscaler-template.json.jinja | 12 +- 53 files changed, 1942 insertions(+), 282 deletions(-) create mode 100644 salt/elasticsearch/templates/component/so/dtc-agent-mappings.json create mode 100644 salt/elasticsearch/templates/component/so/dtc-file-mappings.json create mode 100644 salt/elasticsearch/templates/component/so/dtc-host-mappings.json create mode 100644 salt/elasticsearch/templates/component/so/dtc-process-mappings.json create mode 100644 salt/elasticsearch/templates/component/so/dtc-rule-mappings.json create mode 100644 salt/elasticsearch/templates/component/so/dtc-user-mappings.json diff --git a/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json b/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json new file mode 100644 index 000000000..def10f36f --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json 
@@ -0,0 +1,49 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json new file mode 100644 index 000000000..d0ed3b51a --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json 
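Review bot: `agent.name` is typed `keyword` and also declares a `keyword` sub-field under `fields`, which indexes the identical value twice; if this is intentional so that existing references to `agent.name.keyword` keep resolving during the transition, that intent is not recoverable from the mapping itself. The component template's `_meta` object is the one place this JSON allows a note, so an entry such as `"note": "keyword sub-fields on keyword-typed fields are retained for compatibility with existing *.keyword references"` next to `ecs_version` would document it. The same duplicated sub-field appears on `file.mime_type`, `file.name`, `host.name`, `rule.category` and `rule.name` in the following hunks, and this note covers those too.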
@@ -0,0 +1,434 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + 
"type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": 
"match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json new file mode 100644 index 000000000..b0529ac41 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json 
@@ -0,0 +1,252 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + 
} + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json new file mode 100644 index 000000000..0b852e880 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json 
@@ -0,0 +1,615 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + }, + "keyword": { + "type": "keyword" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + 
"type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 
1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json b/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json new file mode 100644 index 000000000..02e25a09a --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json 
@@ -0,0 +1,66 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "rule": {
+ "properties": {
+ "author": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "category": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "description": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "license": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "reference": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ruleset": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "uuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/dtc-user-mappings.json b/salt/elasticsearch/templates/component/so/dtc-user-mappings.json
new file mode 100644
index 000000000..1ad4bac67
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/dtc-user-mappings.json
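Review bot: `rule.category` and `rule.name` each add a `keyword` multi-field on top of a field that is already `type: keyword` with the same `ignore_above`, so every value is indexed twice for no additional query capability; this departs from the stock ECS rule mapping the `_meta.documentation` URL points to, presumably to keep existing saved searches and visualisations that reference `rule.category.keyword` / `rule.name.keyword` working. Because JSON carries no comments, record that intent in the template itself, e.g. add `"so_customizations": "rule.category and rule.name keep a .keyword multi-field for compatibility with existing dashboards"` under `_meta`, so a later ECS bump neither silently drops it nor carries it forward without anyone knowing why. If no consumer depends on the `.keyword` sub-fields, drop the two `fields` blocks instead.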
@@ -0,0 +1,244 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "user": {
+ "properties": {
+ "changes": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "effective": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ 
"full_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "target": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "full_name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "group": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "hash": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "roles": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja
index 4217cb2b0..4c789c92e 100644
--- a/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja
@@ -41,7 +41,7 @@
 }
 },
 "composed_of": [
- "agent-mappings",
+ "dtc-agent-mappings",
 "base-mappings",
 "client-mappings",
 "cloud-mappings",
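Review bot: The new `dtc-user-mappings` component carries the full ECS 1.12 `user` field set (`changes`, `effective`, `group`, `target`, `hash`, `roles`, …) with no visible customisation, so as far as this hunk shows it is a verbatim copy of the stock ECS user mapping under a second name; two copies of the same mapping must be kept in sync on every ECS bump, and drift between them would change field types across index patterns. If a Security Onion deviation is intended, document it inside the template, for example `"so_customizations": "<describe the deviation>"` under `_meta`; if none is intended, keeping the existing `user-mappings` component in `composed_of` avoids the duplicate. The file also lacks a trailing newline (`\ No newline at end of file`), unlike the other new template in this patch.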
@@ -53,9 +53,9 @@
 "ecs-mappings",
 "error-mappings",
 "dtc-event-mappings",
- "file-mappings",
+ "dtc-file-mappings",
 "group-mappings",
- "host-mappings",
+ "dtc-host-mappings",
 "http-mappings",
 "log-mappings",
 "network-mappings",
@@ -63,10 +63,10 @@
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
- "process-mappings",
+ "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
- "rule-mappings",
+ "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
 "source-mappings",
@@ -75,7 +75,7 @@
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
- "user-mappings",
+ "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
 "common-dynamic-mappings"
diff --git a/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja
index a3d30e9b2..ecd743aad 100644
--- a/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja
@@ -41,7 +41,7 @@
 }
 },
 "composed_of": [
- "agent-mappings",
+ "dtc-agent-mappings",
 "base-mappings",
 "client-mappings",
 "cloud-mappings",
@@ -53,9 +53,9 @@
 "ecs-mappings",
 "error-mappings",
 "dtc-event-mappings",
- "file-mappings",
+ "dtc-file-mappings",
 "group-mappings",
- "host-mappings",
+ "dtc-host-mappings",
 "http-mappings",
 "log-mappings",
 "network-mappings",
@@ -63,10 +63,10 @@
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
- "process-mappings",
+ "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
- "rule-mappings",
+ "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
 "source-mappings",
@@ -75,7 +75,7 @@
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
- "user-mappings",
+ "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
 "common-dynamic-mappings"
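Review bot: The `composed_of` list now names `dtc-agent-mappings`, `dtc-file-mappings`, `dtc-host-mappings` and `dtc-process-mappings`, none of which are defined in the hunks visible here, and Elasticsearch rejects an index template whose `composed_of` references a component template that does not exist yet; confirm those four components are created by the same state run and loaded before any of the `so-*` index templates are PUT. Every `so-*-template.json.jinja` section that follows in this patch (azure, barracuda, beats, bluecoat, cef, checkpoint, cisco, common, cyberark, cylance, elasticsearch, endgame, f5, firewall, flow, fortinet, gcp, google_workspace, ids, imperva, import, infoblox, juniper, kibana, logstash, microsoft, misp) makes this identical edit, so the same check applies to all of them. Since the list is byte-identical across these files, hoisting it into one shared Jinja include or macro would turn the next component rename into a single-file change rather than a thirty-file one.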
diff --git a/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja b/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja index 4a7dfb7bd..c837bf62d 100644 --- a/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja index bb55bb52a..b6cffb84f 100644 --- a/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", 
@@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja b/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja index c135b4173..76649708a 100644 --- a/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja index f76e79043..e2fa1da6c 100644 --- a/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja 
@@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja index 7a097e4dd..be5c96dd7 100644 --- a/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", 
@@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja index 1e35a944e..160080d36 100644 --- a/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja @@ -42,7 +42,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -54,9 +54,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -64,10 +64,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -76,7 +76,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-common-template.json.jinja b/salt/elasticsearch/templates/index/so/so-common-template.json.jinja index 6560fb701..4320079d1 100644 --- a/salt/elasticsearch/templates/index/so/so-common-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-common-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", 
@@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja index 4f321448e..58e71e019 100644 --- a/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" 
diff --git a/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja index f2baf8883..3c190d630 100644 --- a/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja b/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja index 8308393e9..fcd6cd545 100644 --- a/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", 
@@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja b/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja index dfc1a1940..1c18069a2 100644 --- a/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja b/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja index 02077b4cd..c67c2212d 100644 --- a/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja 
@@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja b/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja index a809cd024..9fb26ff72 100644 --- a/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", 
@@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja b/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja index 773eaf059..b197ad437 100644 --- a/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja index 1595c840e..37ab89ac6 100644 --- a/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", 
@@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja index bb0671aa0..d783780b0 100644 --- a/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" 
diff --git a/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja index eca2e3278..a9fd17880 100644 --- a/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja b/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja index b15f6e2ac..2849d5350 100644 --- a/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", 
@@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja b/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja index 00ae35827..245c9bb63 100644 --- a/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-import-template.json.jinja b/salt/elasticsearch/templates/index/so/so-import-template.json.jinja index d171b1a88..6f50952df 100644 --- a/salt/elasticsearch/templates/index/so/so-import-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-import-template.json.jinja 
@@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja b/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja index d39781e60..155524441 100644 --- a/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", 
@@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja index 75ba13aa8..4edeb9e9d 100644 --- a/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja b/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja index 45a957b3a..45a01dfff 100644 --- a/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", 
@@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja b/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja index dd155df43..ee3947713 100644 --- a/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" 
diff --git a/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja index c12ec77b3..3588b34ec 100644 --- a/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja index d4b014be4..ab2f64dd6 100644 --- a/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", 
@@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja b/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja index ca53ce81b..5c82bd472 100644 --- a/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja b/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja index eb54157e3..3551e7b58 100644 --- a/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja 
@@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja index 9be552c41..7718989f2 100644 --- a/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" 
diff --git a/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja index 484882b1a..7da380dba 100644 --- a/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja index 12124590e..a4141d60c 100644 --- a/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", 
@@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja index 4eacd09ae..aa1e8bad6 100644 --- a/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja b/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja index 34a1b3a0c..e9b895471 100644 --- a/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja 
@@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja b/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja index 015051b5e..50c99cd09 100644 --- a/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", 
@@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja index 428b68746..971d5df57 100644 --- a/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja b/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja index 833534a84..553539db0 100644 --- a/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", 
@@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja index bfd6ce8aa..bd8eea0da 100644 --- a/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" 
diff --git a/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja b/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja index bf3d96a16..cc90471a5 100644 --- a/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja @@ -41,7 +41,7 @@ i%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ i%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ i%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ i%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja index 733b9adf6..5350f814f 100644 --- a/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", 
@@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja b/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja index ed7e74be8..6eb218c00 100644 --- a/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" 
diff --git a/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja b/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja index c66ac0db6..8648e96d0 100644 --- a/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja index eb14b1a98..5b6f3e286 100644 --- a/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", 
@@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja b/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja index a98f06f56..e666532f5 100644 --- a/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja b/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja index e2f6e0210..ba90a618f 100644 --- a/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja 
@@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", @@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" diff --git a/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja b/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja index b26fda66a..853e246c4 100644 --- a/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja @@ -41,7 +41,7 @@ } }, "composed_of": [ - "agent-mappings", + "dtc-agent-mappings", "base-mappings", "client-mappings", "cloud-mappings", @@ -53,9 +53,9 @@ "ecs-mappings", "error-mappings", "dtc-event-mappings", - "file-mappings", + "dtc-file-mappings", "group-mappings", - "host-mappings", + "dtc-host-mappings", "http-mappings", "log-mappings", "network-mappings", @@ -63,10 +63,10 @@ "orchestrator-mappings", "organization-mappings", "package-mappings", - "process-mappings", + "dtc-process-mappings", "registry-mappings", "related-mappings", - "rule-mappings", + "dtc-rule-mappings", "server-mappings", "service-mappings", "source-mappings", 
@@ -75,7 +75,7 @@ "tracing-mappings", "url-mappings", "user_agent-mappings", - "user-mappings", + "dtc-user-mappings", "vulnerability-mappings", "common-settings", "common-dynamic-mappings" From 4f2952105e7efc4291f10fc39cd308ed23437e27 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 3 Feb 2022 15:06:18 -0500 Subject: [PATCH 13/40] Update HOTFIX --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index 1ff12871f..aa8e22a9c 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -20220202 +20220202 20220203 From b7732fb14a627fbc330754edcf27ad0f3d7e99a3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 3 Feb 2022 15:58:26 -0500 Subject: [PATCH 14/40] 2.3.100 Hotfix 2 --- VERIFY_ISO.md | 22 ++++++++++---------- sigs/securityonion-2.3.100-20220203.iso.sig | Bin 0 -> 543 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.3.100-20220203.iso.sig diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 6e1c7f9ed..376d4328f 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md 
@@ -1,18 +1,18 @@ -### 2.3.100-20220202 ISO image built on 2022/02/02 +### 2.3.100-20220203 ISO image built on 2022/02/03 ### Download and Verify -2.3.100-20220202 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220202.iso +2.3.100-20220203 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220203.iso -MD5: 170337342118DC32F8C2F687F332CA25 -SHA1: 202235BFE37F1F2E129F5D5DE13173A27A9D8CC0 -SHA256: F902C561D35F5B9DFB2D65BDAE97D30FD9E46F6822AFA36CA9C4043C50864484 +MD5: 14705B2F2F9C973D944A4545449799C5 +SHA1: D73405BE3DE404DE19979B58DEA6F22F434E622D +SHA256: 3DD54ACBFDE0047A5EA238415F025ADB6D6AAFF53BEE084A602327CB3242B580 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220202.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220203.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220202.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220203.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220202.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220203.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.100-20220202.iso.sig securityonion-2.3.100-20220202.iso +gpg --verify securityonion-2.3.100-20220203.iso.sig securityonion-2.3.100-20220203.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Wed 02 Feb 2022 12:12:39 PM EST using RSA key ID FE507013 +gpg: Signature made Thu 03 Feb 2022 03:35:03 PM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/sigs/securityonion-2.3.100-20220203.iso.sig b/sigs/securityonion-2.3.100-20220203.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..296efd987e1fa38527e412cd9bde35e593469e45 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;CGJa+&J2@re`V7LBIa1+Tu5C2xyGf|yAh9R5+*84q@ zC#AG@TCn?PH<-4JvujiRi&(KNh5)KCPT`0jOC4PIbl1HJH+d;9$3<+Zp|;^{dPH>%s@~R8Vet(zISIt z9uNyqEepPMyq@;7b*SPgKzs3QE0xVa$-}0GqYVn~KW%;#Gq&8sRPLJ{~6J zJmVF42DVZCn4+SA8;sQ@2d8MsTA*C46L_)5vsP;eY~j;@{nB1_S3SBsb;VR#8?oPAPE z%8B}i8POr!pN(|%c*%6_A?+ud<)-_lfLvs7UrpAf!iWs)o4B{c%DfXlz5%(55M)L} h>M#(5>etjDHOmbhioa6L*-?T-1go*V1?ZWvP*OaI1MUC- literal 0 HcmV?d00001 
From a3031b2b5ce27790b45a14a305b0399eb7937cd0 Mon Sep 17 00:00:00 2001 
From: Wes Lambert Date: Fri, 4 Feb 2022 15:38:51 +0000 Subject: [PATCH 15/40] Additional DTC mapping changes --- .../component/so/dtc-agent-mappings.json | 34 +- .../component/so/dtc-base-mappings.json | 29 + .../component/so/dtc-dns-mappings.json | 29 + .../component/so/dtc-ecs-mappings.json | 25 + .../component/so/dtc-event-mappings.json | 86 +++ .../component/so/dtc-file-mappings.json | 400 ------------ .../component/so/dtc-host-mappings.json | 226 +------ .../component/so/dtc-http-mappings.json | 38 ++ .../component/so/dtc-network-mappings.json | 34 + .../component/so/dtc-observer-mappings.json | 25 + .../component/so/dtc-process-mappings.json | 590 +----------------- .../component/so/dtc-rule-mappings.json | 32 - .../component/so/dtc-service-mappings.json | 34 + .../component/so/dtc-user-mappings.json | 226 +------ .../component/so/dtc-user_agent-mappings.json | 28 + .../component/so/so-file-mappings.json | 29 + .../index/so/so-aws-template.json.jinja | 14 + .../index/so/so-azure-template.json.jinja | 14 + .../index/so/so-barracuda-template.json.jinja | 14 + .../index/so/so-beats-template.json.jinja | 14 + .../index/so/so-bluecoat-template.json.jinja | 14 + .../index/so/so-cef-template.json.jinja | 14 + .../so/so-checkpoint-template.json.jinja | 14 + .../index/so/so-cisco-template.json.jinja | 14 + .../index/so/so-common-template.json.jinja | 16 + .../index/so/so-cyberark-template.json.jinja | 14 + .../index/so/so-cylance-template.json.jinja | 14 + .../so/so-elasticsearch-template.json.jinja | 14 + .../index/so/so-endgame-template.json.jinja | 14 + .../index/so/so-f5-template.json.jinja | 14 + .../index/so/so-firewall-template.json.jinja | 14 + .../index/so/so-flow-template.json.jinja | 14 + .../index/so/so-fortinet-template.json.jinja | 14 + .../index/so/so-gcp-template.json.jinja | 14 + .../so-google_workspace-template.json.jinja | 14 + .../index/so/so-ids-template.json.jinja | 14 + .../index/so/so-imperva-template.json.jinja | 14 + 
.../index/so/so-import-template.json.jinja | 14 + .../index/so/so-infoblox-template.json.jinja | 14 + .../index/so/so-juniper-template.json.jinja | 14 + .../index/so/so-kibana-template.json.jinja | 14 + .../index/so/so-logstash-template.json.jinja | 14 + .../index/so/so-microsoft-template.json.jinja | 14 + .../index/so/so-misp-template.json.jinja | 14 + .../index/so/so-netflow-template.json.jinja | 14 + .../index/so/so-netscout-template.json.jinja | 14 + .../index/so/so-o365-template.json.jinja | 14 + .../index/so/so-okta-template.json.jinja | 14 + .../index/so/so-osquery-template.json.jinja | 14 + .../index/so/so-ossec-template.json.jinja | 14 + .../so/so-proofpoint-template.json.jinja | 14 + .../index/so/so-radware-template.json.jinja | 14 + .../index/so/so-redis-template.json.jinja | 14 + .../index/so/so-snort-template.json.jinja | 14 + .../index/so/so-snyk-template.json.jinja | 14 + .../index/so/so-sonicwall-template.json.jinja | 14 + .../index/so/so-sophos-template.json.jinja | 14 + .../index/so/so-squid-template.json.jinja | 14 + .../index/so/so-strelka-template.json.jinja | 14 + .../index/so/so-syslog-template.json.jinja | 14 + .../index/so/so-tomcat-template.json.jinja | 14 + .../index/so/so-zeek-template.json.jinja | 14 + .../index/so/so-zscaler-template.json.jinja | 14 + 63 files changed, 1050 insertions(+), 1475 deletions(-) create mode 100644 salt/elasticsearch/templates/component/so/dtc-base-mappings.json create mode 100644 salt/elasticsearch/templates/component/so/dtc-dns-mappings.json create mode 100644 salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json create mode 100644 salt/elasticsearch/templates/component/so/dtc-event-mappings.json create mode 100644 salt/elasticsearch/templates/component/so/dtc-http-mappings.json create mode 100644 salt/elasticsearch/templates/component/so/dtc-network-mappings.json create mode 100644 salt/elasticsearch/templates/component/so/dtc-observer-mappings.json create mode 100644 
salt/elasticsearch/templates/component/so/dtc-service-mappings.json create mode 100644 salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json create mode 100644 salt/elasticsearch/templates/component/so/so-file-mappings.json diff --git a/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json b/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json index def10f36f..60e344946 100644 --- a/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json @@ -8,21 +8,23 @@ "properties": { "agent": { "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { "type": "keyword" } } }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } }, "name": { "ignore_above": 1024, @@ -35,11 +37,21 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } } } } diff --git a/salt/elasticsearch/templates/component/so/dtc-base-mappings.json b/salt/elasticsearch/templates/component/so/dtc-base-mappings.json new file mode 100644 index 000000000..ff3b73792 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-base-mappings.json 
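Review bot: Every keyword field in the dtc-agent hunks (`agent.ephemeral_id`, `agent.id`, `agent.type`, `agent.version`) gains a `fields.keyword` sub-field that is itself `keyword`, so each value is indexed twice with identical semantics and the index grows without any new query capability. If the sub-field exists so that saved objects or detection logic written against dynamically-mapped `*.keyword` names keep resolving, that intent should be recorded in the file's `_meta` block (outside this hunk), e.g. `"comment": "keyword sub-fields retained for compatibility with saved objects that reference .keyword"`, since JSON offers nowhere else to say it. The same pattern appears in the new dtc-dns, dtc-ecs, dtc-event, dtc-http, dtc-network, dtc-observer and dtc-service files and in the `host.mac` and `user.name` entries of the dtc-host and dtc-user hunks; if the duplication is not needed, dropping the `fields` object from those keyword-typed entries (not from `message`, whose parent is `match_only_text`) would halve the keyword terms written for them.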
@@ -0,0 +1,29 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "message": { + "type": "match_only_text", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json b/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json new file mode 100644 index 000000000..d5a498669 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json @@ -0,0 +1,29 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "dns": { + "properties": { + "answers": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json b/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json new file mode 100644 index 000000000..521d4944f --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json @@ -0,0 +1,25 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json new file mode 100644 index 000000000..d3e577267 --- /dev/null 
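Review bot: The `message.keyword` sub-field in the dtc-base hunk has no `ignore_above`, so a message longer than Lucene's single-term limit (32766 bytes) makes the whole document fail to index, and the event is dropped rather than stored with an unindexed sub-field. Syslog lines, Windows event XML and application stack traces do exceed that size in practice, and the loss is only visible in the shipper's error log, not from the search side. Add a cap to the sub-field, `"keyword": { "type": "keyword", "ignore_above": 1024 }`, matching the limit the same file already applies to `tags`.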
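Review bot: `_meta.documentation` in the new dtc-ecs file points at `ecs-agent.html`, the agent field set page, although the file maps `ecs.version`; it reads as copied from the agent template. The ECS field set has its own reference page, so the link should be `"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html"`, consistent with the per-field-set links used by the other new files in this commit.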
+++ b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json @@ -0,0 +1,86 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "event": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "created": { + "type": "date", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "ingested": { + "type": "date", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "module": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json index d0ed3b51a..af090a0b0 100644 --- a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json 
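Review bot: `event.created` and `event.ingested` in the dtc-event hunk are `date` fields that also carry a `fields.keyword` sub-field, which indexes the unparsed source string next to the parsed date. Sources that emit epoch millis and sources that emit ISO 8601 then yield different `.keyword` terms for the same instant, so a terms aggregation or exact-match filter on those sub-fields would split one timestamp into several values; presumably nothing is meant to query them that way. Dropping the `fields` object from the two date entries keeps the date-typed behaviour and avoids the extra keyword index, e.g. `"created": { "type": "date" }`.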
@@ -8,228 +8,6 @@ "properties": { "file": { "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 
1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, "mime_type": { "ignore_above": 1024, "type": "keyword", @@ -239,13 +17,6 @@ } } }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, "name": { "ignore_above": 1024, "type": "keyword", 
@@ -254,177 +25,6 @@ "type": "keyword" } } - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - 
"public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } } } } diff --git a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json index b0529ac41..064ce850c 100644 --- a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json 
@@ -8,102 +8,6 @@ "properties": { "host": { "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, "name": { "ignore_above": 1024, "type": "keyword", 
@@ -113,133 +17,11 @@ } } }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { + "mac": { "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { "type": "keyword" } } 
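Review bot: After this hunk dtc-host maps only `host.name` and `host.mac`, so the `ip`-typed `host.ip` and the `geo_point` `host.geo.location` must now come from another component in the composed index template, which this chunk does not show. If that component is not in the template's `composed_of` list, `host.ip` falls back to dynamic mapping as `text` plus `.keyword`, and CIDR lookups and IP range queries that detection content relies on no longer behave as expected; worth confirming against the so-*-template.json.jinja files in this same commit. A one-line pointer in this file's `_meta` block (outside this hunk), such as `"comment": "ECS host fields are provided by the ecs component; this file only adds SO-specific sub-fields"`, would make the dependency explicit.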
diff --git a/salt/elasticsearch/templates/component/so/dtc-http-mappings.json b/salt/elasticsearch/templates/component/so/dtc-http-mappings.json new file mode 100644 index 000000000..1b504900a --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-http-mappings.json @@ -0,0 +1,38 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "http": { + "properties": { + "request": { + "properties": { + "method": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-network-mappings.json b/salt/elasticsearch/templates/component/so/dtc-network-mappings.json new file mode 100644 index 000000000..b42fe9771 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-network-mappings.json @@ -0,0 +1,34 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "network": { + "properties": { + "protocol": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "transport": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json b/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json new file mode 100644 index 000000000..bd7e7f3bd --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json 
@@ -0,0 +1,25 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "observer": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json index 0b852e880..688aec92c 100644 --- a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json @@ -8,49 +8,6 @@ "properties": { "process": { "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, "command_line": { "fields": { "text": { 
@@ -61,554 +18,9 @@ } }, "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - 
"type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 
1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 
1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "thread": { - "properties": { - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "thread": { - "properties": { - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" } } - } + } } } } 
diff --git a/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json b/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json index 02e25a09a..d2df0127b 100644 --- a/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json @@ -8,10 +8,6 @@ "properties": { "rule": { "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - }, "category": { "ignore_above": 1024, "type": "keyword", @@ -21,18 +17,6 @@ } } }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, "name": { "ignore_above": 1024, "type": "keyword", @@ -41,22 +25,6 @@ "type": "keyword" } } - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } } } diff --git a/salt/elasticsearch/templates/component/so/dtc-service-mappings.json b/salt/elasticsearch/templates/component/so/dtc-service-mappings.json new file mode 100644 index 000000000..76bfc274b --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-service-mappings.json @@ -0,0 +1,34 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + } + } + } + } + } + } +} 
diff --git a/salt/elasticsearch/templates/component/so/dtc-user-mappings.json b/salt/elasticsearch/templates/component/so/dtc-user-mappings.json index 1ad4bac67..3d0c3086a 100644 --- a/salt/elasticsearch/templates/component/so/dtc-user-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-user-mappings.json 
@@ -8,237 +8,21 @@ "properties": { "user": { "properties": { - "changes": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - 
"domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, "name": { "fields": { "text": { "type": "match_only_text" - } + }, + "keyword": { + "type": "keyword" + } }, "ignore_above": 1024, "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json b/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json new file mode 100644 index 000000000..07f980203 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json 
@@ -0,0 +1,28 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "user_agent": {
+ "properties": {
+ "original": {
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ },
+ "keyword": {
+ "type": "keyword"
+ }
+ },
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/so-file-mappings.json b/salt/elasticsearch/templates/component/so/so-file-mappings.json
new file mode 100644
index 000000000..1b87b0915
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/so-file-mappings.json
@@ -0,0 +1,29 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "file": {
+ "properties": {
+ "flavors": {
+ "properties": {
+ "mime": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja
index 4c789c92e..0e3415b5a 100644
--- a/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
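Review bot: `user_agent.original.keyword` carries no `ignore_above` while the parent field is capped at 1024, so a User-Agent header longer than that is skipped by `user_agent.original` but indexed in full by the sub-field, and once it exceeds Lucene's 32766-byte term limit the whole event is rejected rather than truncated; as the header is entirely client-controlled, that gives a remote sender a way to keep its request out of the index, bounded only by the header-size limit the collecting web server or shipper enforces upstream. The `text` multi-field already provides free-text search, so either bound the sub-field, `"keyword": { "type": "keyword", "ignore_above": 1024 }`, or remove it if nothing still queries `user_agent.original.keyword`.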
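Review bot: `file.flavors.mime` is not an ECS field, but `_meta.documentation` links the ECS file page and `ecs_version` asserts 1.12.2, which tells the next reader the field is standard when it is a Security Onion extension. Point `documentation` at wherever the pipeline that populates `file.flavors` is described and qualify the version, e.g. `"documentation": "Security Onion extension (not ECS): MIME types reported by file analysis"`. This component is also composed only into `so-common-template` in this patch, so the `keyword` typing is not applied to any other index pattern; if that is deliberate, a sentence in `_meta` saying so will stop it being added elsewhere by reflex.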
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja
index ecd743aad..e709e5f33 100644
--- a/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
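Review bot: The `composed_of` order is now load-bearing — each `dtc-*` override has to sit after the ECS component it overrides, because Elasticsearch merges component templates in list order and the last one wins — yet nothing in the file says so, and the same list is hand-copied into every sibling `so-*-template.json.jinja` visible in this patch. Add a Jinja comment above the array, `{# order matters: later components override earlier ones, so each dtc-* entry must follow its ECS counterpart #}`, and consider rendering the list from one shared include or pillar value so the twenty-odd copies cannot drift. Note also that this template composes `dtc-file-mappings` without the base `file-mappings` component that `so-common-template` adds, so `file.*` fields the override does not declare are dynamically mapped here; confirm that is intended rather than an omission.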
@@ -50,31 +52,43 @@ "destination-mappings", "dll-mappings", "dns-mappings", + "dtc-dns-mappings", "ecs-mappings", + "dtc-ecs-mappings", "error-mappings", + "event-mappings", "dtc-event-mappings", "dtc-file-mappings", "group-mappings", + "host-mappings", "dtc-host-mappings", "http-mappings", + "dtc-http-mappings", "log-mappings", "network-mappings", + "dtc-network-mappings", + "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", + "process-mappings", "dtc-process-mappings", "registry-mappings", "related-mappings", + "rule-mappings", "dtc-rule-mappings", "server-mappings", "service-mappings", + "dtc-service-mappings", "source-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", "url-mappings", "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", "dtc-user-mappings", "vulnerability-mappings", "common-settings", diff --git a/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja b/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja index c837bf62d..98831543f 100644 --- a/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja @@ -41,8 +41,10 @@ } }, "composed_of": [ + "agent-mappings", "dtc-agent-mappings", "base-mappings", + "dtc-base-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
@@ -50,31 +52,43 @@ "destination-mappings", "dll-mappings", "dns-mappings", + "dtc-dns-mappings", "ecs-mappings", + "dtc-ecs-mappings", "error-mappings", + "event-mappings", "dtc-event-mappings", "dtc-file-mappings", "group-mappings", + "host-mappings", "dtc-host-mappings", "http-mappings", + "dtc-http-mappings", "log-mappings", "network-mappings", + "dtc-network-mappings", + "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", + "process-mappings", "dtc-process-mappings", "registry-mappings", "related-mappings", + "rule-mappings", "dtc-rule-mappings", "server-mappings", "service-mappings", + "dtc-service-mappings", "source-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", "url-mappings", "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", "dtc-user-mappings", "vulnerability-mappings", "common-settings", diff --git a/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja index b6cffb84f..e8390bc13 100644 --- a/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja @@ -41,8 +41,10 @@ } }, "composed_of": [ + "agent-mappings", "dtc-agent-mappings", "base-mappings", + "dtc-base-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
@@ -50,31 +52,43 @@ "destination-mappings", "dll-mappings", "dns-mappings", + "dtc-dns-mappings", "ecs-mappings", + "dtc-ecs-mappings", "error-mappings", + "event-mappings", "dtc-event-mappings", "dtc-file-mappings", "group-mappings", + "host-mappings", "dtc-host-mappings", "http-mappings", + "dtc-http-mappings", "log-mappings", "network-mappings", + "dtc-network-mappings", + "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", + "process-mappings", "dtc-process-mappings", "registry-mappings", "related-mappings", + "rule-mappings", "dtc-rule-mappings", "server-mappings", "service-mappings", + "dtc-service-mappings", "source-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", "url-mappings", "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", "dtc-user-mappings", "vulnerability-mappings", "common-settings", diff --git a/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja b/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja index 76649708a..aad678ff9 100644 --- a/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja @@ -41,8 +41,10 @@ } }, "composed_of": [ + "agent-mappings", "dtc-agent-mappings", "base-mappings", + "dtc-base-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
@@ -50,31 +52,43 @@ "destination-mappings", "dll-mappings", "dns-mappings", + "dtc-dns-mappings", "ecs-mappings", + "dtc-ecs-mappings", "error-mappings", + "event-mappings", "dtc-event-mappings", "dtc-file-mappings", "group-mappings", + "host-mappings", "dtc-host-mappings", "http-mappings", + "dtc-http-mappings", "log-mappings", "network-mappings", + "dtc-network-mappings", + "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", + "process-mappings", "dtc-process-mappings", "registry-mappings", "related-mappings", + "rule-mappings", "dtc-rule-mappings", "server-mappings", "service-mappings", + "dtc-service-mappings", "source-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", "url-mappings", "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", "dtc-user-mappings", "vulnerability-mappings", "common-settings", diff --git a/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja index e2fa1da6c..1cf37b31b 100644 --- a/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja @@ -41,8 +41,10 @@ } }, "composed_of": [ + "agent-mappings", "dtc-agent-mappings", "base-mappings", + "dtc-base-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
@@ -50,31 +52,43 @@ "destination-mappings", "dll-mappings", "dns-mappings", + "dtc-dns-mappings", "ecs-mappings", + "dtc-ecs-mappings", "error-mappings", + "event-mappings", "dtc-event-mappings", "dtc-file-mappings", "group-mappings", + "host-mappings", "dtc-host-mappings", "http-mappings", + "dtc-http-mappings", "log-mappings", "network-mappings", + "dtc-network-mappings", + "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", + "process-mappings", "dtc-process-mappings", "registry-mappings", "related-mappings", + "rule-mappings", "dtc-rule-mappings", "server-mappings", "service-mappings", + "dtc-service-mappings", "source-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", "url-mappings", "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", "dtc-user-mappings", "vulnerability-mappings", "common-settings", diff --git a/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja index be5c96dd7..d737ef586 100644 --- a/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja @@ -41,8 +41,10 @@ } }, "composed_of": [ + "agent-mappings", "dtc-agent-mappings", "base-mappings", + "dtc-base-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
@@ -50,31 +52,43 @@ "destination-mappings", "dll-mappings", "dns-mappings", + "dtc-dns-mappings", "ecs-mappings", + "dtc-ecs-mappings", "error-mappings", + "event-mappings", "dtc-event-mappings", "dtc-file-mappings", "group-mappings", + "host-mappings", "dtc-host-mappings", "http-mappings", + "dtc-http-mappings", "log-mappings", "network-mappings", + "dtc-network-mappings", + "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", + "process-mappings", "dtc-process-mappings", "registry-mappings", "related-mappings", + "rule-mappings", "dtc-rule-mappings", "server-mappings", "service-mappings", + "dtc-service-mappings", "source-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", "url-mappings", "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", "dtc-user-mappings", "vulnerability-mappings", "common-settings", diff --git a/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja index 160080d36..3a875f828 100644 --- a/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja @@ -42,8 +42,10 @@ } }, "composed_of": [ + "agent-mappings", "dtc-agent-mappings", "base-mappings", + "dtc-base-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
@@ -51,31 +53,43 @@ "destination-mappings", "dll-mappings", "dns-mappings", + "dtc-dns-mappings", "ecs-mappings", + "dtc-ecs-mappings", "error-mappings", + "event-mappings", "dtc-event-mappings", "dtc-file-mappings", "group-mappings", + "host-mappings", "dtc-host-mappings", "http-mappings", + "dtc-http-mappings", "log-mappings", "network-mappings", + "dtc-network-mappings", + "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", + "process-mappings", "dtc-process-mappings", "registry-mappings", "related-mappings", + "rule-mappings", "dtc-rule-mappings", "server-mappings", "service-mappings", + "dtc-service-mappings", "source-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", "url-mappings", "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", "dtc-user-mappings", "vulnerability-mappings", "common-settings", diff --git a/salt/elasticsearch/templates/index/so/so-common-template.json.jinja b/salt/elasticsearch/templates/index/so/so-common-template.json.jinja index 4320079d1..f549f6289 100644 --- a/salt/elasticsearch/templates/index/so/so-common-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-common-template.json.jinja @@ -41,8 +41,10 @@ } }, "composed_of": [ + "agent-mappings", "dtc-agent-mappings", "base-mappings", + "dtc-base-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
@@ -50,31 +52,45 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
+ "file-mappings",
 "dtc-file-mappings",
+ "so-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja
index 58e71e019..3c1836348 100644
--- a/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
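Review bot: `so-file-mappings` departs from the `dtc-` prefix every other Security Onion override in this list uses, and because it is appended after `dtc-file-mappings` it wins on any field both declare; if the `so-` prefix is meant to distinguish non-ECS extension fields from ECS type overrides, record that in a Jinja comment, `{# dtc-* components override ECS field types; so-* components add non-ECS fields #}`, otherwise rename it for consistency. This is also the only template in the patch that composes the base `file-mappings` component; if that is deliberate because only the common index receives file-analysis events, a one-line comment here saves the next maintainer from "fixing" the sibling templates.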
@@ -50,31 +52,43 @@ "destination-mappings", "dll-mappings", "dns-mappings", + "dtc-dns-mappings", "ecs-mappings", + "dtc-ecs-mappings", "error-mappings", + "event-mappings", "dtc-event-mappings", "dtc-file-mappings", "group-mappings", + "host-mappings", "dtc-host-mappings", "http-mappings", + "dtc-http-mappings", "log-mappings", "network-mappings", + "dtc-network-mappings", + "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", + "process-mappings", "dtc-process-mappings", "registry-mappings", "related-mappings", + "rule-mappings", "dtc-rule-mappings", "server-mappings", "service-mappings", + "dtc-service-mappings", "source-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", "url-mappings", "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", "dtc-user-mappings", "vulnerability-mappings", "common-settings", diff --git a/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja index 3c190d630..b0a8b045e 100644 --- a/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja @@ -41,8 +41,10 @@ } }, "composed_of": [ + "agent-mappings", "dtc-agent-mappings", "base-mappings", + "dtc-base-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
@@ -50,31 +52,43 @@ "destination-mappings", "dll-mappings", "dns-mappings", + "dtc-dns-mappings", "ecs-mappings", + "dtc-ecs-mappings", "error-mappings", + "event-mappings", "dtc-event-mappings", "dtc-file-mappings", "group-mappings", + "host-mappings", "dtc-host-mappings", "http-mappings", + "dtc-http-mappings", "log-mappings", "network-mappings", + "dtc-network-mappings", + "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", + "process-mappings", "dtc-process-mappings", "registry-mappings", "related-mappings", + "rule-mappings", "dtc-rule-mappings", "server-mappings", "service-mappings", + "dtc-service-mappings", "source-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", "url-mappings", "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", "dtc-user-mappings", "vulnerability-mappings", "common-settings", diff --git a/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja b/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja index fcd6cd545..3002429c9 100644 --- a/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja @@ -41,8 +41,10 @@ } }, "composed_of": [ + "agent-mappings", "dtc-agent-mappings", "base-mappings", + "dtc-base-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
@@ -50,31 +52,43 @@ "destination-mappings", "dll-mappings", "dns-mappings", + "dtc-dns-mappings", "ecs-mappings", + "dtc-ecs-mappings", "error-mappings", + "event-mappings", "dtc-event-mappings", "dtc-file-mappings", "group-mappings", + "host-mappings", "dtc-host-mappings", "http-mappings", + "dtc-http-mappings", "log-mappings", "network-mappings", + "dtc-network-mappings", + "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", + "process-mappings", "dtc-process-mappings", "registry-mappings", "related-mappings", + "rule-mappings", "dtc-rule-mappings", "server-mappings", "service-mappings", + "dtc-service-mappings", "source-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", "url-mappings", "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", "dtc-user-mappings", "vulnerability-mappings", "common-settings", diff --git a/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja b/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja index 1c18069a2..055f4628e 100644 --- a/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja @@ -41,8 +41,10 @@ } }, "composed_of": [ + "agent-mappings", "dtc-agent-mappings", "base-mappings", + "dtc-base-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
@@ -50,31 +52,43 @@ "destination-mappings", "dll-mappings", "dns-mappings", + "dtc-dns-mappings", "ecs-mappings", + "dtc-ecs-mappings", "error-mappings", + "event-mappings", "dtc-event-mappings", "dtc-file-mappings", "group-mappings", + "host-mappings", "dtc-host-mappings", "http-mappings", + "dtc-http-mappings", "log-mappings", "network-mappings", + "dtc-network-mappings", + "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", + "process-mappings", "dtc-process-mappings", "registry-mappings", "related-mappings", + "rule-mappings", "dtc-rule-mappings", "server-mappings", "service-mappings", + "dtc-service-mappings", "source-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", "url-mappings", "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", "dtc-user-mappings", "vulnerability-mappings", "common-settings", diff --git a/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja b/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja index c67c2212d..6638aa6a4 100644 --- a/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja @@ -41,8 +41,10 @@ } }, "composed_of": [ + "agent-mappings", "dtc-agent-mappings", "base-mappings", + "dtc-base-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
@@ -50,31 +52,43 @@ "destination-mappings", "dll-mappings", "dns-mappings", + "dtc-dns-mappings", "ecs-mappings", + "dtc-ecs-mappings", "error-mappings", + "event-mappings", "dtc-event-mappings", "dtc-file-mappings", "group-mappings", + "host-mappings", "dtc-host-mappings", "http-mappings", + "dtc-http-mappings", "log-mappings", "network-mappings", + "dtc-network-mappings", + "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", + "process-mappings", "dtc-process-mappings", "registry-mappings", "related-mappings", + "rule-mappings", "dtc-rule-mappings", "server-mappings", "service-mappings", + "dtc-service-mappings", "source-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", "url-mappings", "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", "dtc-user-mappings", "vulnerability-mappings", "common-settings", diff --git a/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja b/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja index 9fb26ff72..d0ec4a39a 100644 --- a/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja @@ -41,8 +41,10 @@ } }, "composed_of": [ + "agent-mappings", "dtc-agent-mappings", "base-mappings", + "dtc-base-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
@@ -50,31 +52,43 @@ "destination-mappings", "dll-mappings", "dns-mappings", + "dtc-dns-mappings", "ecs-mappings", + "dtc-ecs-mappings", "error-mappings", + "event-mappings", "dtc-event-mappings", "dtc-file-mappings", "group-mappings", + "host-mappings", "dtc-host-mappings", "http-mappings", + "dtc-http-mappings", "log-mappings", "network-mappings", + "dtc-network-mappings", + "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", + "process-mappings", "dtc-process-mappings", "registry-mappings", "related-mappings", + "rule-mappings", "dtc-rule-mappings", "server-mappings", "service-mappings", + "dtc-service-mappings", "source-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", "url-mappings", "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", "dtc-user-mappings", "vulnerability-mappings", "common-settings", diff --git a/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja b/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja index b197ad437..667ac0bc6 100644 --- a/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja @@ -41,8 +41,10 @@ } }, "composed_of": [ + "agent-mappings", "dtc-agent-mappings", "base-mappings", + "dtc-base-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
@@ -50,31 +52,43 @@ "destination-mappings", "dll-mappings", "dns-mappings", + "dtc-dns-mappings", "ecs-mappings", + "dtc-ecs-mappings", "error-mappings", + "event-mappings", "dtc-event-mappings", "dtc-file-mappings", "group-mappings", + "host-mappings", "dtc-host-mappings", "http-mappings", + "dtc-http-mappings", "log-mappings", "network-mappings", + "dtc-network-mappings", + "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", + "process-mappings", "dtc-process-mappings", "registry-mappings", "related-mappings", + "rule-mappings", "dtc-rule-mappings", "server-mappings", "service-mappings", + "dtc-service-mappings", "source-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", "url-mappings", "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", "dtc-user-mappings", "vulnerability-mappings", "common-settings", diff --git a/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja index 37ab89ac6..e60829ed1 100644 --- a/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja @@ -41,8 +41,10 @@ } }, "composed_of": [ + "agent-mappings", "dtc-agent-mappings", "base-mappings", + "dtc-base-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
@@ -50,31 +52,43 @@ "destination-mappings", "dll-mappings", "dns-mappings", + "dtc-dns-mappings", "ecs-mappings", + "dtc-ecs-mappings", "error-mappings", + "event-mappings", "dtc-event-mappings", "dtc-file-mappings", "group-mappings", + "host-mappings", "dtc-host-mappings", "http-mappings", + "dtc-http-mappings", "log-mappings", "network-mappings", + "dtc-network-mappings", + "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", + "process-mappings", "dtc-process-mappings", "registry-mappings", "related-mappings", + "rule-mappings", "dtc-rule-mappings", "server-mappings", "service-mappings", + "dtc-service-mappings", "source-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", "url-mappings", "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", "dtc-user-mappings", "vulnerability-mappings", "common-settings", diff --git a/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja index d783780b0..d9d2d0c4e 100644 --- a/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja @@ -41,8 +41,10 @@ } }, "composed_of": [ + "agent-mappings", "dtc-agent-mappings", "base-mappings", + "dtc-base-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
@@ -50,31 +52,43 @@ "destination-mappings", "dll-mappings", "dns-mappings", + "dtc-dns-mappings", "ecs-mappings", + "dtc-ecs-mappings", "error-mappings", + "event-mappings", "dtc-event-mappings", "dtc-file-mappings", "group-mappings", + "host-mappings", "dtc-host-mappings", "http-mappings", + "dtc-http-mappings", "log-mappings", "network-mappings", + "dtc-network-mappings", + "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", + "process-mappings", "dtc-process-mappings", "registry-mappings", "related-mappings", + "rule-mappings", "dtc-rule-mappings", "server-mappings", "service-mappings", + "dtc-service-mappings", "source-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", "url-mappings", "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", "dtc-user-mappings", "vulnerability-mappings", "common-settings", diff --git a/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja index a9fd17880..96c911197 100644 --- a/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja @@ -41,8 +41,10 @@ } }, "composed_of": [ + "agent-mappings", "dtc-agent-mappings", "base-mappings", + "dtc-base-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
@@ -50,31 +52,43 @@ "destination-mappings", "dll-mappings", "dns-mappings", + "dtc-dns-mappings", "ecs-mappings", + "dtc-ecs-mappings", "error-mappings", + "event-mappings", "dtc-event-mappings", "dtc-file-mappings", "group-mappings", + "host-mappings", "dtc-host-mappings", "http-mappings", + "dtc-http-mappings", "log-mappings", "network-mappings", + "dtc-network-mappings", + "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", + "process-mappings", "dtc-process-mappings", "registry-mappings", "related-mappings", + "rule-mappings", "dtc-rule-mappings", "server-mappings", "service-mappings", + "dtc-service-mappings", "source-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", "url-mappings", "user_agent-mappings", + "dtc-user_agent-mappings", + "user-mappings", "dtc-user-mappings", "vulnerability-mappings", "common-settings", diff --git a/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja b/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja index 2849d5350..4c59cad35 100644 --- a/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja @@ -41,8 +41,10 @@ } }, "composed_of": [ + "agent-mappings", "dtc-agent-mappings", "base-mappings", + "dtc-base-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja b/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja
index 245c9bb63..a1e0faf9f 100644
--- a/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-import-template.json.jinja b/salt/elasticsearch/templates/index/so/so-import-template.json.jinja
index 6f50952df..32cde3eac 100644
--- a/salt/elasticsearch/templates/index/so/so-import-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-import-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja b/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja
index 155524441..9c76bb6e6 100644
--- a/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja
index 4edeb9e9d..cbd2efcfa 100644
--- a/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja b/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja
index 45a01dfff..2f89532b8 100644
--- a/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja b/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja
index ee3947713..bdf7b1b1c 100644
--- a/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja
index 3588b34ec..523a09251 100644
--- a/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja
index ab2f64dd6..0397f1a0a 100644
--- a/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja b/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja
index 5c82bd472..6a324016a 100644
--- a/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja b/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja
index 3551e7b58..704c0058d 100644
--- a/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja
index 7718989f2..31243829d 100644
--- a/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja
index 7da380dba..1fe0bd169 100644
--- a/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja
index a4141d60c..e6e0aaf2d 100644
--- a/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja
index aa1e8bad6..8441e0684 100644
--- a/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja b/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja
index e9b895471..0c2c70fd1 100644
--- a/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja b/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja
index 50c99cd09..cdfad7c16 100644
--- a/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja
index 971d5df57..39bf9946f 100644
--- a/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja b/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja
index 553539db0..b86ea153c 100644
--- a/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja
index bd8eea0da..54032f3f7 100644
--- a/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja b/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja
index cc90471a5..ea6d7abb9 100644
--- a/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja
@@ -41,8 +41,10 @@ i%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False)
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@ i%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False)
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja
index 5350f814f..f89400f97 100644
--- a/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja b/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja
index 6eb218c00..3de2f1988 100644
--- a/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja b/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja
index 8648e96d0..535aa39eb 100644
--- a/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja
index 5b6f3e286..5d63335c5 100644
--- a/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja b/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja
index e666532f5..69087e65c 100644
--- a/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja b/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja
index ba90a618f..ebc5e4c9a 100644
--- a/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
diff --git a/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja b/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja
index 853e246c4..c65c8ae85 100644
--- a/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja
@@ -41,8 +41,10 @@
 }
 },
 "composed_of": [
+ "agent-mappings",
 "dtc-agent-mappings",
 "base-mappings",
+ "dtc-base-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
@@ -50,31 +52,43 @@
 "destination-mappings",
 "dll-mappings",
 "dns-mappings",
+ "dtc-dns-mappings",
 "ecs-mappings",
+ "dtc-ecs-mappings",
 "error-mappings",
+ "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
 "group-mappings",
+ "host-mappings",
 "dtc-host-mappings",
 "http-mappings",
+ "dtc-http-mappings",
 "log-mappings",
 "network-mappings",
+ "dtc-network-mappings",
+ "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
+ "process-mappings",
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
 "service-mappings",
+ "dtc-service-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
 "url-mappings",
 "user_agent-mappings",
+ "dtc-user_agent-mappings",
+ "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
From f3902cf77dfa1269622d7ae62d9a424385975175 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Fri, 4 Feb 2022 16:00:16 +0000
Subject: [PATCH 16/40] Fix EG template and mappings
---
 .../component/so/endgame-mappings.json | 53 +++++++++++++++++++
 .../index/so/so-endgame-template.json.jinja | 5 +-
 2 files changed, 56 insertions(+), 2 deletions(-)
 create mode 100644 salt/elasticsearch/templates/component/so/endgame-mappings.json
diff --git a/salt/elasticsearch/templates/component/so/endgame-mappings.json b/salt/elasticsearch/templates/component/so/endgame-mappings.json
new file mode 100644
index 000000000..d32fb962d
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/endgame-mappings.json
@@ -0,0 +1,53 @@
+ {
+ "template": {
+ "mappings": {
+ "properties": {
+ "endgame": {
+ "dynamic": false,
+ "properties": {
+ "data": {
+ "properties": {
+ "malware_classification": {
+ "properties": {
+ "identifier": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "quarantine_result": {
+ "properties": {
+ "local_msg": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "event_subtype_full": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "event_type_full": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "metadata": {
+ "properties": {
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "_meta": {
+ "ecs_version": "1.12.2"
+ }
+}
diff --git a/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja b/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja
index 055f4628e..6c8c86757 100644
--- a/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja
@@ -6,7 +6,7 @@
 {%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-endgame:field_limit', 3000) %}
 {
 "index_patterns": [
- "so-endgame*"
+ "endgame*"
 ],
 "template": {
 "mappings": {
@@ -55,7 +55,8 @@
 "dtc-dns-mappings",
 "ecs-mappings",
 "dtc-ecs-mappings",
- "error-mappings",
+ "endgame-mappings",
+ "error-mappings",
 "event-mappings",
 "dtc-event-mappings",
 "dtc-file-mappings",
From 69cb83cac95818898035a0d5e705c427e821b549 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Fri, 4 Feb 2022 17:08:26 +0000
Subject: [PATCH 17/40] Add winlog mappings
---
 .../templates/component/ecs/winlog.json | 603 ++++++++++++++++++
 .../index/so/so-beats-template.json.jinja | 3 +-
 .../index/so/so-osquery-template.json.jinja | 3 +-
 .../index/so/so-ossec-template.json.jinja | 3 +-
 4 files changed, 609 insertions(+), 3 deletions(-)
 create mode 100644 salt/elasticsearch/templates/component/ecs/winlog.json
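Review bot: `"dynamic": false` on the `endgame` object means any `endgame.*` field not listed in this component is kept in `_source` but is neither indexed nor searchable, which is a sensible cap against mapping explosion for a vendor namespace but a silent one that the file does not record. The `_meta` block is the place to say so, and its current content `"ecs_version": "1.12.2"` is misleading on a component under `component/so` that maps no ECS fields; something like `"_meta": {"description": "endgame.* fields not listed here are stored but not searchable (dynamic: false)"}` would tell the next maintainer what was intended. The opening line is indented (`+ {`) while the closing `+}` is not, so the file does not pretty-print cleanly.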
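Review bot: Widening `index_patterns` from `"so-endgame*"` to `"endgame*"` changes which indices this template claims, not just the spelling of the intended one: every index whose name starts with `endgame` now receives these mappings and settings, and anything else in the repo that still keys on the `so-endgame` name, such as the `elasticsearch:index_settings:so-endgame:field_limit` pillar key in the context line above it, ILM policies or saved index patterns, may no longer line up with the indices actually created. If the source writes to `endgame-*` directly and the rename is deliberate, a Jinja comment above the list, e.g. `{# Endgame data is written to endgame-* rather than so-endgame-*; keep the pattern in step with the ingest pipeline #}`, would save the next reader a search. The `- "error-mappings",` / `+ "error-mappings",` pair in the second hunk appears to differ only in whitespace, and patch 18 touches the same line again, so squashing the two would keep the history clean.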
diff --git a/salt/elasticsearch/templates/component/ecs/winlog.json b/salt/elasticsearch/templates/component/ecs/winlog.json
new file mode 100644
index 000000000..a724eefb1
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/winlog.json
@@ -0,0 +1,603 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "dynamic_templates": [ + { + "winlog.event_data": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "winlog.event_data.*" + } + }, + { + "winlog.user_data": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "winlog.user_data.*" + } + } + ], + "properties": { + "winlog": { + "properties": { + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 
1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon": { + "properties": { + "failure": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_created": { + "type": "date" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_data": { + "type": "object" + }, + 
"version": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja
index e8390bc13..acec9e771 100644
--- a/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja
@@ -92,7 +92,8 @@
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
- "common-dynamic-mappings"
+ "common-dynamic-mappings",
+ "winlog-mappings"
 ],
 "priority": {{ PRIORITY }},
 "_meta": {
diff --git a/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja
index e6e0aaf2d..b862db93f 100644
--- a/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja
@@ -92,7 +92,8 @@
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
- "common-dynamic-mappings"
+ "common-dynamic-mappings",
+ "winlog-mappings"
 ],
 "priority": {{ PRIORITY }},
 "_meta": {
diff --git a/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja
index 8441e0684..a3272d88f 100644
--- a/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja
@@ -92,7 +92,8 @@
 "dtc-user-mappings",
 "vulnerability-mappings",
 "common-settings",
- "common-dynamic-mappings"
+ "common-dynamic-mappings",
+ "winlog-mappings"
 ],
 "priority": {{ PRIORITY }},
 "_meta": {
From 5e03b1a5de30ce30468fdc28cc19d9af31d61117 Mon Sep 17 00:00:00 2001
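Review bot: `ScriptBlockText` under `winlog.event_data` is mapped as `keyword` with `"ignore_above": 1024`, so PowerShell script-block contents longer than 1024 characters are kept in `_source` but never indexed, which makes exactly the values analysts and detection rules most need to search on invisible to queries; `PrivilegeList`, `Description` and `Detail` in the same block routinely exceed that length too. A `text` mapping with a `keyword` sub-field, or at least a larger `ignore_above` for those few fields, would keep them queryable without giving up the keyword default for the rest of `event_data.*`. Separately, `_meta.documentation` points at ecs-base.html, which describes the ECS base field set and nothing about `winlog`; since `winlog.*` is not an ECS field set even though the file lives under `component/ecs`, a `_meta.description` naming where these field names come from (presumably the Winlogbeat fields, which I cannot confirm from here) would be more accurate than the copied URL. The hunk starts on an earlier line of this view.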
From: Wes Lambert
Date: Fri, 4 Feb 2022 18:11:03 +0000
Subject: [PATCH 18/40] Fix reference for file mappings in template
---
 .../templates/index/so/so-aws-template.json.jinja | 1 +
 .../templates/index/so/so-azure-template.json.jinja | 1 +
 .../templates/index/so/so-barracuda-template.json.jinja | 1 +
 .../templates/index/so/so-beats-template.json.jinja | 4 +++-
 .../templates/index/so/so-bluecoat-template.json.jinja | 1 +
 .../templates/index/so/so-cef-template.json.jinja | 1 +
 .../templates/index/so/so-checkpoint-template.json.jinja | 1 +
 .../templates/index/so/so-cisco-template.json.jinja | 1 +
 .../templates/index/so/so-cyberark-template.json.jinja | 1 +
 .../templates/index/so/so-cylance-template.json.jinja | 1 +
 .../templates/index/so/so-elasticsearch-template.json.jinja | 1 +
 .../templates/index/so/so-endgame-template.json.jinja | 3 ++-
 .../templates/index/so/so-f5-template.json.jinja | 1 +
 .../templates/index/so/so-firewall-template.json.jinja | 1 +
 .../templates/index/so/so-flow-template.json.jinja | 1 +
 .../templates/index/so/so-fortinet-template.json.jinja | 1 +
 .../templates/index/so/so-gcp-template.json.jinja | 1 +
 .../index/so/so-google_workspace-template.json.jinja | 1 +
 .../templates/index/so/so-ids-template.json.jinja | 1 +
 .../templates/index/so/so-imperva-template.json.jinja | 1 +
 .../templates/index/so/so-import-template.json.jinja | 1 +
 .../templates/index/so/so-infoblox-template.json.jinja | 1 +
 .../templates/index/so/so-juniper-template.json.jinja | 1 +
 .../templates/index/so/so-kibana-template.json.jinja | 1 +
 .../templates/index/so/so-logstash-template.json.jinja | 1 +
 .../templates/index/so/so-microsoft-template.json.jinja | 1 +
 .../templates/index/so/so-misp-template.json.jinja | 1 +
 .../templates/index/so/so-netflow-template.json.jinja | 1 +
 .../templates/index/so/so-netscout-template.json.jinja | 1 +
 .../templates/index/so/so-o365-template.json.jinja | 1 +
 .../templates/index/so/so-okta-template.json.jinja | 1 +
 .../templates/index/so/so-osquery-template.json.jinja | 4 +++-
 .../templates/index/so/so-ossec-template.json.jinja | 4 +++-
 .../templates/index/so/so-proofpoint-template.json.jinja | 1 +
 .../templates/index/so/so-radware-template.json.jinja | 1 +
 .../templates/index/so/so-redis-template.json.jinja | 1 +
 .../templates/index/so/so-snort-template.json.jinja | 1 +
 .../templates/index/so/so-snyk-template.json.jinja | 1 +
 .../templates/index/so/so-sonicwall-template.json.jinja | 1 +
 .../templates/index/so/so-sophos-template.json.jinja | 1 +
 .../templates/index/so/so-squid-template.json.jinja | 1 +
 .../templates/index/so/so-strelka-template.json.jinja | 2 ++
 .../templates/index/so/so-syslog-template.json.jinja | 1 +
 .../templates/index/so/so-tomcat-template.json.jinja | 1 +
 .../templates/index/so/so-zeek-template.json.jinja | 1 +
 .../templates/index/so/so-zscaler-template.json.jinja | 1 +
 46 files changed, 54 insertions(+), 4 deletions(-)
diff --git a/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja
index 0e3415b5a..09e61fa8a 100644
--- a/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja
@@ -58,6 +58,7 @@
 "error-mappings",
 "event-mappings",
 "dtc-event-mappings",
+ "file-mappings",
 "dtc-file-mappings",
 "group-mappings",
 "host-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja
index e709e5f33..366acb167 100644
--- a/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja
@@ -58,6 +58,7 @@
 "error-mappings",
 "event-mappings",
 "dtc-event-mappings",
+ "file-mappings",
 "dtc-file-mappings",
 "group-mappings",
 "host-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja b/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja
index 98831543f..bde70c190 100644
--- a/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja
@@ -58,6 +58,7 @@
 "error-mappings",
 "event-mappings",
 "dtc-event-mappings",
+ "file-mappings",
 "dtc-file-mappings",
 "group-mappings",
 "host-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja
index acec9e771..54eb8dccb 100644
--- a/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja
@@ -58,6 +58,7 @@
 "error-mappings",
 "event-mappings",
 "dtc-event-mappings",
+ "file-mappings",
 "dtc-file-mappings",
 "group-mappings",
 "host-mappings",
@@ -93,7 +94,8 @@
 "vulnerability-mappings",
 "common-settings",
 "common-dynamic-mappings",
- "winlog-mappings"
+ "winlog-mappings",
+ "so-winlog-mappings"
 ],
 "priority": {{ PRIORITY }},
 "_meta": {
diff --git a/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja b/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja
index aad678ff9..e0b69f24d 100644
--- a/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja
@@ -58,6 +58,7 @@
 "error-mappings",
 "event-mappings",
 "dtc-event-mappings",
+ "file-mappings",
 "dtc-file-mappings",
 "group-mappings",
 "host-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja
index 1cf37b31b..c47d36875 100644
--- a/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja
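Review bot: `so-winlog-mappings` is added to the composed_of of so-beats-template in the second hunk of that file, but this patch's 46-file diffstat lists index templates only, and patch 17 created just `component/ecs/winlog.json`; unless a `so-winlog-mappings` component is defined in a patch of this series outside this view, Elasticsearch will refuse to install the beats template because composed_of names a component template that does not exist, and the beats indices would fall back to whatever template matches next. The component should land in the same commit that references it so every point in the history is installable, or the reference should wait for the commit that adds it. The three-line `- "winlog-mappings"` / `+ "winlog-mappings",` / `+ "so-winlog-mappings"` edit also reads as "so-" overriding the ECS one, which relies on composed_of order and deserves a one-line Jinja comment in the template saying that later components win.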
@@ -58,6 +58,7 @@
 "error-mappings",
 "event-mappings",
 "dtc-event-mappings",
+ "file-mappings",
 "dtc-file-mappings",
 "group-mappings",
 "host-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja
index d737ef586..458c675ac 100644
--- a/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja
@@ -58,6 +58,7 @@
 "error-mappings",
 "event-mappings",
 "dtc-event-mappings",
+ "file-mappings",
 "dtc-file-mappings",
 "group-mappings",
 "host-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja
index 3a875f828..b506026f8 100644
--- a/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja
@@ -59,6 +59,7 @@
 "error-mappings",
 "event-mappings",
 "dtc-event-mappings",
+ "file-mappings",
 "dtc-file-mappings",
 "group-mappings",
 "host-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja
index 3c1836348..d0e2802e5 100644
--- a/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja
@@ -58,6 +58,7 @@
 "error-mappings",
 "event-mappings",
 "dtc-event-mappings",
+ "file-mappings",
 "dtc-file-mappings",
 "group-mappings",
 "host-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja
index b0a8b045e..910fea825 100644
--- a/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja
@@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja b/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja index 3002429c9..ce6864398 100644 --- a/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja b/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja index 6c8c86757..9de433b05 100644 --- a/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja @@ -56,9 +56,10 @@ "ecs-mappings", "dtc-ecs-mappings", "endgame-mappings", - "error-mappings", + "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja b/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja index 6638aa6a4..6a558742f 100644 --- a/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja b/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja index d0ec4a39a..cf489278e 100644 --- a/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja 
+++ b/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja b/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja index 667ac0bc6..1fb892487 100644 --- a/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja index e60829ed1..00fa7be2a 100644 --- a/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja index d9d2d0c4e..aa964a52d 100644 --- a/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja index 96c911197..5816a94f3 100644 --- a/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja 
+++ b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja b/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja index 4c59cad35..44c56645e 100644 --- a/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja b/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja index a1e0faf9f..bdc399121 100644 --- a/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-import-template.json.jinja b/salt/elasticsearch/templates/index/so/so-import-template.json.jinja index 32cde3eac..d449009c9 100644 --- a/salt/elasticsearch/templates/index/so/so-import-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-import-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja b/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja index 9c76bb6e6..f8e070b25 100644 --- a/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja 
+++ b/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja index cbd2efcfa..1f2eca87c 100644 --- a/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja b/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja index 2f89532b8..446b0f715 100644 --- a/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja b/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja index bdf7b1b1c..983840f93 100644 --- a/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja index 523a09251..6105b1e00 100644 --- a/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja 
+++ b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja index 0397f1a0a..a2b2a0d63 100644 --- a/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja b/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja index 6a324016a..470e86977 100644 --- a/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja b/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja index 704c0058d..7670d5659 100644 --- a/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja index 31243829d..c34cbbd37 100644 --- a/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja 
+++ b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja index 1fe0bd169..e45a664d9 100644 --- a/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja index b862db93f..63b239926 100644 --- a/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", @@ -93,7 +94,8 @@ "vulnerability-mappings", "common-settings", "common-dynamic-mappings", - "winlog-mappings" + "winlog-mappings", + "so-winlog-mappings" ], "priority": {{ PRIORITY }}, "_meta": { diff --git a/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja index a3272d88f..7ef475e45 100644 --- a/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", 
@@ -93,7 +94,8 @@ "vulnerability-mappings", "common-settings", "common-dynamic-mappings", - "winlog-mappings" + "winlog-mappings", + "so-winlog-mappings" ], "priority": {{ PRIORITY }}, "_meta": { diff --git a/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja b/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja index 0c2c70fd1..a75ebc600 100644 --- a/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja b/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja index cdfad7c16..19b7081e1 100644 --- a/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja index 39bf9946f..8eb44cb87 100644 --- a/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja b/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja index b86ea153c..63b2506f0 100644 --- a/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja 
@@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja index 54032f3f7..c22a6d9bd 100644 --- a/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja b/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja index ea6d7abb9..f2b9c558d 100644 --- a/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja @@ -58,6 +58,7 @@ i%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja index f89400f97..1eda879fb 100644 --- a/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja b/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja index 3de2f1988..3ec8fe067 100644 --- a/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja 
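Review bot: The hunk header's context line for so-sonicwall-template.json.jinja reads `i%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False)`, which looks like a mangled `{%- set ... %}` Jinja tag rather than a valid statement. The line is pre-existing and not changed by this commit, but if the file really contains `i%-` the tag would presumably be emitted as literal text and the rendered template would not be valid JSON, so the template install for this index would fail. Worth confirming against the file and fixing in a follow-up; the enclosing object starts and ends outside the hunk.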
+++ b/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja b/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja index 535aa39eb..06783d3e8 100644 --- a/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja @@ -58,7 +58,9 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", + "so-file-mappings", "group-mappings", "host-mappings", "dtc-host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja index 5d63335c5..af609836e 100644 --- a/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja b/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja index 69087e65c..af48c7540 100644 --- a/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja b/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja index ebc5e4c9a..a7a354936 100644 --- a/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja 
+++ b/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja b/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja index c65c8ae85..abb475b6f 100644 --- a/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja @@ -58,6 +58,7 @@ "error-mappings", "event-mappings", "dtc-event-mappings", + "file-mappings", "dtc-file-mappings", "group-mappings", "host-mappings", From 1ce8bb352326fb00f793f380a397b4217c8d9b53 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 4 Feb 2022 18:14:01 +0000 Subject: [PATCH 19/40] Fix winlog mapping reference reversion --- .../templates/index/so/so-beats-template.json.jinja | 3 +-- .../templates/index/so/so-osquery-template.json.jinja | 3 +-- .../templates/index/so/so-ossec-template.json.jinja | 3 +-- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja index 54eb8dccb..5f935d65b 100644 --- a/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja @@ -94,8 +94,7 @@ "vulnerability-mappings", "common-settings", "common-dynamic-mappings", - "winlog-mappings", - "so-winlog-mappings" + "winlog-mappings" ], "priority": {{ PRIORITY }}, "_meta": { diff --git a/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja index 63b239926..a7459abc3 100644 --- a/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja 
@@ -94,8 +94,7 @@
 "vulnerability-mappings",
 "common-settings",
 "common-dynamic-mappings",
- "winlog-mappings",
- "so-winlog-mappings"
+ "winlog-mappings"
 ],
 "priority": {{ PRIORITY }},
 "_meta": {
diff --git a/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja
index 7ef475e45..3f78942c3 100644
--- a/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja
@@ -94,8 +94,7 @@
 "vulnerability-mappings",
 "common-settings",
 "common-dynamic-mappings",
- "winlog-mappings",
- "so-winlog-mappings"
+ "winlog-mappings"
 ],
 "priority": {{ PRIORITY }},
 "_meta": {
From 317f6471d8d00b3575fadd35d8fdf411458f3621 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Fri, 4 Feb 2022 19:05:09 +0000
Subject: [PATCH 20/40] Add additional scan and rule filset mappings
---
 .../component/so/so-rule-mappings.json | 19 ++++++++++++
 .../component/so/so-scan-mappings.json | 31 +++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 salt/elasticsearch/templates/component/so/so-rule-mappings.json
 create mode 100644 salt/elasticsearch/templates/component/so/so-scan-mappings.json
diff --git a/salt/elasticsearch/templates/component/so/so-rule-mappings.json b/salt/elasticsearch/templates/component/so/so-rule-mappings.json
new file mode 100644
index 000000000..00cea1bfe
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/so-rule-mappings.json
@@ -0,0 +1,19 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "rule":{
+ "properties":{
+ "score":{
+ "type":"long"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/so-scan-mappings.json b/salt/elasticsearch/templates/component/so/so-scan-mappings.json
new file mode 100644
index 000000000..00d10f73b
--- /dev/null
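Review bot: `_meta.documentation` in so-rule-mappings.json points at ecs-file.html, which does not describe the `rule` field set this file defines; the same copied URL appears in so-scan-mappings.json in the next hunk, and the newcomponents files in patch 29 (kibana.json, logstash.json, netflow.json) all point at ecs-base.html for field sets that are not the base set. Since these are Security Onion extensions rather than ECS field sets, a value that says so, e.g. `"documentation": "Security Onion custom mappings for rule.*"`, or the ECS rule field-set page for this one, would stop readers from looking in the wrong place. The `ecs_version` value is fine if it is meant to record which ECS release these extend.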
+++ b/salt/elasticsearch/templates/component/so/so-scan-mappings.json
@@ -0,0 +1,31 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "scan":{
+ "type":"object",
+ "properties":{
+ "exiftool":{
+ "type":"text"
+ },
+ "pe":{
+ "properties":{
+ "sections":{
+ "properties":{
+ "entropy":{
+ "type": "float"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
From 23fbf140ba97eb5d88540d77695ef0c31e68b646 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 4 Feb 2022 15:06:42 -0500
Subject: [PATCH 21/40] soup with dockers from iso
---
 salt/common/tools/sbin/soup | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 61b936f1a..65bac5b16 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -1031,6 +1031,10 @@ main() {
 update_centos_repo
 yum clean all
 check_os_updates
+ # the -f optarg was used
+ elif [[ ! -z "$ISOLOC" ]]; then
+ airgap_mounted
+ airgap_update_dockers
 else
 update_registry
 set +e
From 267ef354c28317179cdf2e51e021ab5fe8f2dc45 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 4 Feb 2022 15:09:35 -0500
Subject: [PATCH 22/40] unmount iso after updating dockers
---
 salt/common/tools/sbin/soup | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 65bac5b16..a48f667fb 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -1035,6 +1035,7 @@ main() {
 elif [[ ! -z "$ISOLOC" ]]; then
 airgap_mounted
 airgap_update_dockers
+ unmount_update
 else
 update_registry
 set +e
From eb0696b425e1399535b6a7943b200a54c44012b6 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 4 Feb 2022 15:36:44 -0500
Subject: [PATCH 23/40] update dockers if -f used
---
 salt/common/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
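Review bot: `scan.exiftool` is mapped as a single `text` field while its sibling `scan.pe` is mapped as an object tree, which only works if events always carry the exiftool output as a string. If the producer (presumably Strelka, given the so-strelka template changes elsewhere in this series) emits `scan.exiftool` as an object or a list of key/value pairs, those documents are rejected with a mapping conflict rather than indexed. Confirm the shape of that field against a real event before the template is installed, and if it is structured prefer `"type": "object", "enabled": false` or `flattened` over `text`.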
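Review bot: The new `elif [[ ! -z "$ISOLOC" ]]` branch hands `$ISOLOC` straight to `airgap_mounted` without checking that it names a readable file, so a mistyped -f path presumably surfaces as a mount error partway through the run rather than a clear message up front. A guard such as `if [[ ! -r "$ISOLOC" ]]; then echo "ISO not found: $ISOLOC"; exit 1; fi` next to option parsing would fail fast, and `[[ -n "$ISOLOC" ]]` is the idiomatic spelling of the test. Since the registry tarball read from this ISO becomes the source of the updated containers, verifying the ISO's checksum or signature before mounting it is also worth considering. `main()` continues outside the hunk.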
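Review bot: `unmount_update` is only reached if `airgap_update_dockers` returns normally; the patch 23 hunk shows that function printing `Unable to locate registry. Exiting` when the tarball is missing, and if that path exits the ISO is left mounted. Registering the cleanup with `trap unmount_update EXIT` where the ISO is mounted would unmount on every exit path, provided `unmount_update` tolerates being called when nothing is mounted. `main()` continues outside the hunk.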
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index a48f667fb..4ea1cd82e 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -158,7 +158,7 @@ EOF } airgap_update_dockers() { - if [[ $is_airgap -eq 0 ]]; then + if [[ $is_airgap -eq 0 ]] || [[ ! -z "$ISOLOC" ]]; then # Let's copy the tarball if [[ ! -f $AGDOCKER/registry.tar ]]; then echo "Unable to locate registry. Exiting" From 780aace854ae8dc87eb2015f4c92009191ee6b9f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 4 Feb 2022 15:44:25 -0500 Subject: [PATCH 24/40] set AGDOCKER --- salt/common/tools/sbin/soup | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 4ea1cd82e..994896cf4 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -1031,9 +1031,10 @@ main() { update_centos_repo yum clean all check_os_updates - # the -f optarg was used + # the -f optarg was used and not airgap elif [[ ! -z "$ISOLOC" ]]; then airgap_mounted + AGDOCKER=/tmp/soagupdate/docker airgap_update_dockers unmount_update else From 7c31eb128830f368988221cc3a9d03362d580e8a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 4 Feb 2022 16:07:06 -0500 Subject: [PATCH 25/40] mount iso at different point --- salt/common/tools/sbin/soup | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 994896cf4..8e0b4782a 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -976,6 +976,11 @@ main() { # Let's mount the ISO since this is airgap airgap_mounted else + # if not airgrap but -f was used + if [[ ! -z "$ISOLOC" ]]; then + airgap_mounted + AGDOCKER=/tmp/soagupdate/docker + fi echo "Cloning Security Onion github repo into $UPDATE_DIR." echo "Removing previous upgrade sources." rm -rf $UPDATE_DIR 
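Review bot: `[[ $is_airgap -eq 0 ]]` is true when `is_airgap` is empty or unset, because bash evaluates an empty operand of `-eq` as 0, so the new `||` condition does not narrow the function to the two intended cases if `is_airgap` can be unset at this point. If `is_airgap` is always assigned before `airgap_update_dockers` runs this is harmless; otherwise `[[ ${is_airgap:-1} -eq 0 ]]` would make the default explicit. The rest of `airgap_update_dockers` lies outside the hunk.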
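Review bot: `AGDOCKER=/tmp/soagupdate/docker` hard-codes the container image source under world-writable /tmp, and patch 25 moves the same assignment into the mount branch without changing that. If the mount that `airgap_mounted` presumably performs on `/tmp/soagupdate` fails or is skipped, whatever already exists at that path (a directory any local user could have pre-created) is what `airgap_update_dockers` would read `registry.tar` from. Checking that the mount succeeded before setting `AGDOCKER`, e.g. `mountpoint -q /tmp/soagupdate || { echo "ISO mount failed"; exit 1; }`, or using a root-owned location under /var or /opt, would close that gap. `main()` continues outside the hunk.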
@@ -1031,10 +1036,8 @@ main() {
 update_centos_repo
 yum clean all
 check_os_updates
- # the -f optarg was used and not airgap
+ # if not airgrap but -f was used
 elif [[ ! -z "$ISOLOC" ]]; then
- airgap_mounted
- AGDOCKER=/tmp/soagupdate/docker
 airgap_update_dockers
 unmount_update
 else
From 7d09d1f7e26e4f063bc1a4f2208ffacbf0d5c098 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Mon, 7 Feb 2022 09:22:43 -0500
Subject: [PATCH 26/40] Update soup
---
 salt/common/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 8e0b4782a..ae3c1b641 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -976,7 +976,7 @@ main() {
 # Let's mount the ISO since this is airgap
 airgap_mounted
 else
- # if not airgrap but -f was used
+ # if not airgap but -f was used
 if [[ ! -z "$ISOLOC" ]]; then
 airgap_mounted
 AGDOCKER=/tmp/soagupdate/docker
From e0c0eba24e2f3cd3e43f7a4891428bf9312593d7 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Mon, 7 Feb 2022 09:23:30 -0500
Subject: [PATCH 27/40] Update soup
---
 salt/common/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index ae3c1b641..347c10b81 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -1036,7 +1036,7 @@ main() {
 update_centos_repo
 yum clean all
 check_os_updates
- # if not airgrap but -f was used
+ # if not airgap but -f was used
 elif [[ ! -z "$ISOLOC" ]]; then
 airgap_update_dockers
 unmount_update
From 50215c550bd56b3db8f5ede3710b5ea01df338a5 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Mon, 7 Feb 2022 14:31:42 +0000
Subject: [PATCH 28/40] Sort index listing alphabetically and add header (@gebhard73)
---
 salt/common/tools/sbin/so-elasticsearch-indices-list | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-elasticsearch-indices-list b/salt/common/tools/sbin/so-elasticsearch-indices-list index c6b661dbf..f7662f4e2 100755 --- a/salt/common/tools/sbin/so-elasticsearch-indices-list +++ b/salt/common/tools/sbin/so-elasticsearch-indices-list @@ -18,4 +18,4 @@ . /usr/sbin/so-common -{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_cat/indices?pretty +{{ ELASTICCURL }} -s -k -L "https://{{ NODEIP }}:9200/_cat/indices?pretty&v&s=index" From 03bfb052edad08ad15758f3ede32b5e5cfd7112e Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 7 Feb 2022 19:42:24 +0000 Subject: [PATCH 29/40] Add component templates for Elasticsearch, Kibana, Logstash, Netflow, Suricata, and Zeek --- .../ecs/newcomponents/elasticsearch.json | 25 + .../component/ecs/newcomponents/kibana.json | 75 + .../component/ecs/newcomponents/logstash.json | 99 + .../component/ecs/newcomponents/netflow.json | 1423 ++++++++++ .../component/ecs/newcomponents/suricata.json | 850 ++++++ .../component/ecs/newcomponents/zeek.json | 2279 +++++++++++++++++ 6 files changed, 4751 insertions(+) create mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/elasticsearch.json create mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/kibana.json create mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/logstash.json create mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/netflow.json create mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/suricata.json create mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/zeek.json diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/elasticsearch.json b/salt/elasticsearch/templates/component/ecs/newcomponents/elasticsearch.json new file mode 100644 index 000000000..f409ed95a --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/newcomponents/elasticsearch.json 
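Review bot: The rewritten curl line keeps `-k`, so the listing still talks to Elasticsearch without verifying its certificate even though the change itself only appends `&v&s=index` to the URL. That flag is pre-existing, but since the line is being touched anyway, passing the cluster CA with `--cacert <path-to-ca>` in place of `-k` would let the script verify the endpoint it is sending credentials to. Quoting the URL is the right call here, as the unquoted `&` would otherwise background the command. The rest of the script is outside the hunk.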
@@ -0,0 +1,25 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "@timestamp": { + "type": "date" + }, + "labels": { + "type": "object" + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/kibana.json b/salt/elasticsearch/templates/component/ecs/newcomponents/kibana.json new file mode 100644 index 000000000..d1ea67de7 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/newcomponents/kibana.json @@ -0,0 +1,75 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "kibana": { + "properties": { + "add_to_spaces": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delete_from_spaces": { + "ignore_above": 1024, + "type": "keyword" + }, + "log": { + "properties": { + "meta": { + "type": "object" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "lookup_realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "saved_object": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "space_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} 
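Review bot: `message` is mapped as `match_only_text`, a field type that only exists in Elasticsearch 7.14 and later, so installing this component template on an older cluster fails at PUT time rather than at index time. If the Elasticsearch version pinned elsewhere in this repo is at or above that, this is fine; otherwise `"type": "text", "norms": false` is the compatible fallback. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the other new component files in this commit.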
diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/logstash.json b/salt/elasticsearch/templates/component/ecs/newcomponents/logstash.json new file mode 100644 index 000000000..ecfb17551 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/newcomponents/logstash.json @@ -0,0 +1,99 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "logstash": { + "properties": { + "log": { + "properties": { + "log_event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "pipeline_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + "event": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_params": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_params_object": { + "type": "object" + }, + "plugin_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "took_in_millis": { + "type": "long" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/netflow.json b/salt/elasticsearch/templates/component/ecs/newcomponents/netflow.json new file mode 100644 index 000000000..10f34c3d4 --- /dev/null 
+++ b/salt/elasticsearch/templates/component/ecs/newcomponents/netflow.json 
@@ -0,0 +1,1423 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "netflow": { + "properties": { + "absolute_error": { + "type": "double" + }, + "address_pool_high_threshold": { + "type": "long" + }, + "address_pool_low_threshold": { + "type": "long" + }, + "address_port_mapping_high_threshold": { + "type": "long" + }, + "address_port_mapping_low_threshold": { + "type": "long" + }, + "address_port_mapping_per_user_high_threshold": { + "type": "long" + }, + "anonymization_flags": { + "type": "long" + }, + "anonymization_technique": { + "type": "long" + }, + "application_category_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_group_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_id": { + "type": "short" + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_sub_category_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "bgp_destination_as_number": { + "type": "long" + }, + "bgp_next_adjacent_as_number": { + "type": "long" + }, + "bgp_next_hop_ipv4_address": { + "type": "ip" + }, + "bgp_next_hop_ipv6_address": { + "type": "ip" + }, + "bgp_prev_adjacent_as_number": { + "type": "long" + }, + "bgp_source_as_number": { + "type": "long" + }, + "bgp_validity_state": { + "type": "short" + }, + "biflow_direction": { + "type": "short" + }, + "class_id": { + "type": "long" + }, + "class_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification_engine_id": { + "type": "short" + }, + "collection_time_milliseconds": { + "type": "date" + }, + "collector_certificate": { + "type": "short" + }, + "collector_ipv4_address": { + "type": "ip" + }, + "collector_ipv6_address": { + "type": "ip" + }, + "collector_transport_port": { + "type": "long" + }, + 
"common_properties_id": { + "type": "long" + }, + "confidence_level": { + "type": "double" + }, + "connection_sum_duration_seconds": { + "type": "long" + }, + "connection_transaction_id": { + "type": "long" + }, + "data_link_frame_section": { + "type": "short" + }, + "data_link_frame_size": { + "type": "long" + }, + "data_link_frame_type": { + "type": "long" + }, + "data_records_reliability": { + "type": "boolean" + }, + "delta_flow_count": { + "type": "long" + }, + "destination_ipv4_address": { + "type": "ip" + }, + "destination_ipv4_prefix": { + "type": "ip" + }, + "destination_ipv4_prefix_length": { + "type": "short" + }, + "destination_ipv6_address": { + "type": "ip" + }, + "destination_ipv6_prefix": { + "type": "ip" + }, + "destination_ipv6_prefix_length": { + "type": "short" + }, + "destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_transport_port": { + "type": "long" + }, + "digest_hash_value": { + "type": "long" + }, + "distinct_count_of_destination_ip_address": { + "type": "long" + }, + "distinct_count_of_destination_ipv4_address": { + "type": "long" + }, + "distinct_count_of_destination_ipv6_address": { + "type": "long" + }, + "distinct_count_of_source_ip_address": { + "type": "long" + }, + "distinct_count_of_source_ipv4_address": { + "type": "long" + }, + "distinct_count_of_source_ipv6_address": { + "type": "long" + }, + "dot1q_customer_dei": { + "type": "boolean" + }, + "dot1q_customer_destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "dot1q_customer_priority": { + "type": "short" + }, + "dot1q_customer_source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "dot1q_customer_vlan_id": { + "type": "long" + }, + "dot1q_dei": { + "type": "boolean" + }, + "dot1q_priority": { + "type": "short" + }, + "dot1q_service_instance_id": { + "type": "long" + }, + "dot1q_service_instance_priority": { + "type": "short" + }, + "dot1q_service_instance_tag": { + "type": "short" + }, + 
"dot1q_vlan_id": { + "type": "long" + }, + "dropped_layer2_octet_delta_count": { + "type": "long" + }, + "dropped_layer2_octet_total_count": { + "type": "long" + }, + "dropped_octet_delta_count": { + "type": "long" + }, + "dropped_octet_total_count": { + "type": "long" + }, + "dropped_packet_delta_count": { + "type": "long" + }, + "dropped_packet_total_count": { + "type": "long" + }, + "dst_traffic_index": { + "type": "long" + }, + "egress_broadcast_packet_total_count": { + "type": "long" + }, + "egress_interface": { + "type": "long" + }, + "egress_interface_type": { + "type": "long" + }, + "egress_physical_interface": { + "type": "long" + }, + "egress_unicast_packet_total_count": { + "type": "long" + }, + "egress_vrfid": { + "type": "long" + }, + "encrypted_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "engine_id": { + "type": "short" + }, + "engine_type": { + "type": "short" + }, + "ethernet_header_length": { + "type": "short" + }, + "ethernet_payload_length": { + "type": "long" + }, + "ethernet_total_length": { + "type": "long" + }, + "ethernet_type": { + "type": "long" + }, + "export_interface": { + "type": "long" + }, + "export_protocol_version": { + "type": "short" + }, + "export_sctp_stream_id": { + "type": "long" + }, + "export_transport_protocol": { + "type": "short" + }, + "exported_flow_record_total_count": { + "type": "long" + }, + "exported_message_total_count": { + "type": "long" + }, + "exported_octet_total_count": { + "type": "long" + }, + "exporter": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_id": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "uptime_millis": { + "type": "long" + }, + "version": { + "type": "long" + } + } + }, + "exporter_certificate": { + "type": "short" + }, + "exporter_ipv4_address": { + "type": "ip" + }, + "exporter_ipv6_address": { + "type": "ip" + }, + "exporter_transport_port": { + "type": "long" + }, + "exporting_process_id": { + 
"type": "long" + }, + "external_address_realm": { + "type": "short" + }, + "firewall_event": { + "type": "short" + }, + "flags_and_sampler_id": { + "type": "long" + }, + "flow_active_timeout": { + "type": "long" + }, + "flow_direction": { + "type": "short" + }, + "flow_duration_microseconds": { + "type": "long" + }, + "flow_duration_milliseconds": { + "type": "long" + }, + "flow_end_delta_microseconds": { + "type": "long" + }, + "flow_end_microseconds": { + "type": "date" + }, + "flow_end_milliseconds": { + "type": "date" + }, + "flow_end_nanoseconds": { + "type": "date" + }, + "flow_end_reason": { + "type": "short" + }, + "flow_end_seconds": { + "type": "date" + }, + "flow_end_sys_up_time": { + "type": "long" + }, + "flow_id": { + "type": "long" + }, + "flow_idle_timeout": { + "type": "long" + }, + "flow_key_indicator": { + "type": "long" + }, + "flow_label_ipv6": { + "type": "long" + }, + "flow_sampling_time_interval": { + "type": "long" + }, + "flow_sampling_time_spacing": { + "type": "long" + }, + "flow_selected_flow_delta_count": { + "type": "long" + }, + "flow_selected_octet_delta_count": { + "type": "long" + }, + "flow_selected_packet_delta_count": { + "type": "long" + }, + "flow_selector_algorithm": { + "type": "long" + }, + "flow_start_delta_microseconds": { + "type": "long" + }, + "flow_start_microseconds": { + "type": "date" + }, + "flow_start_milliseconds": { + "type": "date" + }, + "flow_start_nanoseconds": { + "type": "date" + }, + "flow_start_seconds": { + "type": "date" + }, + "flow_start_sys_up_time": { + "type": "long" + }, + "forwarding_status": { + "type": "short" + }, + "fragment_flags": { + "type": "short" + }, + "fragment_identification": { + "type": "long" + }, + "fragment_offset": { + "type": "long" + }, + "global_address_mapping_high_threshold": { + "type": "long" + }, + "gre_key": { + "type": "long" + }, + "hash_digest_output": { + "type": "boolean" + }, + "hash_flow_domain": { + "type": "long" + }, + "hash_initialiser_value": { + "type": 
"long" + }, + "hash_ip_payload_offset": { + "type": "long" + }, + "hash_ip_payload_size": { + "type": "long" + }, + "hash_output_range_max": { + "type": "long" + }, + "hash_output_range_min": { + "type": "long" + }, + "hash_selected_range_max": { + "type": "long" + }, + "hash_selected_range_min": { + "type": "long" + }, + "http_content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_message_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_reason_phrase": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_target": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_status_code": { + "type": "long" + }, + "http_user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code_ipv4": { + "type": "short" + }, + "icmp_code_ipv6": { + "type": "short" + }, + "icmp_type_code_ipv4": { + "type": "long" + }, + "icmp_type_code_ipv6": { + "type": "long" + }, + "icmp_type_ipv4": { + "type": "short" + }, + "icmp_type_ipv6": { + "type": "short" + }, + "igmp_type": { + "type": "short" + }, + "ignored_data_record_total_count": { + "type": "long" + }, + "ignored_layer2_frame_total_count": { + "type": "long" + }, + "ignored_layer2_octet_total_count": { + "type": "long" + }, + "ignored_octet_total_count": { + "type": "long" + }, + "ignored_packet_total_count": { + "type": "long" + }, + "information_element_data_type": { + "type": "short" + }, + "information_element_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "information_element_id": { + "type": "long" + }, + "information_element_index": { + "type": "long" + }, + "information_element_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "information_element_range_begin": { + "type": "long" + }, + "information_element_range_end": { + "type": "long" + }, + "information_element_semantics": { 
+ "type": "short" + }, + "information_element_units": { + "type": "long" + }, + "ingress_broadcast_packet_total_count": { + "type": "long" + }, + "ingress_interface": { + "type": "long" + }, + "ingress_interface_type": { + "type": "long" + }, + "ingress_multicast_packet_total_count": { + "type": "long" + }, + "ingress_physical_interface": { + "type": "long" + }, + "ingress_unicast_packet_total_count": { + "type": "long" + }, + "ingress_vrfid": { + "type": "long" + }, + "initiator_octets": { + "type": "long" + }, + "initiator_packets": { + "type": "long" + }, + "interface_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "intermediate_process_id": { + "type": "long" + }, + "internal_address_realm": { + "type": "short" + }, + "ip_class_of_service": { + "type": "short" + }, + "ip_diff_serv_code_point": { + "type": "short" + }, + "ip_header_length": { + "type": "short" + }, + "ip_header_packet_section": { + "type": "short" + }, + "ip_next_hop_ipv4_address": { + "type": "ip" + }, + "ip_next_hop_ipv6_address": { + "type": "ip" + }, + "ip_payload_length": { + "type": "long" + }, + "ip_payload_packet_section": { + "type": "short" + }, + "ip_precedence": { + "type": "short" + }, + "ip_sec_spi": { + "type": "long" + }, + "ip_total_length": { + "type": "long" + }, + "ip_ttl": { + "type": "short" + }, + "ip_version": { + "type": "short" + }, + "ipv4_ihl": { + "type": "short" + }, + "ipv4_options": { + "type": "long" + }, + "ipv4_router_sc": { + "type": "ip" + }, + "ipv6_extension_headers": { + "type": "long" + }, + "is_multicast": { + "type": "short" + }, + "layer2_frame_delta_count": { + "type": "long" + }, + "layer2_frame_total_count": { + "type": "long" + }, + "layer2_octet_delta_count": { + "type": "long" + }, + "layer2_octet_delta_sum_of_squares": { + "type": "long" + }, + "layer2_octet_total_count": { + "type": "long" + }, + "layer2_octet_total_sum_of_squares": { + "type": "long" + }, 
+ "layer2_segment_id": { + "type": "long" + }, + "layer2packet_section_data": { + "type": "short" + }, + "layer2packet_section_offset": { + "type": "long" + }, + "layer2packet_section_size": { + "type": "long" + }, + "line_card_id": { + "type": "long" + }, + "lower_ci_limit": { + "type": "double" + }, + "max_bib_entries": { + "type": "long" + }, + "max_entries_per_user": { + "type": "long" + }, + "max_export_seconds": { + "type": "date" + }, + "max_flow_end_microseconds": { + "type": "date" + }, + "max_flow_end_milliseconds": { + "type": "date" + }, + "max_flow_end_nanoseconds": { + "type": "date" + }, + "max_flow_end_seconds": { + "type": "date" + }, + "max_fragments_pending_reassembly": { + "type": "long" + }, + "max_session_entries": { + "type": "long" + }, + "max_subscribers": { + "type": "long" + }, + "maximum_ip_total_length": { + "type": "long" + }, + "maximum_layer2_total_length": { + "type": "long" + }, + "maximum_ttl": { + "type": "short" + }, + "message_md5_checksum": { + "type": "short" + }, + "message_scope": { + "type": "short" + }, + "metering_process_id": { + "type": "long" + }, + "metro_evc_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "metro_evc_type": { + "type": "short" + }, + "mib_capture_time_semantics": { + "type": "short" + }, + "mib_context_engine_id": { + "type": "short" + }, + "mib_context_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_index_indicator": { + "type": "long" + }, + "mib_module_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_identifier": { + "type": "short" + }, + "mib_object_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_syntax": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_value_bits": { + "type": "short" + }, + "mib_object_value_counter": { + "type": "long" + }, + "mib_object_value_gauge": { + "type": "long" + }, + "mib_object_value_integer": { + 
"type": "long" + }, + "mib_object_value_ip_address": { + "type": "ip" + }, + "mib_object_value_octet_string": { + "type": "short" + }, + "mib_object_value_oid": { + "type": "short" + }, + "mib_object_value_time_ticks": { + "type": "long" + }, + "mib_object_value_unsigned": { + "type": "long" + }, + "mib_sub_identifier": { + "type": "long" + }, + "min_export_seconds": { + "type": "date" + }, + "min_flow_start_microseconds": { + "type": "date" + }, + "min_flow_start_milliseconds": { + "type": "date" + }, + "min_flow_start_nanoseconds": { + "type": "date" + }, + "min_flow_start_seconds": { + "type": "date" + }, + "minimum_ip_total_length": { + "type": "long" + }, + "minimum_layer2_total_length": { + "type": "long" + }, + "minimum_ttl": { + "type": "short" + }, + "mobile_imsi": { + "ignore_above": 1024, + "type": "keyword" + }, + "mobile_msisdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitoring_interval_end_milli_seconds": { + "type": "date" + }, + "monitoring_interval_start_milli_seconds": { + "type": "date" + }, + "mpls_label_stack_depth": { + "type": "long" + }, + "mpls_label_stack_length": { + "type": "long" + }, + "mpls_label_stack_section": { + "type": "short" + }, + "mpls_label_stack_section10": { + "type": "short" + }, + "mpls_label_stack_section2": { + "type": "short" + }, + "mpls_label_stack_section3": { + "type": "short" + }, + "mpls_label_stack_section4": { + "type": "short" + }, + "mpls_label_stack_section5": { + "type": "short" + }, + "mpls_label_stack_section6": { + "type": "short" + }, + "mpls_label_stack_section7": { + "type": "short" + }, + "mpls_label_stack_section8": { + "type": "short" + }, + "mpls_label_stack_section9": { + "type": "short" + }, + "mpls_payload_length": { + "type": "long" + }, + "mpls_payload_packet_section": { + "type": "short" + }, + "mpls_top_label_exp": { + "type": "short" + }, + "mpls_top_label_ipv4_address": { + "type": "ip" + }, + "mpls_top_label_ipv6_address": { + "type": "ip" + }, + 
"mpls_top_label_prefix_length": { + "type": "short" + }, + "mpls_top_label_stack_section": { + "type": "short" + }, + "mpls_top_label_ttl": { + "type": "short" + }, + "mpls_top_label_type": { + "type": "short" + }, + "mpls_vpn_route_distinguisher": { + "type": "short" + }, + "multicast_replication_factor": { + "type": "long" + }, + "nat_event": { + "type": "short" + }, + "nat_instance_id": { + "type": "long" + }, + "nat_originating_address_realm": { + "type": "short" + }, + "nat_pool_id": { + "type": "long" + }, + "nat_pool_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_quota_exceeded_event": { + "type": "long" + }, + "nat_threshold_event": { + "type": "long" + }, + "nat_type": { + "type": "short" + }, + "new_connection_delta_count": { + "type": "long" + }, + "next_header_ipv6": { + "type": "short" + }, + "not_sent_flow_total_count": { + "type": "long" + }, + "not_sent_layer2_octet_total_count": { + "type": "long" + }, + "not_sent_octet_total_count": { + "type": "long" + }, + "not_sent_packet_total_count": { + "type": "long" + }, + "observation_domain_id": { + "type": "long" + }, + "observation_domain_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observation_point_id": { + "type": "long" + }, + "observation_point_type": { + "type": "short" + }, + "observation_time_microseconds": { + "type": "date" + }, + "observation_time_milliseconds": { + "type": "date" + }, + "observation_time_nanoseconds": { + "type": "date" + }, + "observation_time_seconds": { + "type": "date" + }, + "observed_flow_total_count": { + "type": "long" + }, + "octet_delta_count": { + "type": "long" + }, + "octet_delta_sum_of_squares": { + "type": "long" + }, + "octet_total_count": { + "type": "long" + }, + "octet_total_sum_of_squares": { + "type": "long" + }, + "opaque_octets": { + "type": "short" + }, + "original_exporter_ipv4_address": { + "type": "ip" + }, + "original_exporter_ipv6_address": { + "type": "ip" + }, + "original_flows_completed": { + "type": "long" + 
}, + "original_flows_initiated": { + "type": "long" + }, + "original_flows_present": { + "type": "long" + }, + "original_observation_domain_id": { + "type": "long" + }, + "p2p_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_delta_count": { + "type": "long" + }, + "packet_total_count": { + "type": "long" + }, + "padding_octets": { + "type": "short" + }, + "payload_length_ipv6": { + "type": "long" + }, + "port_id": { + "type": "long" + }, + "port_range_end": { + "type": "long" + }, + "port_range_num_ports": { + "type": "long" + }, + "port_range_start": { + "type": "long" + }, + "port_range_step_size": { + "type": "long" + }, + "post_destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "post_dot1q_customer_vlan_id": { + "type": "long" + }, + "post_dot1q_vlan_id": { + "type": "long" + }, + "post_ip_class_of_service": { + "type": "short" + }, + "post_ip_diff_serv_code_point": { + "type": "short" + }, + "post_ip_precedence": { + "type": "short" + }, + "post_layer2_octet_delta_count": { + "type": "long" + }, + "post_layer2_octet_total_count": { + "type": "long" + }, + "post_mcast_layer2_octet_delta_count": { + "type": "long" + }, + "post_mcast_layer2_octet_total_count": { + "type": "long" + }, + "post_mcast_octet_delta_count": { + "type": "long" + }, + "post_mcast_octet_total_count": { + "type": "long" + }, + "post_mcast_packet_delta_count": { + "type": "long" + }, + "post_mcast_packet_total_count": { + "type": "long" + }, + "post_mpls_top_label_exp": { + "type": "short" + }, + "post_napt_destination_transport_port": { + "type": "long" + }, + "post_napt_source_transport_port": { + "type": "long" + }, + "post_nat_destination_ipv4_address": { + "type": "ip" + }, + "post_nat_destination_ipv6_address": { + "type": "ip" + }, + "post_nat_source_ipv4_address": { + "type": "ip" + }, + "post_nat_source_ipv6_address": { + "type": "ip" + }, + "post_octet_delta_count": { + "type": "long" + }, + "post_octet_total_count": { + "type": 
"long" + }, + "post_packet_delta_count": { + "type": "long" + }, + "post_packet_total_count": { + "type": "long" + }, + "post_source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "post_vlan_id": { + "type": "long" + }, + "private_enterprise_number": { + "type": "long" + }, + "protocol_identifier": { + "type": "short" + }, + "pseudo_wire_control_word": { + "type": "long" + }, + "pseudo_wire_destination_ipv4_address": { + "type": "ip" + }, + "pseudo_wire_id": { + "type": "long" + }, + "pseudo_wire_type": { + "type": "long" + }, + "relative_error": { + "type": "double" + }, + "responder_octets": { + "type": "long" + }, + "responder_packets": { + "type": "long" + }, + "rfc3550_jitter_microseconds": { + "type": "long" + }, + "rfc3550_jitter_milliseconds": { + "type": "long" + }, + "rfc3550_jitter_nanoseconds": { + "type": "long" + }, + "rtp_sequence_number": { + "type": "long" + }, + "sampler_id": { + "type": "short" + }, + "sampler_mode": { + "type": "short" + }, + "sampler_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sampler_random_interval": { + "type": "long" + }, + "sampling_algorithm": { + "type": "short" + }, + "sampling_flow_interval": { + "type": "long" + }, + "sampling_flow_spacing": { + "type": "long" + }, + "sampling_interval": { + "type": "long" + }, + "sampling_packet_interval": { + "type": "long" + }, + "sampling_packet_space": { + "type": "long" + }, + "sampling_population": { + "type": "long" + }, + "sampling_probability": { + "type": "double" + }, + "sampling_size": { + "type": "long" + }, + "sampling_time_interval": { + "type": "long" + }, + "sampling_time_space": { + "type": "long" + }, + "section_exported_octets": { + "type": "long" + }, + "section_offset": { + "type": "long" + }, + "selection_sequence_id": { + "type": "long" + }, + "selector_algorithm": { + "type": "long" + }, + "selector_id": { + "type": "long" + }, + "selector_id_total_flows_observed": { + "type": "long" + }, + 
"selector_id_total_flows_selected": { + "type": "long" + }, + "selector_id_total_pkts_observed": { + "type": "long" + }, + "selector_id_total_pkts_selected": { + "type": "long" + }, + "selector_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_scope": { + "type": "short" + }, + "source_ipv4_address": { + "type": "ip" + }, + "source_ipv4_prefix": { + "type": "ip" + }, + "source_ipv4_prefix_length": { + "type": "short" + }, + "source_ipv6_address": { + "type": "ip" + }, + "source_ipv6_prefix": { + "type": "ip" + }, + "source_ipv6_prefix_length": { + "type": "short" + }, + "source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_transport_port": { + "type": "long" + }, + "source_transport_ports_limit": { + "type": "long" + }, + "src_traffic_index": { + "type": "long" + }, + "sta_ipv4_address": { + "type": "ip" + }, + "sta_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "system_init_time_milliseconds": { + "type": "date" + }, + "tcp_ack_total_count": { + "type": "long" + }, + "tcp_acknowledgement_number": { + "type": "long" + }, + "tcp_control_bits": { + "type": "long" + }, + "tcp_destination_port": { + "type": "long" + }, + "tcp_fin_total_count": { + "type": "long" + }, + "tcp_header_length": { + "type": "short" + }, + "tcp_options": { + "type": "long" + }, + "tcp_psh_total_count": { + "type": "long" + }, + "tcp_rst_total_count": { + "type": "long" + }, + "tcp_sequence_number": { + "type": "long" + }, + "tcp_source_port": { + "type": "long" + }, + "tcp_syn_total_count": { + "type": "long" + }, + "tcp_urg_total_count": { + "type": "long" + }, + "tcp_urgent_pointer": { + "type": "long" + }, + "tcp_window_scale": { + "type": "long" + }, + "tcp_window_size": { + "type": "long" + }, + "template_id": { + "type": "long" + }, + "total_length_ipv4": { + "type": "long" + }, + "transport_octet_delta_count": { + "type": "long" + }, + "transport_packet_delta_count": { + "type": "long" + }, + "tunnel_technology": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "udp_destination_port": { + "type": "long" + }, + "udp_message_length": { + "type": "long" + }, + "udp_source_port": { + "type": "long" + }, + "upper_ci_limit": { + "type": "double" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "value_distribution_method": { + "type": "short" + }, + "virtual_station_interface_id": { + "type": "short" + }, + "virtual_station_interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_station_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_station_uuid": { + "type": "short" + }, + "vlan_id": { + "type": "long" + }, + "vpn_identifier": { + "type": "short" + }, + "vr_fname": { + "ignore_above": 1024, + "type": "keyword" + }, + "wlan_channel_id": { + "type": "short" + }, + "wlan_ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "wtp_mac_address": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/suricata.json b/salt/elasticsearch/templates/component/ecs/newcomponents/suricata.json new file mode 100644 index 000000000..d824294e9 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/newcomponents/suricata.json 
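Review bot: The `netflow` object that opens this hunk enumerates the known information elements but leaves `dynamic` at its default, so any element an exporter sends that is not in the list (enterprise-specific elements in particular) is still mapped dynamically with a guessed type. Because exporters are remote devices, that makes the size of the index mapping depend on what they emit; if unmapped elements do not need to be searchable, `"netflow": { "dynamic": false, "properties": {` keeps them in `_source` without growing the mapping, and otherwise the `index.mapping.total_fields.limit` in the settings that pair with this component should be sized with that growth in mind. Whether the netflow ingest pipeline already drops unknown elements before indexing is not visible from this hunk.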
@@ -0,0 +1,850 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "suricata": { + "properties": { + "eve": { + "properties": { + "alert": { + "properties": { + "affected_product": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack_target": { + "ignore_above": 1024, + "type": "keyword" + }, + "capec_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + "cve": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v2_base": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v2_temporal": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v3_base": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v3_temporal": { + "ignore_above": 1024, + "type": "keyword" + }, + "cwe_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "deployment": { + "ignore_above": 1024, + "type": "keyword" + }, + "former_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "type": "long" + }, + "hostile": { + "ignore_above": 1024, + "type": "keyword" + }, + "infected": { + "ignore_above": 1024, + "type": "keyword" + }, + "malware": { + "ignore_above": 1024, + "type": "keyword" + }, + "metadata": { + "type": "flattened" + }, + "mitre_tool_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "performance_impact": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocols": { + "ignore_above": 1024, + "type": "keyword" + }, + "rev": { + "type": "long" + }, + "rule_source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sid": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"signature_id": { + "type": "long" + }, + "signature_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "updated_at": { + "type": "date" + } + } + }, + "app_proto_expected": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_orig": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_tc": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_ts": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns": { + "properties": { + "id": { + "type": "long" + }, + "rcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "rrname": { + "ignore_above": 1024, + "type": "keyword" + }, + "rrtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "tx_id": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileinfo": { + "properties": { + "gaps": { + "type": "boolean" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "stored": { + "type": "boolean" + }, + "tx_id": { + "type": "long" + } + } + }, + "flow": { + "properties": { + "age": { + "type": "long" + }, + "alerted": { + "type": "boolean" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flow_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "http": { + "properties": { + "http_content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"redirect": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "icmp_code": { + "type": "long" + }, + "icmp_type": { + "type": "long" + }, + "in_iface": { + "ignore_above": 1024, + "type": "keyword" + }, + "pcap_cnt": { + "type": "long" + }, + "smtp": { + "properties": { + "helo": { + "ignore_above": 1024, + "type": "keyword" + }, + "mail_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcpt_to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ssh": { + "properties": { + "client": { + "properties": { + "proto_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "proto_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "stats": { + "properties": { + "app_layer": { + "properties": { + "flow": { + "properties": { + "dcerpc_tcp": { + "type": "long" + }, + "dcerpc_udp": { + "type": "long" + }, + "dns_tcp": { + "type": "long" + }, + "dns_udp": { + "type": "long" + }, + "failed_tcp": { + "type": "long" + }, + "failed_udp": { + "type": "long" + }, + "ftp": { + "type": "long" + }, + "http": { + "type": "long" + }, + "imap": { + "type": "long" + }, + "msn": { + "type": "long" + }, + "smb": { + "type": "long" + }, + "smtp": { + "type": "long" + }, + "ssh": { + "type": "long" + }, + "tls": { + "type": "long" + } + } + }, + "tx": { + "properties": { + "dcerpc_tcp": { + "type": "long" + }, + "dcerpc_udp": { + "type": "long" + }, + "dns_tcp": { + "type": "long" + }, + "dns_udp": { + "type": "long" + }, + "ftp": { + "type": "long" + }, + "http": { + "type": "long" + }, + "smb": { + "type": "long" + }, + "smtp": { + "type": "long" + }, + "ssh": { + "type": "long" + }, + "tls": { + "type": "long" + } + } + } + } + }, + "capture": { + "properties": { + "kernel_drops": { + "type": "long" + }, + "kernel_ifdrops": { + "type": 
"long" + }, + "kernel_packets": { + "type": "long" + } + } + }, + "decoder": { + "properties": { + "avg_pkt_size": { + "type": "long" + }, + "bytes": { + "type": "long" + }, + "dce": { + "properties": { + "pkt_too_small": { + "type": "long" + } + } + }, + "erspan": { + "type": "long" + }, + "ethernet": { + "type": "long" + }, + "gre": { + "type": "long" + }, + "icmpv4": { + "type": "long" + }, + "icmpv6": { + "type": "long" + }, + "ieee8021ah": { + "type": "long" + }, + "invalid": { + "type": "long" + }, + "ipraw": { + "properties": { + "invalid_ip_version": { + "type": "long" + } + } + }, + "ipv4": { + "type": "long" + }, + "ipv4_in_ipv6": { + "type": "long" + }, + "ipv6": { + "type": "long" + }, + "ipv6_in_ipv6": { + "type": "long" + }, + "ltnull": { + "properties": { + "pkt_too_small": { + "type": "long" + }, + "unsupported_type": { + "type": "long" + } + } + }, + "max_pkt_size": { + "type": "long" + }, + "mpls": { + "type": "long" + }, + "null": { + "type": "long" + }, + "pkts": { + "type": "long" + }, + "ppp": { + "type": "long" + }, + "pppoe": { + "type": "long" + }, + "raw": { + "type": "long" + }, + "sctp": { + "type": "long" + }, + "sll": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "teredo": { + "type": "long" + }, + "udp": { + "type": "long" + }, + "vlan": { + "type": "long" + }, + "vlan_qinq": { + "type": "long" + } + } + }, + "defrag": { + "properties": { + "ipv4": { + "properties": { + "fragments": { + "type": "long" + }, + "reassembled": { + "type": "long" + }, + "timeouts": { + "type": "long" + } + } + }, + "ipv6": { + "properties": { + "fragments": { + "type": "long" + }, + "reassembled": { + "type": "long" + }, + "timeouts": { + "type": "long" + } + } + }, + "max_frag_hits": { + "type": "long" + } + } + }, + "detect": { + "properties": { + "alert": { + "type": "long" + } + } + }, + "dns": { + "properties": { + "memcap_global": { + "type": "long" + }, + "memcap_state": { + "type": "long" + }, + "memuse": { + "type": "long" + } + } + 
}, + "file_store": { + "properties": { + "open_files": { + "type": "long" + } + } + }, + "flow": { + "properties": { + "emerg_mode_entered": { + "type": "long" + }, + "emerg_mode_over": { + "type": "long" + }, + "icmpv4": { + "type": "long" + }, + "icmpv6": { + "type": "long" + }, + "memcap": { + "type": "long" + }, + "memuse": { + "type": "long" + }, + "spare": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "tcp_reuse": { + "type": "long" + }, + "udp": { + "type": "long" + } + } + }, + "flow_mgr": { + "properties": { + "bypassed_pruned": { + "type": "long" + }, + "closed_pruned": { + "type": "long" + }, + "est_pruned": { + "type": "long" + }, + "flows_checked": { + "type": "long" + }, + "flows_notimeout": { + "type": "long" + }, + "flows_removed": { + "type": "long" + }, + "flows_timeout": { + "type": "long" + }, + "flows_timeout_inuse": { + "type": "long" + }, + "new_pruned": { + "type": "long" + }, + "rows_busy": { + "type": "long" + }, + "rows_checked": { + "type": "long" + }, + "rows_empty": { + "type": "long" + }, + "rows_maxlen": { + "type": "long" + }, + "rows_skipped": { + "type": "long" + } + } + }, + "http": { + "properties": { + "memcap": { + "type": "long" + }, + "memuse": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "insert_data_normal_fail": { + "type": "long" + }, + "insert_data_overlap_fail": { + "type": "long" + }, + "insert_list_fail": { + "type": "long" + }, + "invalid_checksum": { + "type": "long" + }, + "memuse": { + "type": "long" + }, + "no_flow": { + "type": "long" + }, + "overlap": { + "type": "long" + }, + "overlap_diff_data": { + "type": "long" + }, + "pseudo": { + "type": "long" + }, + "pseudo_failed": { + "type": "long" + }, + "reassembly_gap": { + "type": "long" + }, + "reassembly_memuse": { + "type": "long" + }, + "rst": { + "type": "long" + }, + "segment_memcap_drop": { + "type": "long" + }, + "sessions": { + "type": "long" + }, + "ssn_memcap_drop": { + "type": "long" + }, + "stream_depth_reached": { + 
"type": "long" + }, + "syn": { + "type": "long" + }, + "synack": { + "type": "long" + } + } + }, + "uptime": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "ack": { + "type": "boolean" + }, + "fin": { + "type": "boolean" + }, + "psh": { + "type": "boolean" + }, + "rst": { + "type": "boolean" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "syn": { + "type": "boolean" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_tc": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_ts": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tls": { + "properties": { + "fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuerdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ja3s": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "notafter": { + "type": "date" + }, + "notbefore": { + "type": "date" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_resumed": { + "type": "boolean" + }, + "sni": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tx_id": { + "type": "long" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/zeek.json b/salt/elasticsearch/templates/component/ecs/newcomponents/zeek.json new file mode 100644 index 000000000..720199001 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/newcomponents/zeek.json 
@@ -0,0 +1,2279 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "zeek": { + "properties": { + "capture_loss": { + "properties": { + "acks": { + "type": "long" + }, + "gaps": { + "type": "long" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "percent_lost": { + "type": "double" + }, + "ts_delta": { + "type": "long" + } + } + }, + "connection": { + "properties": { + "history": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp": { + "properties": { + "code": { + "type": "long" + }, + "type": { + "type": "long" + } + } + }, + "inner_vlan": { + "type": "long" + }, + "local_orig": { + "type": "boolean" + }, + "local_resp": { + "type": "boolean" + }, + "missed_bytes": { + "type": "long" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "type": "long" + } + } + }, + "dce_rpc": { + "properties": { + "endpoint": { + "ignore_above": 1024, + "type": "keyword" + }, + "named_pipe": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "rtt": { + "type": "long" + } + } + }, + "dhcp": { + "properties": { + "address": { + "properties": { + "assigned": { + "type": "ip" + }, + "client": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "requested": { + "type": "ip" + }, + "server": { + "type": "ip" + } + } + }, + "client_fqdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "double" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "properties": { + "circuit": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "subscriber": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "lease_time": { + "type": "long" + }, + "msg": { + "properties": { + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "type": "ip" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "types": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "software": { + "properties": { + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dnp3": { + "properties": { + "function": { + "properties": { + "reply": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + } + } + }, + "dns": { + "properties": { + "AA": { + "type": "boolean" + }, + "RA": { + "type": "boolean" + }, + "RD": { + "type": "boolean" + }, + "TC": { + "type": "boolean" + }, + "TTLs": { + "type": "double" + }, + "answers": { + "ignore_above": 1024, + "type": "keyword" + }, + "qclass": { + "type": "long" + }, + "qclass_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "qtype": { + "type": "long" + }, + "qtype_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcode": { + "type": "long" + }, + "rcode_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rejected": { + "type": "boolean" + }, + "rtt": { + "type": "double" + }, + "saw_query": { + "type": "boolean" + }, + "saw_reply": { + "type": "boolean" + }, + "total_answers": { + "type": "long" + }, + "total_replies": { + "type": "long" + }, + "trans_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dpd": { + "properties": { + "analyzer": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_segment": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "files": { + "properties": 
{ + "analyzers": { + "ignore_above": 1024, + "type": "keyword" + }, + "depth": { + "type": "long" + }, + "duration": { + "type": "double" + }, + "entropy": { + "type": "double" + }, + "extracted": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_cutoff": { + "type": "boolean" + }, + "extracted_size": { + "type": "long" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_orig": { + "type": "boolean" + }, + "local_orig": { + "type": "boolean" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "missing_bytes": { + "type": "long" + }, + "overflow_bytes": { + "type": "long" + }, + "parent_fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "rx_host": { + "type": "ip" + }, + "seen_bytes": { + "type": "long" + }, + "session_ids": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "timedout": { + "type": "boolean" + }, + "total_bytes": { + "type": "long" + }, + "tx_host": { + "type": "ip" + } + } + }, + "ftp": { + "properties": { + "arg": { + "ignore_above": 1024, + "type": "keyword" + }, + "capture_password": { + "type": "boolean" + }, + "cmdarg": { + "properties": { + "arg": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "seq": { + "type": "long" + } + } + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "cwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "data_channel": { + "properties": { + "originating_host": { + "type": "ip" + }, + "passive": { + "type": "boolean" + }, + "response_host": { + "type": "ip" + }, + "response_port": { + "type": "long" + } + } + }, + "file": { + "properties": { + "fuid": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + }, + "last_auth_requested": { + "ignore_above": 1024, + "type": "keyword" + }, + "passive": { + "type": "boolean" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "pending_commands": { + "type": "long" + }, + "reply": { + "properties": { + "code": { + "type": "long" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "http": { + "properties": { + "captured_password": { + "type": "boolean" + }, + "client_header_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "info_code": { + "type": "long" + }, + "info_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_filenames": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_mime_depth": { + "type": "long" + }, + "orig_mime_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxied": { + "ignore_above": 1024, + "type": "keyword" + }, + "range_request": { + "type": "boolean" + }, + "resp_filenames": { + "ignore_above": 1024, + "type": "keyword" + }, + "resp_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "resp_mime_depth": { + "type": "long" + }, + "resp_mime_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "server_header_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "trans_depth": { + "type": "long" + } + } + }, + "intel": { + "properties": { + "file_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "fuid": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "matched": { + "ignore_above": 1024, + "type": "keyword" + }, + "seen": { + "properties": { + "conn": { + "ignore_above": 1024, + "type": "keyword" + }, + "f": { + "type": "object" + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "where": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sources": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "irc": { + "properties": { + "addl": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "dcc": { + "properties": { + "file": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "nick": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kerberos": { + "properties": { + "cert": { + "properties": { + "client": { + "properties": { + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "error": { + "properties": { + "code": { + "type": "long" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "forwardable": { + "type": "boolean" + }, + "renewable": { + "type": "boolean" + }, + "request_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "ignore_above": 1024, + "type": "keyword" + }, + "success": { + "type": "boolean" + }, + "ticket": { + "properties": { + "auth": { + "ignore_above": 1024, + "type": "keyword" + }, + "new": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "valid": { + "properties": { + "days": { + "type": "long" + }, + "from": { + "type": "date" + }, + "until": { + "type": "date" + } + } + } + } + }, + "modbus": { + "properties": { + "exception": { + "ignore_above": 1024, + "type": "keyword" + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + }, + "track_address": { + "type": "long" + } + } + }, + "mysql": { + "properties": { + "arg": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "response": { + "ignore_above": 1024, + "type": "keyword" + }, + "rows": { + "type": "long" + }, + "success": { + "type": "boolean" + } + } + }, + "notice": { + "properties": { + "actions": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped": { + "type": "boolean" + }, + "email_body_sections": { + "norms": false, + "type": "text" + }, + "email_delay_tokens": { + "ignore_above": 1024, + "type": "keyword" + }, + "false": { + "type": "long" + }, + "ffile": { + "properties": { + "total_bytes": { + "type": "long" + } + } + }, + "file": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_orig": { + "type": "boolean" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "missing_bytes": { + "type": "long" + }, + "overflow_bytes": { + "type": "long" + }, + "parent_id": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "seen_bytes": { + "type": "long" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "note": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_descr": { + "norms": false, + "type": "text" + }, + "peer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub": { + "ignore_above": 1024, + "type": "keyword" + }, + "suppress_for": { + "type": "double" + } + } + }, + "ntlm": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "properties": { + "name": { + "properties": { + "dns": { + "ignore_above": 1024, + "type": "keyword" + }, + "netbios": { + "ignore_above": 1024, + "type": "keyword" + }, + "tree": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "success": { + "type": "boolean" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ntp": { + "properties": { + "mode": { + "type": "long" + }, + "num_exts": { + "type": "long" + }, + "org_time": { + "type": "date" + }, + "poll": { + "type": "double" + }, + "precision": { + "type": "double" + }, + "rec_time": { + "type": "date" + }, + "ref_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ref_time": { + "type": "date" + }, + "root_delay": { + "type": "double" + }, + "root_disp": { + "type": "double" + }, + "stratum": { + "type": "long" + }, + "version": { + "type": "long" + }, + "xmt_time": { + "type": "date" + } + } + }, + "ocsp": { + "properties": { + "file_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"issuer": { + "properties": { + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "revoke": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "time": { + "type": "date" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "update": { + "properties": { + "next": { + "type": "date" + }, + "this": { + "type": "date" + } + } + } + } + }, + "pe": { + "properties": { + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "compile_time": { + "type": "date" + }, + "has_cert_table": { + "type": "boolean" + }, + "has_debug_data": { + "type": "boolean" + }, + "has_export_table": { + "type": "boolean" + }, + "has_import_table": { + "type": "boolean" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_64bit": { + "type": "boolean" + }, + "is_exe": { + "type": "boolean" + }, + "machine": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "ignore_above": 1024, + "type": "keyword" + }, + "section_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "subsystem": { + "ignore_above": 1024, + "type": "keyword" + }, + "uses_aslr": { + "type": "boolean" + }, + "uses_code_integrity": { + "type": "boolean" + }, + "uses_dep": { + "type": "boolean" + }, + "uses_seh": { + "type": "boolean" + } + } + }, + "radius": { + "properties": { + "connect_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "framed_addr": { + "type": "ip" + }, + "logged": { + "type": "boolean" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "reply_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rdp": { + "properties": { 
+ "cert": { + "properties": { + "count": { + "type": "long" + }, + "permanent": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "desktop": { + "properties": { + "color_depth": { + "ignore_above": 1024, + "type": "keyword" + }, + "height": { + "type": "long" + }, + "width": { + "type": "long" + } + } + }, + "done": { + "type": "boolean" + }, + "encryption": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "keyboard_layout": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl": { + "type": "boolean" + } + } + }, + "rfb": { + "properties": { + "auth": { + "properties": { + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "success": { + "type": "boolean" + } + } + }, + "desktop_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "height": { + "type": "long" + }, + "share_flag": { + "type": "boolean" + }, + "version": { + "properties": { + "client": { + "properties": { + "major": { + "ignore_above": 1024, + "type": "keyword" + }, + "minor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "major": { + "ignore_above": 1024, + "type": "keyword" + }, + "minor": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "width": { + "type": "long" + } + } + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature": { + "properties": { + "event_msg": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "host_count": { + "type": "long" + }, + "note": { + "ignore_above": 1024, + "type": "keyword" + }, + "sig_count": { + "type": "long" + }, + "sig_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sip": { + "properties": { + "call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "ignore_above": 1024, + "type": "keyword" + }, + "reply_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "properties": { + "body_length": { + "type": "long" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body_length": { + "type": "long" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sequence": { + "properties": { + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "status": { + "properties": { + "code": { + "type": "long" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_depth": { + "type": "long" + }, + "uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "warning": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smb_cmd": { + "properties": { + "argument": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": 
{ + "rx": { + "type": "ip" + }, + "tx": { + "type": "ip" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rtt": { + "type": "double" + }, + "smb1_offered_dialects": { + "ignore_above": 1024, + "type": "keyword" + }, + "smb2_offered_dialects": { + "type": "long" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_command": { + "ignore_above": 1024, + "type": "keyword" + }, + "tree": { + "ignore_above": 1024, + "type": "keyword" + }, + "tree_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smb_files": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "fid": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "previous_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "times": { + "properties": { + "accessed": { + "type": "date" + }, + "changed": { + "type": "date" + }, + "created": { + "type": "date" + }, + "modified": { + "type": "date" + } + } + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smb_mapping": { + "properties": { + "native_file_system": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "ignore_above": 1024, + "type": "keyword" + }, + "share_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smtp": { + "properties": { + "cc": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "type": "date" + }, + "first_received": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "fuids": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "has_client_activity": { + "type": "boolean" + }, + "helo": { + "ignore_above": 1024, + "type": "keyword" + }, + "in_reply_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_webmail": { + "type": "boolean" + }, + "last_reply": { + "ignore_above": 1024, + "type": "keyword" + }, + "mail_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "ip" + }, + "process_received_from": { + "type": "boolean" + }, + "rcpt_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "reply_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "second_received": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls": { + "type": "boolean" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_depth": { + "type": "long" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "x_originating_ip": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "snmp": { + "properties": { + "community": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_string": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "double" + }, + "get": { + "properties": { + "bulk_requests": { + "type": "long" + }, + "requests": { + "type": "long" + }, + "responses": { + "type": "long" + } + } + }, + "set": { + "properties": { + "requests": { + "type": "long" + } + } + }, + "up_since": { + "type": "date" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "socks": { + "properties": { + "bound": { + "properties": { + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + } + } + }, + "capture_password": { + "type": "boolean" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "properties": { + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { 
+ "type": "long" + } + } + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + } + } + }, + "ssh": { + "properties": { + "algorithm": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "compression": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "key_exchange": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "auth": { + "properties": { + "attempts": { + "type": "long" + }, + "success": { + "type": "boolean" + } + } + }, + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + } + } + }, + "ssl": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "cert_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_chain_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "last_alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "cert_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_chain_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "validation": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "stats": { + "properties": { + "bytes": { + "properties": { + "received": { + "type": "long" + } + } + }, + "connections": { + "properties": { + "icmp": { + 
"properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "udp": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + } + } + }, + "dns_requests": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "events": { + "properties": { + "processed": { + "type": "long" + }, + "queued": { + "type": "long" + } + } + }, + "files": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "memory": { + "type": "long" + }, + "packets": { + "properties": { + "dropped": { + "type": "long" + }, + "processed": { + "type": "long" + }, + "received": { + "type": "long" + } + } + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "reassembly_size": { + "properties": { + "file": { + "type": "long" + }, + "frag": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "unknown": { + "type": "long" + } + } + }, + "timers": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "timestamp_lag": { + "type": "long" + } + } + }, + "syslog": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tunnel": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "weird": { + "properties": { + "additional_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "notice": { + "type": "boolean" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, 
+ "x509": { + "properties": { + "basic_constraints": { + "properties": { + "certificate_authority": { + "type": "boolean" + }, + "path_length": { + "type": "long" + } + } + }, + "certificate": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "exponent": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "key": { + "properties": { + "algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "length": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "valid": { + "properties": { + "from": { + "type": "date" + }, + "until": { + "type": "date" + } + } + }, + "version": { + "type": "long" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_cert": { + "type": "boolean" + }, + "san": { + "properties": { + "dns": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + 
"ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ip": {
+ "type": "ip"
+ },
+ "other_fields": {
+ "type": "boolean"
+ },
+ "uri": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
From 1366e5288e554ddef46219b87e407e87bb14fa86 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Mon, 7 Feb 2022 19:54:23 +0000
Subject: [PATCH 30/40] Add mappings references for new component templates to index templates
---
 .../templates/index/so/so-elasticsearch-template.json.jinja | 1 +
 salt/elasticsearch/templates/index/so/so-ids-template.json.jinja | 1 +
 .../templates/index/so/so-kibana-template.json.jinja | 1 +
 .../templates/index/so/so-logstash-template.json.jinja | 1 +
 .../templates/index/so/so-netflow-template.json.jinja | 1 +
 .../elasticsearch/templates/index/so/so-zeek-template.json.jinja | 1 +
 6 files changed, 6 insertions(+)
diff --git a/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja b/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja
index ce6864398..62c9e1597 100644
--- a/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja
@@ -55,6 +55,7 @@
 "dtc-dns-mappings",
 "ecs-mappings",
 "dtc-ecs-mappings",
+ "elasticsearch-mappings",
 "error-mappings",
 "event-mappings",
 "dtc-event-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja b/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja
index 44c56645e..400567e3e 100644
--- a/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja
@@ -83,6 +83,7 @@
 "service-mappings",
 "dtc-service-mappings",
 "source-mappings",
+ "suricata-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
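Review bot: `"elasticsearch-mappings"` is added to what appears to be the index template's `composed_of` list, and the other five hunks do the same for `suricata-mappings`, `kibana-mappings`, `logstash-mappings`, `netflow-mappings` and `zeek-mappings`, but none of those component templates is created anywhere in this commit. Elasticsearch rejects an index template whose `composed_of` names a component template that does not exist at PUT time, so the state that loads these index templates has to apply the new component templates first; that ordering is not visible here and is worth confirming. The enclosing list starts outside each hunk.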
diff --git a/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja b/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja
index 446b0f715..670c934eb 100644
--- a/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja
@@ -65,6 +65,7 @@
 "dtc-host-mappings",
 "http-mappings",
 "dtc-http-mappings",
+ "kibana-mappings",
 "log-mappings",
 "network-mappings",
 "dtc-network-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja b/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja
index 983840f93..b9744a01e 100644
--- a/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja
@@ -66,6 +66,7 @@
 "http-mappings",
 "dtc-http-mappings",
 "log-mappings",
+ "logstash-mappings",
 "network-mappings",
 "dtc-network-mappings",
 "observer-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja b/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja
index 470e86977..e7d09abb7 100644
--- a/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja
@@ -66,6 +66,7 @@
 "http-mappings",
 "dtc-http-mappings",
 "log-mappings",
+ "netflow-mappings",
 "network-mappings",
 "dtc-network-mappings",
 "observer-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja b/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja
index a7a354936..35f842a9c 100644
--- a/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja
@@ -92,6 +92,7 @@
 "user-mappings",
 "dtc-user-mappings",
 "vulnerability-mappings",
+ "zeek-mappings",
 "common-settings",
 "common-dynamic-mappings"
 ],
From 5090854d4de8d66b488cfb2943716fbb1abc05c5 Mon Sep 17 00:00:00 2001 
From: Wes Lambert Date: Tue, 8 Feb 2022 03:03:55 +0000 Subject: [PATCH 31/40] Add additional component templates and index template references --- .../templates/component/ecs/aws.json | 570 ++++++ .../templates/component/ecs/azure.json | 604 ++++++ .../templates/component/ecs/cef.json | 772 ++++++++ .../templates/component/ecs/checkpoint.json | 1615 ++++++++++++++++ .../templates/component/ecs/cisco.json | 620 +++++++ .../templates/component/ecs/cyberark.json | 305 +++ .../templates/component/ecs/fortinet.json | 1627 +++++++++++++++++ .../templates/component/ecs/gcp.json | 267 +++ .../component/ecs/google_workspace.json | 750 ++++++++ .../templates/component/ecs/juniper.json | 378 ++++ .../templates/component/ecs/microsoft.json | 265 +++ .../templates/component/ecs/misp.json | 425 +++++ .../templates/component/ecs/o365.json | 445 +++++ .../templates/component/ecs/okta.json | 293 +++ .../templates/component/ecs/redis.json | 50 + .../templates/component/ecs/snyk.json | 147 ++ .../templates/component/ecs/sophos.json | 722 ++++++++ .../templates/component/ecs/syslog.json | 30 + .../index/so/so-aws-template.json.jinja | 1 + .../index/so/so-azure-template.json.jinja | 1 + .../index/so/so-cef-template.json.jinja | 1 + .../so/so-checkpoint-template.json.jinja | 1 + .../index/so/so-cisco-template.json.jinja | 1 + .../index/so/so-cyberark-template.json.jinja | 1 + .../index/so/so-fortinet-template.json.jinja | 1 + .../index/so/so-gcp-template.json.jinja | 1 + .../so-google_workspace-template.json.jinja | 1 + .../index/so/so-juniper-template.json.jinja | 1 + .../index/so/so-microsoft-template.json.jinja | 1 + .../index/so/so-misp-template.json.jinja | 1 + .../index/so/so-o365-template.json.jinja | 1 + .../index/so/so-okta-template.json.jinja | 1 + .../index/so/so-redis-template.json.jinja | 1 + .../index/so/so-snyk-template.json.jinja | 1 + .../index/so/so-sophos-template.json.jinja | 1 + .../index/so/so-syslog-template.json.jinja | 1 + 36 files changed, 9903 insertions(+) 
create mode 100644 salt/elasticsearch/templates/component/ecs/aws.json
create mode 100644 salt/elasticsearch/templates/component/ecs/azure.json
create mode 100644 salt/elasticsearch/templates/component/ecs/cef.json
create mode 100644 salt/elasticsearch/templates/component/ecs/checkpoint.json
create mode 100644 salt/elasticsearch/templates/component/ecs/cisco.json
create mode 100644 salt/elasticsearch/templates/component/ecs/cyberark.json
create mode 100644 salt/elasticsearch/templates/component/ecs/fortinet.json
create mode 100644 salt/elasticsearch/templates/component/ecs/gcp.json
create mode 100644 salt/elasticsearch/templates/component/ecs/google_workspace.json
create mode 100644 salt/elasticsearch/templates/component/ecs/juniper.json
create mode 100644 salt/elasticsearch/templates/component/ecs/microsoft.json
create mode 100644 salt/elasticsearch/templates/component/ecs/misp.json
create mode 100644 salt/elasticsearch/templates/component/ecs/o365.json
create mode 100644 salt/elasticsearch/templates/component/ecs/okta.json
create mode 100644 salt/elasticsearch/templates/component/ecs/redis.json
create mode 100644 salt/elasticsearch/templates/component/ecs/snyk.json
create mode 100644 salt/elasticsearch/templates/component/ecs/sophos.json
create mode 100644 salt/elasticsearch/templates/component/ecs/syslog.json
diff --git a/salt/elasticsearch/templates/component/ecs/aws.json b/salt/elasticsearch/templates/component/ecs/aws.json
new file mode 100644
index 000000000..ccea31e27
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/aws.json
@@ -0,0 +1,570 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "aws": { + "properties": { + "cloudtrail": { + "properties": { + "additional_eventdata": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "console_login": { + "properties": { + "additional_eventdata": { + "properties": { + "login_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "mfa_used": { + "type": "boolean" + }, + "mobile_version": { + "type": "boolean" + } + } + } + } + }, + "digest": { + "properties": { + "end_time": { + "type": "date" + }, + "log_files": { + "type": "nested" + }, + "newest_event_time": { + "type": "date" + }, + "oldest_event_time": { + "type": "date" + }, + "previous_hash_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "previous_s3_bucket": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "s3_bucket": { + "ignore_above": 1024, + "type": "keyword" + }, + "s3_object": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "start_time": { + "type": "date" + } + } + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "flattened": { + "properties": { + "additional_eventdata": { + "type": "flattened" + }, + "request_parameters": { + "type": "flattened" + }, + "response_elements": { + "type": "flattened" + }, + "service_event_details": { + 
"type": "flattened" + } + } + }, + "insight_details": { + "type": "flattened" + }, + "management_event": { + "ignore_above": 1024, + "type": "keyword" + }, + "read_only": { + "ignore_above": 1024, + "type": "keyword" + }, + "recipient_account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_parameters": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "resources": { + "properties": { + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response_elements": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "service_event_details": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "shared_event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_identity": { + "properties": { + "access_key_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "invoked_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_context": { + "properties": { + "creation_date": { + "type": "date" + }, + "mfa_authenticated": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_issuer": { + "properties": { + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpc_endpoint_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cloudwatch": { + "properties": { + 
"message": { + "norms": false, + "type": "text" + } + } + }, + "ec2": { + "properties": { + "ip_address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elb": { + "properties": { + "action_executed": { + "ignore_above": 1024, + "type": "keyword" + }, + "backend": { + "properties": { + "http": { + "properties": { + "response": { + "properties": { + "status_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "backend_processing_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "chosen_cert": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_time": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "error": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "incoming_tls_alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "listener": { + "ignore_above": 1024, + "type": "keyword" + }, + "matched_rule_priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "redirect_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_processing_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "response_processing_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "ssl_cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_group": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + } + } 
+ }, + "target_port": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_status_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls_handshake_time": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "tls_named_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "trace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "s3access": { + "properties": { + "authentication_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "bucket": { + "ignore_above": 1024, + "type": "keyword" + }, + "bucket_owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes_sent": { + "type": "long" + }, + "cipher_suite": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_header": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_status": { + "type": "long" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_size": { + "type": "long" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "requester": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_time": { + "type": "long" + }, + "turn_around_time": { + "type": "long" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpcflow": { + "properties": { + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + 
"ignore_above": 1024,
+ "type": "keyword"
+ },
+ "instance_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "interface_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "log_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pkt_dstaddr": {
+ "type": "ip"
+ },
+ "pkt_srcaddr": {
+ "type": "ip"
+ },
+ "subnet_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tcp_flags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tcp_flags_array": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vpc_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/ecs/azure.json b/salt/elasticsearch/templates/component/ecs/azure.json
new file mode 100644
index 000000000..5e1acaae5
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/azure.json
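Review bot: The `_meta` block at the top of aws.json points `documentation` at the ECS base-fields page and stamps `ecs_version` `1.12.2`, yet the fields declared here (`aws.cloudtrail`, `aws.elb`, `aws.s3access`, `aws.vpcflow`) are AWS integration fields rather than ECS base fields, and the identical block is copied into azure.json and cef.json in this commit. Either point `documentation` at the page that actually describes these fields (`"documentation": "<URL of the AWS fields reference>"`, placeholder) or drop the key, so the next maintainer is not sent to the wrong reference. Address-valued fields are also typed inconsistently: `aws.vpcflow.pkt_srcaddr`/`pkt_dstaddr` and `aws.s3access.remote_ip` use `"type": "ip"`, while `aws.ec2.ip_address` and `aws.elb.backend.ip` are `keyword`, so CIDR-style queries work on some of them and not others; if that mirrors the upstream definitions it is a deliberate choice to keep, otherwise `"type": "ip"` would be the consistent one. The MFA indicators are split the same way (`console_login.additional_eventdata.mfa_used` is `boolean`, `user_identity.session_context.mfa_authenticated` is `keyword`), which any detection rule covering both paths has to account for.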
@@ -0,0 +1,604 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "azure": { + "properties": { + "activitylogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "properties": { + "authorization": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "evidence": { + "properties": { + "principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "principal_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_assignment_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_assignment_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_definition_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scope": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "claims": { + "properties": { + "*": { + "type": "object" + } + } + }, + "claims_initiated_by_user": { + "properties": { + "fullname": { + "ignore_above": 1024, + "type": "keyword" + }, + "givenname": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "schema": { + "ignore_above": 1024, + "type": "keyword" + }, + "surname": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "type": "flattened" + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "auditlogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "operation_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "activity_datetime": { + "type": "date" + }, + "activity_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiated_by": { + "properties": { + "app": { + "properties": { + "appId": { + "ignore_above": 1024, + "type": "keyword" + }, + "displayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "servicePrincipalId": { + "ignore_above": 1024, + "type": "keyword" + }, + "servicePrincipalName": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "displayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "userPrincipalName": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "logged_by_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_resources": { + "properties": { + "*": { + "properties": { + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "modified_properties": { + "properties": { + "*": { + "properties": { + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "type": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "user_principal_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "consumer_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "enqueued_time": { + "type": "date" + }, + "eventhub": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + }, + "partition_id": { + "type": "long" + }, + "platformlogs": { + "properties": { + "ActivityId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Caller": { + "ignore_above": 1024, + "type": "keyword" + }, + "Cloud": { + "ignore_above": 1024, + "type": "keyword" + }, + "Environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventTimeString": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScaleUnit": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "ccpNamespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "type": "flattened" + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "authorization_rule": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "sequence_number": { + "type": "long" + }, + "signinlogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "app_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_processing_details": { + "type": "flattened" + }, + "authentication_requirement": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_requirement_policies": { + "ignore_above": 1024, + "type": "keyword" + }, + "autonomous_system_number": { + "type": "long" + }, + "client_app_used": { + "ignore_above": 1024, + "type": "keyword" + }, + "conditional_access_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + "cross_tenant_access_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_detail": { + "properties": { + "browser": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operating_system": { + "ignore_above": 1024, + "type": "keyword" + }, + "trust_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flagged_for_review": { + "type": "boolean" + }, + "home_tenant_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_interactive": { + "type": "boolean" + }, + "is_tenant_restricted": { + "type": "boolean" + }, + "original_request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "processing_time_ms": { + "type": "float" + }, + 
"resource_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_tenant_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_event_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_event_types_v2": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_level_aggregated": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_level_during_signin": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_principal_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sso_extension_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "properties": { + "error_code": { + "type": "long" + } + } + }, + "token_issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "token_issuer_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_principal_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "result_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subscription_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} 
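Review bot: Three mappings in azure.json declare a property literally named `*` — under `azure.activitylogs.identity.claims`, under `azure.auditlogs.properties.target_resources`, and under its nested `modified_properties`. As far as I can tell Elasticsearch treats `*` inside `properties` as an ordinary field name, not a wildcard, so real claim keys or element names under those paths will not pick up the declared sub-properties and fall through to dynamic mapping instead; this looks like a Beats `fields.yml` wildcard carried over verbatim and is worth confirming against a loaded index. If the intent is to accept arbitrary keys, the file already uses `flattened` for `activitylogs.properties`, so `"claims": { "type": "flattened" }` (or `"type": "object", "dynamic": true` where sub-field queries are needed) expresses that directly. The `_meta.documentation` URL in this file is the ECS base page, which does not describe these Azure fields.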
diff --git a/salt/elasticsearch/templates/component/ecs/cef.json b/salt/elasticsearch/templates/component/ecs/cef.json
new file mode 100644
index 000000000..376fbf26a
--- /dev/null
+++ b/salt/elasticsearch/templates/component/ecs/cef.json
@@ -0,0 +1,772 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "cef": { + "properties": { + "device": { + "properties": { + "event_class_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extensions": { + "properties": { + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentAddress": { + "type": "ip" + }, + "agentDnsDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentMacAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentNtDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentReceiptTime": { + "type": "date" + }, + "agentTimeZone": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentTranslatedAddress": { + "type": "ip" + }, + "agentTranslatedZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentTranslatedZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentType": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "applicationProtocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "baseEventCount": { + "type": "long" + }, + "bytesIn": { + "type": "long" + }, + "bytesOut": { + "type": "long" + }, + "categoryBehavior": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryDeviceGroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryDeviceType": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "categoryObject": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryOutcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "categorySignificance": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryTechnique": { + "ignore_above": 1024, + "type": "keyword" + }, + "cp_app_risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "cp_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "customerExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "customerURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationAddress": { + "type": "ip" + }, + "destinationDnsDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationGeoLatitude": { + "type": "double" + }, + "destinationGeoLongitude": { + "type": "double" + }, + "destinationHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationMacAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationNtDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationPort": { + "type": "long" + }, + "destinationProcessId": { + "type": "long" + }, + "destinationProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationTranslatedAddress": { + "type": "ip" + }, + "destinationTranslatedPort": { + "type": "long" + }, + "destinationTranslatedZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationTranslatedZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationUserPrivileges": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationZoneURI": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "deviceAction": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceAddress": { + "type": "ip" + }, + "deviceCustomDate1": { + "type": "date" + }, + "deviceCustomDate1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomDate2": { + "type": "date" + }, + "deviceCustomDate2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomFloatingPoint1": { + "type": "double" + }, + "deviceCustomFloatingPoint1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomFloatingPoint2": { + "type": "double" + }, + "deviceCustomFloatingPoint2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomFloatingPoint3": { + "type": "double" + }, + "deviceCustomFloatingPoint3Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomFloatingPoint4": { + "type": "double" + }, + "deviceCustomFloatingPoint4Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomIPv6Address1": { + "type": "ip" + }, + "deviceCustomIPv6Address1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomIPv6Address2": { + "type": "ip" + }, + "deviceCustomIPv6Address2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomIPv6Address3": { + "type": "ip" + }, + "deviceCustomIPv6Address3Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomIPv6Address4": { + "type": "ip" + }, + "deviceCustomIPv6Address4Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomNumber1": { + "type": "long" + }, + "deviceCustomNumber1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomNumber2": { + "type": "long" + }, + "deviceCustomNumber2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomNumber3": { + "type": "long" + }, + "deviceCustomNumber3Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString1": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"deviceCustomString1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString2": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString3": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString3Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString4": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString4Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString5": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString5Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString6": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString6Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceDirection": { + "type": "long" + }, + "deviceDnsDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceEventCategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceExternalId": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceFacility": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceFlexNumber1": { + "type": "long" + }, + "deviceFlexNumber1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceFlexNumber2": { + "type": "long" + }, + "deviceFlexNumber2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceInboundInterface": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceMacAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceNtDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceOutboundInterface": { + "ignore_above": 1024, + "type": "keyword" + }, + "devicePayloadId": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceProcessId": { + "type": "long" + }, + "deviceProcessName": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "deviceReceiptTime": { + "type": "date" + }, + "deviceTimeZone": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceTranslatedAddress": { + "type": "ip" + }, + "deviceTranslatedZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceTranslatedZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "endTime": { + "type": "date" + }, + "eventId": { + "type": "long" + }, + "eventOutcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "externalId": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileCreateTime": { + "type": "date" + }, + "fileHash": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileId": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileModificationTime": { + "type": "date" + }, + "filePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "filePermission": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileSize": { + "type": "long" + }, + "fileType": { + "ignore_above": 1024, + "type": "keyword" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexDate1": { + "type": "date" + }, + "flexDate1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexString1": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexString1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexString2": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexString2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "ifname": { + "ignore_above": 1024, + "type": "keyword" + }, + "inzone": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "logid": { + "ignore_above": 1024, + "type": "keyword" + }, + "loguid": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "managerReceiptTime": { + "type": "date" + }, + "match_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_addtnl_rulenum": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_rulenum": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFileCreateTime": { + "type": "date" + }, + "oldFileHash": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFileId": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFileModificationTime": { + "type": "date" + }, + "oldFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFilePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFilePermission": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFileSize": { + "type": "long" + }, + "oldFileType": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "ignore_above": 1024, + "type": "keyword" + }, + "originsicname": { + "ignore_above": 1024, + "type": "keyword" + }, + "outzone": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_rule": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "rawEvent": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestClientApplication": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestContext": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestCookies": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestMethod": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestUrl": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sequencenum": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceAddress": { + "type": "ip" + }, + "sourceDnsDomain": { + "ignore_above": 
1024, + "type": "keyword" + }, + "sourceGeoLatitude": { + "type": "double" + }, + "sourceGeoLongitude": { + "type": "double" + }, + "sourceHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceMacAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceNtDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourcePort": { + "type": "long" + }, + "sourceProcessId": { + "type": "long" + }, + "sourceProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceTranslatedAddress": { + "type": "ip" + }, + "sourceTranslatedPort": { + "type": "long" + }, + "sourceTranslatedZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceTranslatedZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceUserPrivileges": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "startTime": { + "type": "date" + }, + "transportProtocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "type": "long" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/checkpoint.json b/salt/elasticsearch/templates/component/ecs/checkpoint.json new file mode 100644 index 000000000..bb2f8f6de --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/checkpoint.json 
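Review bot: `rawEvent`, `requestUrl`, `requestCookies` and `requestContext` under `cef.extensions` are `keyword` with `ignore_above: 1024`, so any value longer than 1024 characters stays in `_source` but is not indexed and silently becomes unsearchable, and a full CEF line or a cookie header routinely exceeds that size. Raise the limit for those fields, e.g. `"rawEvent": { "ignore_above": <LIMIT_SIZED_FOR_FULL_CEF_LINES>, "type": "keyword" }` (the per-term Lucene ceiling is 32766 bytes), or add a searchable companion subfield, so detections keyed on the raw event or request fields do not miss exactly the oversized events. The `date`-typed fields (`agentReceiptTime`, `deviceReceiptTime`, `deviceCustomDate1`/`2`, `flexDate1`, `startTime`, `endTime`, `fileCreateTime`, `oldFileCreateTime`) carry no `format`, so they accept only the default ISO/epoch-millis forms; unless the pipeline feeding this index normalizes CEF timestamps first, events in other timestamp formats would be rejected at index time, which is a detection gap rather than a parse warning. `_meta.documentation` in this file and in checkpoint.json (next hunk) points at the ECS base page although neither the `cef.*` nor the `checkpoint.*` namespace is an ECS field set; point it at the field-list source these mappings were derived from so the next maintainer does not look for them in ECS.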
@@ -0,0 +1,1615 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "checkpoint": { + "properties": { + "action_reason": { + "type": "long" + }, + "action_reason_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "additional_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "additional_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "additional_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "allocated_ports": { + "type": "long" + }, + "analyzed_on": { + "ignore_above": 1024, + "type": "keyword" + }, + "answer_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "anti_virus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_id": { + "type": "long" + }, + "app_package": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_properties": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_repackaged": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_sid_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_sig_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "appi_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "arrival_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "attachments_num": { + "type": "long" + }, + "attack_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "audit_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "authority_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"authorization": { + "ignore_above": 1024, + "type": "keyword" + }, + "bcc": { + "ignore_above": 1024, + "type": "keyword" + }, + "blade_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "broker_publisher": { + "type": "ip" + }, + "browse_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "c_bytes": { + "type": "long" + }, + "calc_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "capacity": { + "type": "long" + }, + "capture_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cc": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_resource": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_validation": { + "ignore_above": 1024, + "type": "keyword" + }, + "cgnet": { + "ignore_above": 1024, + "type": "keyword" + }, + "chunk_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_type_os": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "community": { + "ignore_above": 1024, + "type": "keyword" + }, + "confidence_level": { + "type": "long" + }, + "connection_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "connectivity_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "connectivity_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "conns_amount": { + "type": "long" + }, + "content_disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_length": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_risk": { + "type": "long" + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_num": { + "type": "long" + }, + "cookie": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "cookieI": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookieR": { + "ignore_above": 1024, + "type": "keyword" + }, + "cp_message": { + "type": "long" + }, + "cvpn_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvpn_resource": { + "ignore_above": 1024, + "type": "keyword" + }, + "data_type_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dce-rpc_interface_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_object": { + "ignore_above": 1024, + "type": "keyword" + }, + "detected_on": { + "ignore_above": 1024, + "type": "keyword" + }, + "developer_certificate_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "diameter_app_ID": { + "type": "long" + }, + "diameter_cmd_code": { + "type": "long" + }, + "diameter_msg_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_action_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_additional_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_data_type_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_data_type_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_fingerprint_files_number": { + "type": "long" + }, + "dlp_fingerprint_long_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_fingerprint_short_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_incident_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_recipients": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_related_incident_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_relevant_data_types": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"dlp_repository_directories_number": { + "type": "long" + }, + "dlp_repository_files_number": { + "type": "long" + }, + "dlp_repository_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_repository_not_scanned_directories_percentage": { + "type": "long" + }, + "dlp_repository_reached_directories_number": { + "type": "long" + }, + "dlp_repository_root_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_repository_scan_progress": { + "type": "long" + }, + "dlp_repository_scanned_directories_number": { + "type": "long" + }, + "dlp_repository_scanned_files_number": { + "type": "long" + }, + "dlp_repository_scanned_total_size": { + "type": "long" + }, + "dlp_repository_skipped_files_number": { + "type": "long" + }, + "dlp_repository_total_size": { + "type": "long" + }, + "dlp_repository_unreachable_directories_number": { + "type": "long" + }, + "dlp_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_template_score": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_transint": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_violation_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_watermark_profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_word_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_query": { + "ignore_above": 1024, + "type": "keyword" + }, + "drop_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_verdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_incoming": { + "type": "long" + }, + "dropped_outgoing": { + "type": "long" + }, + "dropped_total": { + "type": "long" + }, + "drops_amount": { + "type": "long" + }, + 
"dst_country": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_phone_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstkeyid": { + "ignore_above": 1024, + "type": "keyword" + }, + "duplicate": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "ignore_above": 1024, + "type": "keyword" + }, + "elapsed": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_content": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_control": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_control_analysis": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_headers": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_queue_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_queue_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_recipients_num": { + "type": "long" + }, + "email_session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_spam_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_spool_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "emulated_on": { + "ignore_above": 1024, + "type": "keyword" + }, + "encryption_failure": { + "ignore_above": 1024, + "type": "keyword" + }, + "end_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "end_user_firewall_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_access_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_associated_policies": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_noncompliance_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_rule_action": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "esod_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_rule_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_scan_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_count": { + "type": "long" + }, + "expire_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_verdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_impact": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "files_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "first_hit_time": { + "type": "long" + }, + "frequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "fs-proto": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftp_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "fw_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "fw_subproduct": { + "ignore_above": 1024, + "type": "keyword" + }, + "hide_ip": { + "type": "ip" + }, + "hit": { + "type": "long" + }, + "host_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_location": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_server": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_inspection_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_inspection_rule_id": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "https_inspection_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_validation": { + "ignore_above": 1024, + "type": "keyword" + }, + "icap_more_info": { + "type": "long" + }, + "icap_server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "icap_server_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "icap_service_id": { + "type": "long" + }, + "icmp": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "long" + }, + "icmp_type": { + "type": "long" + }, + "id": { + "type": "long" + }, + "identity_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "ike": { + "ignore_above": 1024, + "type": "keyword" + }, + "ike_ids": { + "ignore_above": 1024, + "type": "keyword" + }, + "impacted_files": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "info": { + "ignore_above": 1024, + "type": "keyword" + }, + "information": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_item": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_settings_log": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed_products": { + "ignore_above": 1024, + "type": "keyword" + }, + "int_end": { + "type": "long" + }, + "int_start": { + "type": "long" + }, + "integrity_av_invoke_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"internal_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "invalid_file_size": { + "type": "long" + }, + "ip_option": { + "type": "long" + }, + "isp_link": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_hit_time": { + "type": "long" + }, + "last_rematch_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "limit_applied": { + "type": "long" + }, + "limit_requested": { + "type": "long" + }, + "link_probing_status_update": { + "ignore_above": 1024, + "type": "keyword" + }, + "links_num": { + "type": "long" + }, + "log_delay": { + "type": "long" + }, + "log_id": { + "type": "long" + }, + "logid": { + "ignore_above": 1024, + "type": "keyword" + }, + "long_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "ignore_above": 1024, + "type": "keyword" + }, + "malware_family": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_fk": { + "type": "long" + }, + "match_id": { + "type": "long" + }, + "matched_file": { + "ignore_above": 1024, + "type": "keyword" + }, + "matched_file_percentage": { + "type": "long" + }, + "matched_file_text_segments": { + "type": "long" + }, + "media_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_size": { + "type": "long" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "methods": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "mirror_and_decrypt_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_collection": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_command_and_control": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "mitre_credential_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_defense_evasion": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_discovery": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_exfiltration": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_impact": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_initial_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_lateral_movement": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_persistence": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_privilege_escalation": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitor_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat46": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_addtnl_rulenum": { + "type": "long" + }, + "nat_exhausted_pool": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_rulenum": { + "type": "long" + }, + "needs_browse_time": { + "type": "long" + }, + "next_hop_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "next_scheduled_scan_date": { + "ignore_above": 1024, + "type": "keyword" + }, + "number_of_errors": { + "type": "long" + }, + "objecttable": { + "ignore_above": 1024, + "type": "keyword" + }, + "objecttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "observable_comment": { + "ignore_above": 1024, + "type": "keyword" + }, + "observable_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "observable_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_sic_name": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "original_queue_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "outgoing_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_amount": { + "type": "long" + }, + "packet_capture_unique_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_file_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_file_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_process_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_rule": { + "type": "long" + }, + "peer_gateway": { + "type": "ip" + }, + "peer_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_ip_probing_status_update": { + "ignore_above": 1024, + "type": "keyword" + }, + "performance_impact": { + "type": "long" + }, + "policy_mgmt": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ports_usage": { + "type": "long" + }, + "ppp": { + "ignore_above": 1024, + "type": "keyword" + }, + "precise_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "process_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxy_machine_name": { + "type": "long" + }, + "proxy_src_ip": { + "type": "ip" + }, + "proxy_user_dn": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxy_user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "question_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"referrer_parent_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer_self_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_ip-phones": { + "ignore_above": 1024, + "type": "keyword" + }, + "reject_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "reject_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "rematch_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediated_files": { + "ignore_above": 1024, + "type": "keyword" + }, + "reply_status": { + "type": "long" + }, + "risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "rpc_prog": { + "type": "long" + }, + "rule": { + "type": "long" + }, + "rule_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "rulebase_id": { + "type": "long" + }, + "scan_direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "scan_hosts_day": { + "type": "long" + }, + "scan_hosts_hour": { + "type": "long" + }, + "scan_hosts_week": { + "type": "long" + }, + "scan_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scan_mail": { + "type": "long" + }, + "scan_result": { + "ignore_above": 1024, + "type": "keyword" + }, + "scan_results": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_activity": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_download_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_total_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrubbed_content": { + "ignore_above": 1024, + "type": "keyword" + }, + "sctp_association_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "sctp_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "scv_message_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "scv_user": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "securexl_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensor_mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "short_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "sig_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "similar_communication": { + "ignore_above": 1024, + "type": "keyword" + }, + "similar_hashes": { + "ignore_above": 1024, + "type": "keyword" + }, + "similar_strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "similiar_iocs": { + "ignore_above": 1024, + "type": "keyword" + }, + "sip_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "site_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_object": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_os": { + "ignore_above": 1024, + "type": "keyword" + }, + "special_properties": { + "type": "long" + }, + "specific_data_type_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "spyware_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "spyware_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "spyware_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_country": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_phone_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_user_dn": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "srckeyid": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_update": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_policy_name": { + "ignore_above": 
1024, + "type": "keyword" + }, + "sub_policy_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "subs_exp": { + "type": "date" + }, + "subscriber": { + "type": "ip" + }, + "summary": { + "ignore_above": 1024, + "type": "keyword" + }, + "suppressed_logs": { + "type": "long" + }, + "sync": { + "ignore_above": 1024, + "type": "keyword" + }, + "sys_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_end_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_packet_out_of_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "te_verdict_determined_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ticket_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls_server_host_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_archive_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_attachments": { + "type": "long" + }, + "triggered_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "unique_detected_day": { + "type": "long" + }, + "unique_detected_hour": { + "type": "long" + }, + "unique_detected_week": { + "type": "long" + }, + "update_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "verdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "via": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"virus_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_attach_action_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_attach_sz": { + "type": "long" + }, + "voip_call_dir": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_call_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_call_term_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_config": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_duration": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_est_codec": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_exp": { + "type": "long" + }, + "voip_from_user_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_log_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_media_codec": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_media_ipp": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_media_port": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_reason_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_reg_int": { + "type": "long" + }, + "voip_reg_ipp": { + "type": "long" + }, + "voip_reg_period": { + "type": "long" + }, + "voip_reg_server": { + "type": "ip" + }, + "voip_reg_user_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_reject_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_to_user_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpn_feature_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "watermark": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_server_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "word_list": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} 
diff --git a/salt/elasticsearch/templates/component/ecs/cisco.json b/salt/elasticsearch/templates/component/ecs/cisco.json new file mode 100644 index 000000000..3800b79fc --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/cisco.json 
@@ -0,0 +1,620 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "cisco": { + "properties": { + "amp": { + "properties": { + "bp_data": { + "type": "flattened" + }, + "cloud_ioc": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "short_description": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "properties": { + "arguments": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "computer": { + "properties": { + "active": { + "type": "boolean" + }, + "connector_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "external_ip": { + "type": "ip" + }, + "network_addresses": { + "type": "flattened" + } + } + }, + "connector_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "detection": { + "ignore_above": 1024, + "type": "keyword" + }, + "detection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event_type_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "archived_file": { + "properties": { + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "attack_details": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "attacked_module": { + "ignore_above": 1024, + "type": "keyword" + }, + "base_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicators": { + "type": "flattened" + }, + "suspicious_files": { + "ignore_above": 1024, 
+ "type": "keyword" + } + } + }, + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "disposition": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "group_guids": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_tactics": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_techniques": { + "ignore_above": 1024, + "type": "keyword" + }, + "network_info": { + "properties": { + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "nfm": { + "properties": { + "direction": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "parent": { + "properties": { + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "identify": { + "properties": { + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identity": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "related": { + "properties": { + "cve": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scan": { + "properties": { + "clean": { + "type": "boolean" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "malicious_detections": { + "type": "long" + }, + "scanned_files": { + "type": "long" + }, + "scanned_paths": { + "type": "long" + }, + "scanned_processes": { + "type": "long" + } + } + }, + "tactics": { + "type": "flattened" + }, + "techniques": { + "type": "flattened" + }, + "threat_hunting": { + "properties": { + "incident_end_time": { + "type": "date" + }, + "incident_hunt_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_report_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"incident_start_time": { + "type": "date" + }, + "incident_summary": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_title": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactics": { + "type": "flattened" + }, + "techniques": { + "type": "flattened" + } + } + }, + "timestamp_nanoseconds": { + "type": "date" + }, + "vulnerabilities": { + "type": "flattened" + } + } + }, + "asa": { + "properties": { + "assigned_ip": { + "type": "ip" + }, + "burst": { + "properties": { + "avg_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "configured_avg_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "configured_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "cumulative_count": { + "ignore_above": 1024, + "type": "keyword" + }, + "current_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "object": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line_arguments": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dap_records": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "short" + }, + "icmp_type": { + "type": "short" + }, + "mapped_destination_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_destination_ip": { + "type": "ip" + }, + "mapped_destination_port": { + "type": "long" + }, + "mapped_source_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_source_ip": { + "type": "ip" + }, + "mapped_source_port": { + "type": "long" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "privilege": 
{ + "properties": { + "new": { + "ignore_above": 1024, + "type": "keyword" + }, + "old": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "suffix": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_initiator": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "tunnel_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "webvpn": { + "properties": { + "group_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "ftd": { + "properties": { + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dap_records": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "short" + }, + "icmp_type": { + "type": "short" + }, + "mapped_destination_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_destination_ip": { + "type": "ip" + }, + "mapped_destination_port": { + "type": "long" + }, + "mapped_source_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_source_ip": { + "type": "ip" + }, + "mapped_source_port": { + "type": "long" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "security": { + "type": "object" + }, + "source_interface": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "source_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "suffix": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_initiator": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "webvpn": { + "properties": { + "group_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "ios": { + "properties": { + "access_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "umbrella": { + "properties": { + "amp_disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "amp_malware_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "amp_score": { + "ignore_above": 1024, + "type": "keyword" + }, + "av_detections": { + "ignore_above": 1024, + "type": "keyword" + }, + "blocked_categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "datacenter": { + "ignore_above": 1024, + "type": "keyword" + }, + "identities": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_identity_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "puas": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha_sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/cyberark.json b/salt/elasticsearch/templates/component/ecs/cyberark.json new file mode 100644 index 000000000..20e90f6ea --- /dev/null 
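Review bot: `cisco.amp.network_info.parent` declares both `identify.sha256` and `identity.md5`/`identity.sha1`, so the parent's SHA-256 lands under a differently spelled object than its MD5/SHA-1; this looks like a typo inherited from the upstream field list and should be either corrected or called out in `_meta` before queries and detection rules start depending on `cisco.amp.network_info.parent.identify.sha256`. `cisco.ftd.security` is mapped as a bare `"type": "object"` with no `properties`, so any subfields the source sends are mapped dynamically; whether that is acceptable depends on the dynamic setting of the base template, which is outside this hunk, and if the key set is unbounded `"type": "flattened"` (as already used for the `amp` sub-objects) keeps the mapping stable. The `_meta.documentation` link points at ecs-base.html although every field in this file is vendor-specific; cyberark.json and fortinet.json in this commit carry the same link and would benefit from the same correction.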
+++ b/salt/elasticsearch/templates/component/ecs/cyberark.json 
@@ -0,0 +1,305 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "cyberarkpas": { + "properties": { + "audit": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "ca_properties": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpm_disabled": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpm_error_details": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpm_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "customer": { + "ignore_above": 1024, + "type": "keyword" + }, + "database": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dual_account_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "group_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "in_process": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_fail_date": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_success_change": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_success_reconciliation": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_success_verification": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_task": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "other": { + "type": "flattened" + }, + "policy_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "ignore_above": 1024, + "type": "keyword" + }, + "privcloud": { + "ignore_above": 1024, + "type": "keyword" + }, + "reset_immediately": { + "ignore_above": 1024, + "type": "keyword" + }, + "retries_count": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "sequence_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_dn": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "extra_details": { + "properties": { + "ad_process_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ad_process_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_component_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "managed_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "other": { + "type": "flattened" + }, + "process_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "process_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "psmid": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_duration": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "gateway_station": { + "type": "ip" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "iso_timestamp": { + "type": "date" + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "doc_values": false, + "ignore_above": 
4096, + "index": false, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "pvwa_details": { + "type": "flattened" + }, + "raw": { + "doc_values": false, + "ignore_above": 4096, + "index": false, + "type": "keyword" + }, + "reason": { + "norms": false, + "type": "text" + }, + "rfc5424": { + "type": "boolean" + }, + "safe": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "station": { + "type": "ip" + }, + "target_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/fortinet.json b/salt/elasticsearch/templates/component/ecs/fortinet.json new file mode 100644 index 000000000..1f9b7496d --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/fortinet.json 
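Review bot: `cyberarkpas.audit.station` and `cyberarkpas.audit.gateway_station` are typed `ip`, which rejects the whole document when the source emits a non-IP value such as a hostname unless `ignore_malformed` is set in the base template, which is outside this hunk; if the vault can emit names in those fields, either add `"ignore_malformed": true` to both or map them as `keyword` like the other host-style fields in this file. `audit.timestamp` is a `keyword` while `audit.iso_timestamp` is a `date`, which is fine as long as `@timestamp` is derived from the latter — a short `_meta` note stating that intent would save the next maintainer a lookup.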
@@ -0,0 +1,1627 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "fortinet": { + "properties": { + "file": { + "properties": { + "hash": { + "properties": { + "crc32": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "firewall": { + "properties": { + "acct_stat": { + "ignore_above": 1024, + "type": "keyword" + }, + "acktime": { + "ignore_above": 1024, + "type": "keyword" + }, + "act": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity": { + "ignore_above": 1024, + "type": "keyword" + }, + "addr": { + "type": "ip" + }, + "addr_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "addrgrp": { + "ignore_above": 1024, + "type": "keyword" + }, + "adgroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "admin": { + "ignore_above": 1024, + "type": "keyword" + }, + "age": { + "type": "long" + }, + "agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "alarmid": { + "type": "long" + }, + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "analyticscksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "analyticssubmit": { + "ignore_above": 1024, + "type": "keyword" + }, + "ap": { + "ignore_above": 1024, + "type": "keyword" + }, + "app-type": { + "ignore_above": 1024, + "type": "keyword" + }, + "appact": { + "ignore_above": 1024, + "type": "keyword" + }, + "appid": { + "type": "long" + }, + "applist": { + "ignore_above": 1024, + "type": "keyword" + }, + "apprisk": { + "ignore_above": 1024, + "type": "keyword" + }, + "apscan": { + "ignore_above": 1024, + "type": "keyword" + }, + "apsn": { + "ignore_above": 1024, + "type": "keyword" + }, + "apstatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "aptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "assigned": { + "type": "ip" + }, + "assignip": { 
+ "type": "ip" + }, + "attachment": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack": { + "ignore_above": 1024, + "type": "keyword" + }, + "attackcontext": { + "ignore_above": 1024, + "type": "keyword" + }, + "attackcontextid": { + "ignore_above": 1024, + "type": "keyword" + }, + "attackid": { + "type": "long" + }, + "auditid": { + "type": "long" + }, + "auditscore": { + "ignore_above": 1024, + "type": "keyword" + }, + "audittime": { + "type": "long" + }, + "authgrp": { + "ignore_above": 1024, + "type": "keyword" + }, + "authid": { + "ignore_above": 1024, + "type": "keyword" + }, + "authproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "authserver": { + "ignore_above": 1024, + "type": "keyword" + }, + "bandwidth": { + "ignore_above": 1024, + "type": "keyword" + }, + "banned_rule": { + "ignore_above": 1024, + "type": "keyword" + }, + "banned_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "banword": { + "ignore_above": 1024, + "type": "keyword" + }, + "botnetdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "botnetip": { + "type": "ip" + }, + "bssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "carrier_ep": { + "ignore_above": 1024, + "type": "keyword" + }, + "cat": { + "type": "long" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cc": { + "ignore_above": 1024, + "type": "keyword" + }, + "cdrcontent": { + "ignore_above": 1024, + "type": "keyword" + }, + "centralnatid": { + "type": "long" + }, + "cert": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert-type": { + "ignore_above": 1024, + "type": "keyword" + }, + "certhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgattr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgobj": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgpath": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgtid": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "cfgtxpower": { + "type": "long" + }, + "channel": { + "type": "long" + }, + "channeltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "chassisid": { + "type": "long" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "chgheaders": { + "ignore_above": 1024, + "type": "keyword" + }, + "cldobjid": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_addr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "clouduser": { + "ignore_above": 1024, + "type": "keyword" + }, + "column": { + "type": "long" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "community": { + "ignore_above": 1024, + "type": "keyword" + }, + "configcountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "conserve": { + "ignore_above": 1024, + "type": "keyword" + }, + "constraint": { + "ignore_above": 1024, + "type": "keyword" + }, + "contentdisarmed": { + "ignore_above": 1024, + "type": "keyword" + }, + "contenttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookies": { + "ignore_above": 1024, + "type": "keyword" + }, + "count": { + "type": "long" + }, + "countapp": { + "type": "long" + }, + "countav": { + "type": "long" + }, + "countcifs": { + "type": "long" + }, + "countdlp": { + "type": "long" + }, + "countdns": { + "type": "long" + }, + "countemail": { + "type": "long" + }, + "countff": { + "type": "long" + }, + "countips": { + "type": "long" + }, + "countssh": { + "type": "long" + }, + "countssl": { + "type": "long" + }, + "countwaf": { + "type": "long" + }, + "countweb": { + "type": "long" + }, + "cpu": { + "type": "long" + }, + "craction": { + "type": "long" + }, + "criticalcount": { + "type": "long" + }, + "crl": { + "ignore_above": 1024, + "type": "keyword" + }, + "crlevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "crscore": { + "type": 
"long" + }, + "cveid": { + "ignore_above": 1024, + "type": "keyword" + }, + "daemon": { + "ignore_above": 1024, + "type": "keyword" + }, + "datarange": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "ignore_above": 1024, + "type": "keyword" + }, + "ddnsserver": { + "type": "ip" + }, + "desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "detectionmethod": { + "ignore_above": 1024, + "type": "keyword" + }, + "devcategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "devintfname": { + "ignore_above": 1024, + "type": "keyword" + }, + "devtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "dintf": { + "ignore_above": 1024, + "type": "keyword" + }, + "disk": { + "ignore_above": 1024, + "type": "keyword" + }, + "disklograte": { + "type": "long" + }, + "dlpextra": { + "ignore_above": 1024, + "type": "keyword" + }, + "docsource": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainctrlauthstate": { + "type": "long" + }, + "domainctrlauthtype": { + "type": "long" + }, + "domainctrldomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainctrlip": { + "type": "ip" + }, + "domainctrlname": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainctrlprotocoltype": { + "type": "long" + }, + "domainctrlusername": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainfilteridx": { + "type": "long" + }, + "domainfilterlist": { + "ignore_above": 1024, + "type": "keyword" + }, + "ds": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_int": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstcountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstdevcategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstdevtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstfamily": { + "ignore_above": 1024, + "type": "keyword" + }, + "dsthwvendor": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"dsthwversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstinetsvc": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstintfrole": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstosname": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstosversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstserver": { + "type": "long" + }, + "dstssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstswversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstunauthusersource": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstuuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "duid": { + "ignore_above": 1024, + "type": "keyword" + }, + "eapolcnt": { + "type": "long" + }, + "eapoltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "encrypt": { + "type": "long" + }, + "encryption": { + "ignore_above": 1024, + "type": "keyword" + }, + "epoch": { + "type": "long" + }, + "espauth": { + "ignore_above": 1024, + "type": "keyword" + }, + "esptransform": { + "ignore_above": 1024, + "type": "keyword" + }, + "eventtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "exch": { + "ignore_above": 1024, + "type": "keyword" + }, + "exchange": { + "ignore_above": 1024, + "type": "keyword" + }, + "expectedsignature": { + "ignore_above": 1024, + "type": "keyword" + }, + "expiry": { + "ignore_above": 1024, + "type": "keyword" + }, + "fams_pause": { + "type": "long" + }, + "fazlograte": { + "type": "long" + }, + "fctemssn": { + "ignore_above": 1024, + "type": "keyword" + }, + "fctuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "filefilter": { + "ignore_above": 1024, + "type": "keyword" + }, + "filehashsrc": { + "ignore_above": 1024, + "type": "keyword" + }, + "filtercat": { + "ignore_above": 1024, + "type": "keyword" + }, + "filteridx": { + "type": "long" + }, + "filtername": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"filtertype": { + "ignore_above": 1024, + "type": "keyword" + }, + "fortiguardresp": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwardedfor": { + "ignore_above": 1024, + "type": "keyword" + }, + "fqdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "frametype": { + "ignore_above": 1024, + "type": "keyword" + }, + "freediskstorage": { + "type": "long" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "from_vcluster": { + "type": "long" + }, + "fsaverdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "fwserver_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gateway": { + "type": "ip" + }, + "green": { + "ignore_above": 1024, + "type": "keyword" + }, + "groupid": { + "type": "long" + }, + "ha-prio": { + "type": "long" + }, + "ha_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "ha_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "handshake": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hbdn_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "highcount": { + "type": "long" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "iaid": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmpcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmpid": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "type": "long" + }, + "in_spi": { + "ignore_above": 1024, + "type": "keyword" + }, + "incidentserialno": { + "type": "long" + }, + "infected": { + "type": "long" + }, + "infectedfilelevel": { + "type": "long" + }, + "informationsource": { + "ignore_above": 1024, + "type": "keyword" + }, + "init": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiator": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "intf": { + "ignore_above": 
1024, + "type": "keyword" + }, + "invalidmac": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "iptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "keyword": { + "ignore_above": 1024, + "type": "keyword" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "lanin": { + "type": "long" + }, + "lanout": { + "type": "long" + }, + "lease": { + "type": "long" + }, + "license_limit": { + "ignore_above": 1024, + "type": "keyword" + }, + "limit": { + "type": "long" + }, + "line": { + "ignore_above": 1024, + "type": "keyword" + }, + "live": { + "type": "long" + }, + "local": { + "type": "ip" + }, + "log": { + "ignore_above": 1024, + "type": "keyword" + }, + "login": { + "ignore_above": 1024, + "type": "keyword" + }, + "lowcount": { + "type": "long" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "malform_data": { + "type": "long" + }, + "malform_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "manuf": { + "ignore_above": 1024, + "type": "keyword" + }, + "masterdstmac": { + "ignore_above": 1024, + "type": "keyword" + }, + "mastersrcmac": { + "ignore_above": 1024, + "type": "keyword" + }, + "mediumcount": { + "type": "long" + }, + "mem": { + "type": "long" + }, + "meshmode": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mgmtcnt": { + "type": "long" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitor-name": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitor-type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mpsk": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "netid": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "newchannel": { + "type": "long" + }, + "newchassisid": { + "type": "long" + }, + "newslot": { + "type": "long" + }, + "nextstat": { + "type": "long" + }, + "nf_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "noise": { + "type": "long" + }, + "old_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldchannel": { + "type": "long" + }, + "oldchassisid": { + "type": "long" + }, + "oldslot": { + "type": "long" + }, + "oldsn": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldwprof": { + "ignore_above": 1024, + "type": "keyword" + }, + "onwire": { + "ignore_above": 1024, + "type": "keyword" + }, + "opercountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "opertxpower": { + "type": "long" + }, + "osname": { + "ignore_above": 1024, + "type": "keyword" + }, + "osversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "out_spi": { + "ignore_above": 1024, + "type": "keyword" + }, + "outintf": { + "ignore_above": 1024, + "type": "keyword" + }, + "passedcount": { + "type": "long" + }, + "passwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_notif": { + "ignore_above": 1024, + "type": "keyword" + }, + "phase2_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "phone": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "policytype": { + "ignore_above": 1024, + "type": "keyword" + }, + "poolname": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "portbegin": { + "type": "long" + }, + "portend": { + "type": "long" 
+ }, + "probeproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "processtime": { + "type": "long" + }, + "profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile_vd": { + "ignore_above": 1024, + "type": "keyword" + }, + "profilegroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "profiletype": { + "ignore_above": 1024, + "type": "keyword" + }, + "qtypeval": { + "type": "long" + }, + "quarskip": { + "ignore_above": 1024, + "type": "keyword" + }, + "quotaexceeded": { + "ignore_above": 1024, + "type": "keyword" + }, + "quotamax": { + "type": "long" + }, + "quotatype": { + "ignore_above": 1024, + "type": "keyword" + }, + "quotaused": { + "type": "long" + }, + "radioband": { + "ignore_above": 1024, + "type": "keyword" + }, + "radioid": { + "type": "long" + }, + "radioidclosest": { + "type": "long" + }, + "radioiddetected": { + "type": "long" + }, + "rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "rawdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "rawdataid": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcvddelta": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "received": { + "type": "long" + }, + "receivedsignature": { + "ignore_above": 1024, + "type": "keyword" + }, + "red": { + "ignore_above": 1024, + "type": "keyword" + }, + "referralurl": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote": { + "type": "ip" + }, + "remotewtptime": { + "ignore_above": 1024, + "type": "keyword" + }, + "reporttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "reqtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "rssi": { + "type": "long" + }, + "rsso_key": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ruledata": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruletype": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanned": { + "type": "long" + }, + "scantime": { + "type": "long" + }, + "scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "security": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensitivity": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensor": { + "ignore_above": 1024, + "type": "keyword" + }, + "sentdelta": { + "ignore_above": 1024, + "type": "keyword" + }, + "seq": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "serialno": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "sessionid": { + "type": "long" + }, + "setuprate": { + "type": "long" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "shaperdroprcvdbyte": { + "type": "long" + }, + "shaperdropsentbyte": { + "type": "long" + }, + "shaperperipdropbyte": { + "type": "long" + }, + "shaperperipname": { + "ignore_above": 1024, + "type": "keyword" + }, + "shaperrcvdname": { + "ignore_above": 1024, + "type": "keyword" + }, + "shapersentname": { + "ignore_above": 1024, + "type": "keyword" + }, + "shapingpolicyid": { + "type": "long" + }, + "signal": { + "type": "long" + }, + "size": { + "type": "long" + }, + "slot": { + "type": "long" + }, + "sn": { + "ignore_above": 1024, + "type": "keyword" + }, + "snclosest": { + "ignore_above": 1024, + "type": "keyword" + }, + "sndetected": { + "ignore_above": 1024, + "type": "keyword" + }, + "snmeshparent": { + "ignore_above": 1024, + "type": "keyword" + }, + "spi": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_int": { + "ignore_above": 1024, + "type": "keyword" + }, + "srccountry": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"srcfamily": { + "ignore_above": 1024, + "type": "keyword" + }, + "srchwvendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "srchwversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcinetsvc": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcintfrole": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcname": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcserver": { + "type": "long" + }, + "srcssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcswversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcuuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sscname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sslaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssllocal": { + "ignore_above": 1024, + "type": "keyword" + }, + "sslremote": { + "ignore_above": 1024, + "type": "keyword" + }, + "stacount": { + "type": "long" + }, + "stage": { + "ignore_above": 1024, + "type": "keyword" + }, + "stamac": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "stitch": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "submodule": { + "ignore_above": 1024, + "type": "keyword" + }, + "subservice": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "suspicious": { + "type": "long" + }, + "switchproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "sync_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "sync_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "sysuptime": { + "ignore_above": 1024, + "type": "keyword" + }, + "tamac": { + "ignore_above": 1024, + "type": "keyword" + }, + "threattype": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "time": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + }, + "to_vcluster": { + "type": "long" + }, + "total": { + "type": "long" + }, + "totalsession": { + "type": "long" + }, + "trace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trandisp": { + "ignore_above": 1024, + "type": "keyword" + }, + "transid": { + "type": "long" + }, + "translationid": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "ignore_above": 1024, + "type": "keyword" + }, + "trueclntip": { + "type": "ip" + }, + "tunnelid": { + "type": "long" + }, + "tunnelip": { + "type": "ip" + }, + "tunneltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "ui": { + "ignore_above": 1024, + "type": "keyword" + }, + "unauthusersource": { + "ignore_above": 1024, + "type": "keyword" + }, + "unit": { + "type": "long" + }, + "urlfilteridx": { + "type": "long" + }, + "urlfilterlist": { + "ignore_above": 1024, + "type": "keyword" + }, + "urlsource": { + "ignore_above": 1024, + "type": "keyword" + }, + "urltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "used": { + "type": "long" + }, + "used_for_type": { + "type": "long" + }, + "utmaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "utmref": { + "ignore_above": 1024, + "type": "keyword" + }, + "vap": { + "ignore_above": 1024, + "type": "keyword" + }, + "vapmode": { + "ignore_above": 1024, + "type": "keyword" + }, + "vcluster": { + "type": "long" + }, + "vcluster_member": { + "type": "long" + }, + "vcluster_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "vd": { + "ignore_above": 1024, + "type": "keyword" + }, + "vdname": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendorurl": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "vip": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"virus": { + "ignore_above": 1024, + "type": "keyword" + }, + "virusid": { + "type": "long" + }, + "voip_proto": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpn": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpntunnel": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpntype": { + "ignore_above": 1024, + "type": "keyword" + }, + "vrf": { + "type": "long" + }, + "vulncat": { + "ignore_above": 1024, + "type": "keyword" + }, + "vulnid": { + "type": "long" + }, + "vulnname": { + "ignore_above": 1024, + "type": "keyword" + }, + "vwlid": { + "type": "long" + }, + "vwlquality": { + "ignore_above": 1024, + "type": "keyword" + }, + "vwlservice": { + "ignore_above": 1024, + "type": "keyword" + }, + "vwpvlanid": { + "type": "long" + }, + "wanin": { + "type": "long" + }, + "wanoptapptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "wanout": { + "type": "long" + }, + "weakwepiv": { + "ignore_above": 1024, + "type": "keyword" + }, + "xauthgroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "xauthuser": { + "ignore_above": 1024, + "type": "keyword" + }, + "xid": { + "type": "long" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/gcp.json b/salt/elasticsearch/templates/component/ecs/gcp.json new file mode 100644 index 000000000..5ac9dcbe4 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/gcp.json 
@@ -0,0 +1,267 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "gcp": { + "properties": { + "audit": { + "properties": { + "authentication_info": { + "properties": { + "authority_selector": { + "ignore_above": 1024, + "type": "keyword" + }, + "principal_email": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "method_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "num_response_items": { + "type": "long" + }, + "request": { + "properties": { + "filter": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "proto_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request_metadata": { + "properties": { + "caller_ip": { + "type": "ip" + }, + "caller_supplied_user_agent": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource_location": { + "properties": { + "current_locations": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "response": { + "properties": { + "details": { + "properties": { + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "proto_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "properties": { + "code": { + "type": "long" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + 
"properties": { + "instance": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpc": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "subnetwork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "firewall": { + "properties": { + "rule_details": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_range": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_range": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_service_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_service_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "source": { + "properties": { + "instance": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpc": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "subnetwork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "vpcflow": { + "properties": { + "reporter": { + "ignore_above": 1024, + "type": "keyword" + }, + "rtt": { + "properties": { + "ms": { + "type": "long" + } + } + } + } + } + } + } + } + } + } +} 
diff --git a/salt/elasticsearch/templates/component/ecs/google_workspace.json b/salt/elasticsearch/templates/component/ecs/google_workspace.json new file mode 100644 index 000000000..526bd9bb5 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/google_workspace.json 
@@ -0,0 +1,750 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "google_workspace": { + "properties": { + "actor": { + "properties": { + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "admin": { + "properties": { + "alert": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "api": { + "properties": { + "client": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scopes": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "application": { + "properties": { + "asp_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "edition": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "licences_order_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "licences_purchased": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "package_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bulk_upload": { + "properties": { + "failed": { + "type": "long" + }, + "total": { + "type": "long" + } + } + }, + "chrome_licenses": { + "properties": { + "allowed": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "chrome_os": { + "properties": { + "session_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "device": { + "properties": { + "command_details": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" 
+ } + } + }, + "distribution": { + "properties": { + "entity": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "domain": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "secondary_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "log_search_filter": { + "properties": { + "end_date": { + "type": "date" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "recipient": { + "properties": { + "ip": { + "type": "ip" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "ip": { + "type": "ip" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start_date": { + "type": "date" + } + } + }, + "quarantine_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email_dump": { + "properties": { + "include_deleted": { + "type": "boolean" + }, + "package_content": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email_monitor": { + "properties": { + "dest_email": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "properties": { + "chat": { + "ignore_above": 1024, + "type": "keyword" + }, + "draft": { + "ignore_above": 1024, + "type": "keyword" + }, + "incoming": { + "ignore_above": 1024, + "type": "keyword" + }, + "outgoing": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "gateway": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "allowed_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"priorities": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "info_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "managed_configuration": { + "ignore_above": 1024, + "type": "keyword" + }, + "mdm": { + "properties": { + "token": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mobile": { + "properties": { + "action": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "certificate": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "company_owned_devices": { + "type": "long" + } + } + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "non_featured_services_selection": { + "ignore_above": 1024, + "type": "keyword" + }, + "oauth2": { + "properties": { + "application": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "org_unit": { + "properties": { + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "print_server": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "printer": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "privilege": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sku": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + 
"id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "role": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "setting": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "birthdate": { + "type": "date" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "nickname": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_defined_setting": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "verification_method": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "drive": { + "properties": { + "added_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "billable": { + "type": "boolean" + }, + "destination_folder_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_folder_title": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "properties": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_shared_drive": { + "type": "boolean" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "membership_change_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "old_visibility": { + "ignore_above": 1024, + "type": "keyword" + }, + "originating_app_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "primary_event": { + "type": "boolean" + }, + "removed_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "shared_drive_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "shared_drive_settings_change_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "sheets_import_range_recipient_doc": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_folder_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_folder_title": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "visibility": { + "ignore_above": 1024, + "type": "keyword" + }, + "visibility_change": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "groups": { + "properties": { + "acl_permission": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "member": { + "properties": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "moderation_action": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "setting": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "login": { + "properties": { + 
"affected_email_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "challenge_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_second_factor": { + "type": "boolean" + }, + "is_suspicious": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saml": { + "properties": { + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiated_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "orgunit_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "second_level_status_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/juniper.json b/salt/elasticsearch/templates/component/ecs/juniper.json new file mode 100644 index 000000000..33a5f61d6 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/juniper.json 
@@ -0,0 +1,378 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "juniper": { + "properties": { + "srx": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "action_detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "apbr_rule_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_characteristics": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_sub_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_ip": { + "type": "ip" + }, + "connection_hit_rate": { + "type": "long" + }, + "connection_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_hit_rate": { + "type": "long" + }, + "context_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_value_hit_rate": { + "type": "long" + }, + "ddos_application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dscp_value": { + "type": "long" + }, + "dst_nat_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_nat_rule_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_vrf_grp": { + "ignore_above": 1024, + "type": "keyword" + }, + "elapsed_time": { + "type": "date" + }, + "encrypted": { + "ignore_above": 1024, + "type": "keyword" + }, + "epoch_time": { + "type": "date" + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"error_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "export_id": { + "type": "long" + }, + "feed_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_hash_lookup": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_type": { + "type": "long" + }, + "inbound_bytes": { + "type": "long" + }, + "inbound_packets": { + "type": "long" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "logical_system_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "malware_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_connection_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "nested_application": { + "ignore_above": 1024, + "type": "keyword" + }, + "obj": { + "ignore_above": 1024, + "type": "keyword" + }, + "occur_count": { + "type": "long" + }, + "outbound_bytes": { + "type": "long" + }, + "outbound_packets": { + "type": "long" + }, + "packet_log_id": { + "type": "long" + }, + "peer_destination_address": { + "type": "ip" + }, + "peer_destination_port": { + "type": "long" + }, + "peer_session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_source_address": { + "type": "ip" + }, + "peer_source_port": { + "type": "long" + }, + "policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "protocol_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "repeat_count": { + "type": "long" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "routing_instance": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleebase_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sample_sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "secure_web_proxy_session_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id_32": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_nat_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_nat_rule_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_vrf_grp": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "temporary_filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "th": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_count": { + "type": "long" + }, + "time_period": { + "type": "long" + }, + "time_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uplink_rx_bytes": { + "type": "long" + }, + "uplink_tx_bytes": { + "type": "long" + }, + "url": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + }, + "verdict_number": { + "type": "long" + }, + "verdict_source": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/microsoft.json b/salt/elasticsearch/templates/component/ecs/microsoft.json new file mode 100644 index 000000000..512b99c79 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/microsoft.json 
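Review bot: `juniper.srx.elapsed_time` is mapped as `date`, but on SRX session-close events that field is a session duration, so unless the ingest pipeline converts it before indexing the value is parsed as an epoch timestamp and duration-based detections (beaconing, long-lived sessions) cannot range-query it; `"elapsed_time": { "type": "long" }` would match the other counters in this mapping such as `inbound_bytes` and `time_period`. The `ip`-typed fields here (`client_ip`, `peer_source_address`, `peer_destination_address`) reject the whole document if the parser ever emits a hostname or an empty string, so consider `"ignore_malformed": true` on them so one bad field does not drop a security event. `ruleebase_name` looks like a typo for `rulebase_name`; if the pipeline emits the latter, the value falls back to dynamic mapping and never hits this definition.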
@@ -0,0 +1,265 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "microsoft": { + "properties": { + "defender_atp": { + "properties": { + "assignedTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "determination": { + "ignore_above": 1024, + "type": "keyword" + }, + "evidence": { + "properties": { + "aadUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "accountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "entityType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipAddress": { + "type": "ip" + }, + "userPrincipalName": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "incidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationState": { + "ignore_above": 1024, + "type": "keyword" + }, + "lastUpdateTime": { + "type": "date" + }, + "rbacGroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "resolvedTime": { + "type": "date" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "threatFamilyName": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "m365_defender": { + "properties": { + "alerts": { + "properties": { + "actorName": { + "ignore_above": 1024, + "type": "keyword" + }, + "assignedTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "creationTime": { + "type": "date" + }, + "detectionSource": { + "ignore_above": 1024, + "type": "keyword" + }, + "determination": { + "ignore_above": 1024, + "type": "keyword" + }, + "devices": { + "type": "flattened" + }, + "entities": { + "properties": { + "accountName": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "clusterBy": { + "ignore_above": 1024, + "type": "keyword" + }, + "deliveryAction": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceId": { + "ignore_above": 1024, + "type": "keyword" + }, + "entityType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "mailboxAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "mailboxDisplayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "recipient": { + "ignore_above": 1024, + "type": "keyword" + }, + "registryHive": { + "ignore_above": 1024, + "type": "keyword" + }, + "registryKey": { + "ignore_above": 1024, + "type": "keyword" + }, + "registryValueType": { + "ignore_above": 1024, + "type": "keyword" + }, + "securityGroupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "securityGroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sender": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "incidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationState": { + "ignore_above": 1024, + "type": "keyword" + }, + "lastUpdatedTime": { + "type": "date" + }, + "mitreTechniques": { + "ignore_above": 1024, + "type": "keyword" + }, + "resolvedTime": { + "type": "date" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "threatFamilyName": { + "ignore_above": 1024, + "type": "keyword" + }, + "userSid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "assignedTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "determination": { + "ignore_above": 1024, + "type": "keyword" + }, + "incidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "incidentName": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "investigationState": { + "ignore_above": 1024, + "type": "keyword" + }, + "redirectIncidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/misp.json b/salt/elasticsearch/templates/component/ecs/misp.json new file mode 100644 index 000000000..8150371ec --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/misp.json 
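Review bot: `microsoft.m365_defender.alerts.entities` is mapped as a plain `object`; if, as the plural name suggests, an alert carries several entities, Elasticsearch flattens their sub-fields into independent arrays and a query such as `entities.entityType:"Ip" AND entities.ipAddress:"10.0.0.5"` can match across two different entities, giving false positives in detection rules. Either map it as `"type": "nested"` (accepting the query cost) or document the cross-object matching limitation next to the field; the same applies to `defender_atp.evidence`. Separately, `defender_atp.evidence.ipAddress` is `ip` while `m365_defender.alerts.entities.ipAddress` is `keyword`, so CIDR filters work on one and not the other; pick one type for both.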
@@ -0,0 +1,425 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "misp": { + "properties": { + "attack_pattern": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "campaign": { + "properties": { + "aliases": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "first_seen": { + "type": "date" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "objective": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "course_of_action": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identity": { + "properties": { + "contact_information": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity_class": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sectors": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "intrusion_set": { + "properties": { + "aliases": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "first_seen": { + "type": "date" + }, + "goals": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen": { + "type": 
"date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "primary_motivation": { + "norms": false, + "type": "text" + }, + "resource_level": { + "norms": false, + "type": "text" + }, + "secondary_motivations": { + "norms": false, + "type": "text" + } + } + }, + "malware": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "note": { + "properties": { + "authors": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_refs": { + "ignore_above": 1024, + "type": "keyword" + }, + "summary": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "observed_data": { + "properties": { + "first_observed": { + "type": "date" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_observed": { + "type": "date" + }, + "number_observed": { + "type": "long" + }, + "objects": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "report": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_refs": { + "norms": false, + "type": "text" + }, + "published": { + "type": "date" + } + } + }, + "threat_actor": { + "properties": { + "aliases": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "goals": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"name": { + "ignore_above": 1024, + "type": "keyword" + }, + "personal_motivations": { + "norms": false, + "type": "text" + }, + "primary_motivation": { + "norms": false, + "type": "text" + }, + "resource_level": { + "norms": false, + "type": "text" + }, + "roles": { + "norms": false, + "type": "text" + }, + "secondary_motivations": { + "norms": false, + "type": "text" + }, + "sophistication": { + "norms": false, + "type": "text" + } + } + }, + "threat_indicator": { + "properties": { + "attack_pattern": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack_pattern_kql": { + "ignore_above": 1024, + "type": "keyword" + }, + "campaign": { + "ignore_above": 1024, + "type": "keyword" + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "norms": false, + "type": "text" + }, + "feed": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "intrusion_set": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_tactic": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_technique": { + "ignore_above": 1024, + "type": "keyword" + }, + "negate": { + "type": "boolean" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_actor": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "valid_from": { + "type": "date" + }, + "valid_until": { + "type": "date" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tool": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "norms": false, + "type": "text" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "tool_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/o365.json b/salt/elasticsearch/templates/component/ecs/o365.json new file mode 100644 index 000000000..d1bdb29b1 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/o365.json 
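Review bot: `misp.tool.kill_chain_phases` is mapped as `text` while `misp.attack_pattern.kill_chain_phases` and `misp.malware.kill_chain_phases` are `keyword`, and `misp.report.object_refs` is `text` while `misp.note.object_refs` is `keyword`; the `text` variants cannot be used in exact-match filters or terms aggregations, so a threat-intel pivot on a kill-chain phase or an object reference works for some MISP object types and silently not for others. Suggest `"kill_chain_phases": { "ignore_above": 1024, "type": "keyword" }` in `tool` and `"object_refs": { "ignore_above": 1024, "type": "keyword" }` in `report` so the same field name has the same type across the template.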
@@ -0,0 +1,445 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "o365": { + "properties": { + "audit": { + "properties": { + "AADGroupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorContextId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorIpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorYammerUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AlertEntityId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AlertId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AlertType": { + "ignore_above": 1024, + "type": "keyword" + }, + "AppId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ApplicationDisplayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ApplicationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AzureActiveDirectoryEventType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Category": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientAppId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientIP": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientIPAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientInfoString": { + "ignore_above": 1024, + "type": "keyword" + }, + "Comments": { + "norms": false, + "type": "text" + }, + "CommunicationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorrelationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "CustomUniqueId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Data": { + "ignore_above": 1024, + "type": "keyword" + }, + "DataType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DoNotDistributeEvent": { + "type": "boolean" + }, + "EntityType": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ErrorNumber": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventData": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventSource": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExceptionInfo": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ExchangeMetaData": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ExtendedProperties": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ExternalAccess": { + "ignore_above": 1024, + "type": "keyword" + }, + "FromApp": { + "type": "boolean" + }, + "GroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImplicitShare": { + "ignore_above": 1024, + "type": "keyword" + }, + "IncidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "InterSystemsId": { + "ignore_above": 1024, + "type": "keyword" + }, + "InternalLogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntraSystemId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IsDocLib": { + "type": "boolean" + }, + "Item": { + "properties": { + "*": { + "properties": { + "*": { + "type": "object" + } + }, + "type": "object" + } + } + }, + "ItemCount": { + "type": "long" + }, + "ItemName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ItemType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListBaseTemplateType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListBaseType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListColor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListIcon": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListItemUniqueId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListTitle": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonError": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "LogonUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxOwnerMasterAccountSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxOwnerSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxOwnerUPN": { + "ignore_above": 1024, + "type": "keyword" + }, + "Members": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ModifiedProperties": { + "properties": { + "*": { + "properties": { + "*": { + "type": "object" + } + } + } + } + }, + "Name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "OrganizationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OrganizationName": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginatingServer": { + "ignore_above": 1024, + "type": "keyword" + }, + "Parameters": { + "properties": { + "*": { + "type": "object" + } + } + }, + "PolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "RecordType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ResultStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "SensitiveInfoDetectionIsIncluded": { + "ignore_above": 1024, + "type": "keyword" + }, + "SessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "SharePointMetaData": { + "properties": { + "*": { + "type": "object" + } + } + }, + "Site": { + "ignore_above": 1024, + "type": "keyword" + }, + "SiteUrl": { + "ignore_above": 1024, + "type": "keyword" + }, + "Source": { + "ignore_above": 1024, + "type": "keyword" + }, + "SourceFileExtension": { + "ignore_above": 1024, + "type": "keyword" + }, + "SourceFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SourceRelativeUrl": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "SupportTicketId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetContextId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserOrGroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserOrGroupType": { + "ignore_above": 1024, + "type": "keyword" + }, + "TeamGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "TeamName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TemplateTypeId": { + "ignore_above": 1024, + "type": "keyword" + }, + "UniqueSharingId": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserAgent": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserKey": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "WebId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workload": { + "ignore_above": 1024, + "type": "keyword" + }, + "YammerNetworkId": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/okta.json b/salt/elasticsearch/templates/component/ecs/okta.json new file mode 100644 index 000000000..dcfaab1c2 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/okta.json 
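Review bot: `ExceptionInfo`, `ExchangeMetaData`, `ExtendedProperties`, `Parameters`, `SharePointMetaData`, `Members`, `ModifiedProperties` and `Item` are declared as `"properties": { "*": { "type": "object" } }`, which as far as I can tell Elasticsearch reads as a literal sub-field named `*` rather than a wildcard, leaving these objects to dynamic mapping; the keys under them come straight from the tenant's audit payload, so a burst of new parameter names can push the index past `index.mapping.total_fields.limit`, after which every further document is rejected and the audit log silently gaps. This patch already uses `"type": "flattened"` for `microsoft.m365_defender.alerts.devices` and `okta.target`; the same here, e.g. `"ExtendedProperties": { "type": "flattened" }`, keeps the values searchable as keywords without growing the mapping. If an index setting elsewhere already disables dynamic mapping for this pattern, that is not visible in this hunk.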
@@ -0,0 +1,293 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "okta": { + "properties": { + "actor": { + "properties": { + "alternate_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "authentication_context": { + "properties": { + "authentication_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_step": { + "type": "long" + }, + "credential_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "credential_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "external_session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user_agent": { + "properties": { + "browser": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_user_agent": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "debug_context": { + "properties": { + "debug_data": { + "properties": { + "device_fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "suspicious_activity": { + "properties": { + "browser": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_city": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_country": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_ip": { + "type": "ip" + }, + "event_latitude": { + "type": "float" + }, + "event_longitude": { + "type": "float" + }, + "event_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_transaction_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + } + } + }, + "threat_suspected": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "display_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "outcome": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "ip_chain": { + "properties": { + "geographical_context": { + "properties": { + "city": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "geolocation": { + "type": "geo_point" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "security_context": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_proxy": { + "type": "boolean" + }, + "isp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "target": { + "type": "flattened" + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/redis.json b/salt/elasticsearch/templates/component/ecs/redis.json new file mode 100644 index 000000000..925f55c62 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/redis.json @@ -0,0 +1,50 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "redis": { + "properties": { + "log": { + "properties": { + "role": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "properties": { + "us": { + "type": "long" + } + } + }, + "id": { + "type": "long" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/snyk.json b/salt/elasticsearch/templates/component/ecs/snyk.json new file mode 100644 index 000000000..ab0dcd2fb --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/snyk.json 
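Review bot: `okta.request.ip_chain` is mapped as a plain `object`; if, as its name suggests, this is the ordered list of proxy hops Okta reports per request, Elasticsearch flattens its sub-fields into independent arrays, so hop order is lost and a query like `ip_chain.ip:203.0.113.7 AND ip_chain.geographical_context.country:"XX"` can match across two different hops, which matters when a detection keys on the client-facing hop versus an upstream proxy. Either map it as `"type": "nested"` or document the limitation and rely on the scalar `okta.client.ip` (already `ip`-typed here) for the client address. Separately, `debug_context.debug_data.request_uri` and `url` use `ignore_above: 1024`, so a longer URI is stored but unsearchable; raising it, e.g. `"request_uri": { "ignore_above": 4096, "type": "keyword" }`, avoids losing long redirect and SAML URLs from search.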
@@ -0,0 +1,147 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "snyk": { + "properties": { + "audit": { + "properties": { + "content": { + "type": "flattened" + }, + "org_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "projecre_above": 1024, + "type": "keyword" + } + } + }, + "projects": { + "type": "flattened" + }, + "related": { + "properties": { + "projects": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerabilities": { + "properties": { + "credit": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss3": { + "ignore_above": 1024, + "type": "keyword" + }, + "disclosure_time": { + "type": "date" + }, + "exploit_maturity": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifiers": { + "properties": { + "alternative": { + "ignore_above": 1024, + "type": "keyword" + }, + "cwe": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "introduced_date": { + "type": "date" + }, + "is_fixed": { + "type": "boolean" + }, + "is_ignored": { + "type": "boolean" + }, + "is_patchable": { + "type": "boolean" + }, + "is_patched": { + "type": "boolean" + }, + "is_pinnable": { + "type": "boolean" + }, + "is_upgradable": { + "type": "boolean" + }, + "jira_issue_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_severity": { + "type": "long" + }, + "package": { + "ignore_above": 1024, + "type": "keyword" + }, + "package_manager": { + "ignore_above": 1024, + "type": "keyword" + }, + "patches": { + "type": "flattened" + }, + "priority_score": { + "type": "long" + }, + "publication_time": { + "type": "date" + }, + "reachability": { + "ignore_above": 1024, + "type": "keyword" + }, + "semver": { + "type": "flattened" + }, + "title": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "unique_severities_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/sophos.json b/salt/elasticsearch/templates/component/ecs/sophos.json new file mode 100644 index 000000000..a5606f962 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/sophos.json 
@@ -0,0 +1,722 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "sophos": { + "properties": { + "xg": { + "properties": { + "Configuration": { + "type": "float" + }, + "Mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "PHPSESSID": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reports": { + "type": "float" + }, + "Signature": { + "type": "float" + }, + "SysLog_SERVER_NAME": { + "ignore_above": 1024, + "type": "keyword" + }, + "Temp": { + "type": "float" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "activityname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ap": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_is_cloud": { + "ignore_above": 1024, + "type": "keyword" + }, + "appfilter_policy_id": { + "type": "long" + }, + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_filter_policy": { + "type": "long" + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "appresolvedby": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_client": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_mechanism": { + "ignore_above": 1024, + "type": "keyword" + }, + "av_policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "backup_mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "branch_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "category_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_host_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "client_physical_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "clients_conn_ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "collisions": { + "type": "long" + }, + "con_id": { + "type": "long" + }, + "conn_id": { + "type": "long" + }, + "connectionname": { + "ignore_above": 1024, + "type": "keyword" + }, + "connectiontype": { + "ignore_above": 1024, + "type": "keyword" + }, + "connevent": { + "ignore_above": 1024, + "type": "keyword" + }, + "connid": { + "ignore_above": 1024, + "type": "keyword" + }, + "contenttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_match": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_prefix": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_suffix": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "type": "date" + }, + "destinationip": { + "type": "ip" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dictionary_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dir_disp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainname": { + "ignore_above": 1024, + "type": "keyword" + }, + "download_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "download_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_country_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_domainname": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_ip": { + "type": "ip" + }, + "dst_port": { + "type": "long" + }, + "dstdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstzone": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstzonetype": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "email_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "ep_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "eventid": { + "ignore_above": 1024, + "type": "keyword" + }, + "eventtime": { + "type": "date" + }, + "eventtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "exceptions": { + "ignore_above": 1024, + "type": "keyword" + }, + "execution_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "extra": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_size": { + "type": "long" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "filepath": { + "ignore_above": 1024, + "type": "keyword" + }, + "filesize": { + "type": "long" + }, + "free": { + "type": "long" + }, + "from_email_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftp_direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftp_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftpcommand": { + "ignore_above": 1024, + "type": "keyword" + }, + "fw_rule_id": { + "type": "long" + }, + "hb_health": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "httpresponsecode": { + "type": "long" + }, + "iap": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "idle_cpu": { + "type": "float" + }, + "idp_policy_id": { + "type": "long" + }, + "idp_policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "in_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipaddress": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"ips_policy_id": { + "type": "long" + }, + "localgateway": { + "ignore_above": 1024, + "type": "keyword" + }, + "localnetwork": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_component": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "login_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "mailid": { + "ignore_above": 1024, + "type": "keyword" + }, + "mailsize": { + "type": "long" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "newversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "out_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "override_authorizer": { + "ignore_above": 1024, + "type": "keyword" + }, + "override_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "override_token": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "quarantine": { + "ignore_above": 1024, + "type": "keyword" + }, + "quarantine_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "querystring": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "received_pkts": { + "type": "long" + }, + "receiveddrops": { + "type": "long" + }, + "receivederrors": { + "ignore_above": 1024, + "type": "keyword" + }, + "receivedkbits": { + "type": "long" + }, + "recv_bytes": { + "type": "long" 
+ }, + "red_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "referer": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "remotenetwork": { + "ignore_above": 1024, + "type": "keyword" + }, + "responsetime": { + "type": "long" + }, + "rule_priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "sent_bytes": { + "type": "long" + }, + "sent_pkts": { + "type": "long" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "sessionid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1sum": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "site_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceip": { + "type": "ip" + }, + "spamaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "sqli": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_country_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_domainname": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_ip": { + "type": "ip" + }, + "src_mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_port": { + "type": "long" + }, + "srczone": { + "ignore_above": 1024, + "type": "keyword" + }, + "srczonetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "start_time": { + "type": "date" + }, + "starttime": { + "type": "date" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "system_cpu": { + "type": "float" + }, + "target": { + "ignore_above": 1024, + "type": "keyword" + }, + "threatname": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + 
"type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "to_email_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_memory": { + "type": "long" + }, + "trans_dst_ip": { + "type": "ip" + }, + "trans_dst_port": { + "type": "long" + }, + "trans_src_ip": { + "type": "ip" + }, + "trans_src_port": { + "type": "long" + }, + "transaction_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "transactionid": { + "ignore_above": 1024, + "type": "keyword" + }, + "transmitteddrops": { + "type": "long" + }, + "transmittederrors": { + "ignore_above": 1024, + "type": "keyword" + }, + "transmittedkbits": { + "type": "long" + }, + "unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "updatedip": { + "type": "ip" + }, + "upload_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "upload_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "used": { + "type": "long" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_cpu": { + "type": "float" + }, + "user_gp": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "users": { + "ignore_above": 1024, + "type": "keyword" + }, + "vconn_id": { + "type": "long" + }, + "virus": { + "ignore_above": 1024, + "type": "keyword" + }, + "website": { + "ignore_above": 1024, + "type": "keyword" + }, + "xss": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/syslog.json b/salt/elasticsearch/templates/component/ecs/syslog.json new file mode 100644 index 000000000..c886589e9 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/syslog.json 
@@ -0,0 +1,30 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "syslog": { + "properties": { + "facility": { + "type": "long" + }, + "facility_label": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "severity_label": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja index 09e61fa8a..9751fb0f3 100644 --- a/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja @@ -43,6 +43,7 @@ "composed_of": [ "agent-mappings", "dtc-agent-mappings", + "aws-mappings", "base-mappings", "dtc-base-mappings", "client-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja index 366acb167..f663e0b82 100644 --- a/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja @@ -43,6 +43,7 @@ "composed_of": [ "agent-mappings", "dtc-agent-mappings", + "azure-mappings", "base-mappings", "dtc-base-mappings", "client-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja index c47d36875..84e175a88 100644 --- a/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja @@ -45,6 +45,7 @@ "dtc-agent-mappings", "base-mappings", "dtc-base-mappings", + "cef-mappings", "client-mappings", "cloud-mappings", "container-mappings", 
diff --git a/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja
index 458c675ac..ee76932d4 100644
--- a/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja
@@ -45,6 +45,7 @@
 "dtc-agent-mappings",
 "base-mappings",
 "dtc-base-mappings",
+ "checkpoint-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja
index b506026f8..6b8396815 100644
--- a/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja
@@ -46,6 +46,7 @@
 "dtc-agent-mappings",
 "base-mappings",
 "dtc-base-mappings",
+ "cisco-mappings",
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja
index d0e2802e5..6644f274b 100644
--- a/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja
@@ -48,6 +48,7 @@
 "client-mappings",
 "cloud-mappings",
 "container-mappings",
+ "cyberark-mappings",
 "data_stream-mappings",
 "destination-mappings",
 "dll-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja
index 00fa7be2a..d04193d31 100644
--- a/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja
@@ -60,6 +60,7 @@
 "dtc-event-mappings",
 "file-mappings",
 "dtc-file-mappings",
+ "fortinet-mappings",
 "group-mappings",
 "host-mappings",
 "dtc-host-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja
index aa964a52d..78a39f158 100644
--- a/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja
@@ -60,6 +60,7 @@
 "dtc-event-mappings",
 "file-mappings",
 "dtc-file-mappings",
+ "gcp-mappings",
 "group-mappings",
 "host-mappings",
 "dtc-host-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja
index 5816a94f3..1aa207d57 100644
--- a/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja
@@ -60,6 +60,7 @@
 "dtc-event-mappings",
 "file-mappings",
 "dtc-file-mappings",
+ "google_workspace-mappings",
 "group-mappings",
 "host-mappings",
 "dtc-host-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja
index 1f2eca87c..a1aaa5cd0 100644
--- a/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja
@@ -65,6 +65,7 @@
 "dtc-host-mappings",
 "http-mappings",
 "dtc-http-mappings",
+ "juniper-mappings",
 "log-mappings",
 "network-mappings",
 "dtc-network-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja
index 6105b1e00..d0b7d2cbb 100644
--- a/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja
@@ -66,6 +66,7 @@
 "http-mappings",
 "dtc-http-mappings",
 "log-mappings",
+ "microsoft-mappings",
 "network-mappings",
 "dtc-network-mappings",
 "observer-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja
index a2b2a0d63..046ffa6e7 100644
--- a/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja
@@ -66,6 +66,7 @@
 "http-mappings",
 "dtc-http-mappings",
 "log-mappings",
+ "misp-mappings",
 "network-mappings",
 "dtc-network-mappings",
 "observer-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja
index c34cbbd37..da688ea75 100644
--- a/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja
@@ -68,6 +68,7 @@
 "log-mappings",
 "network-mappings",
 "dtc-network-mappings",
+ "o365-mappings",
 "observer-mappings",
 "dtc-observer-mappings",
 "orchestrator-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja
index e45a664d9..26488c4b2 100644
--- a/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja
@@ -70,6 +70,7 @@
 "dtc-network-mappings",
 "observer-mappings",
 "dtc-observer-mappings",
+ "okta-mappings",
 "orchestrator-mappings",
 "organization-mappings",
 "package-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja
index 8eb44cb87..8cf1a3777 100644
--- a/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja
@@ -77,6 +77,7 @@
 "dtc-process-mappings",
 "registry-mappings",
 "related-mappings",
+ "redis-mappings",
 "rule-mappings",
 "dtc-rule-mappings",
 "server-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja
index c22a6d9bd..42cff57ce 100644
--- a/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja
@@ -82,6 +82,7 @@
 "server-mappings",
 "service-mappings",
 "dtc-service-mappings",
+ "snyk-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja
index 1eda879fb..c8c95f178 100644
--- a/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja
@@ -82,6 +82,7 @@
 "server-mappings",
 "service-mappings",
 "dtc-service-mappings",
+ "sophos-mappings",
 "source-mappings",
 "threat-mappings",
 "tls-mappings",
diff --git a/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja
index af609836e..41215e262 100644
--- a/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja
@@ -83,6 +83,7 @@
 "service-mappings",
 "dtc-service-mappings",
 "source-mappings",
+ "syslog-mappings",
 "threat-mappings",
 "tls-mappings",
 "tracing-mappings",
From 2dd5db15b66b2266a62eea98f952c7ca88728776 Mon Sep 17 00:00:00 2001
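Review bot: `"snyk-mappings"` is added to `composed_of` in so-snyk-template here, but PATCH 34/40 later in this series deletes `salt/elasticsearch/templates/component/ecs/snyk.json` (the component that would be loaded under that name) without touching this index template. Elasticsearch refuses to store an index template whose `composed_of` names a component template that does not exist, so `so-snyk-template` will fail to load unless one of the patches not visible here (35–40) drops the reference. The reference should go in the same commit that removes the component, i.e. delete the `"snyk-mappings",` line, or the component should stay. More generally, every name added to these lists in PATCH 01 has to be PUT as a component template before the index templates are applied; whether `init.sls` orders it that way is not visible on this page.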
From: Wes Lambert
Date: Tue, 8 Feb 2022 03:40:42 +0000
Subject: [PATCH 32/40] Add component and index template listing scripts
---
 .../so-elasticsearch-component-templates-list | 23 +++++++++++++++++++
 .../so-elasticsearch-index-templates-list | 23 +++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100755 salt/common/tools/sbin/so-elasticsearch-component-templates-list
 create mode 100755 salt/common/tools/sbin/so-elasticsearch-index-templates-list
diff --git a/salt/common/tools/sbin/so-elasticsearch-component-templates-list b/salt/common/tools/sbin/so-elasticsearch-component-templates-list
new file mode 100755
index 000000000..69deb1873
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-component-templates-list
@@ -0,0 +1,23 @@
+#!/bin/bash
+#
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+. /usr/sbin/so-common
+if [ "$1" == "" ]; then
+ {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort
+else
+ {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template/$1 | jq
+fi
diff --git a/salt/common/tools/sbin/so-elasticsearch-index-templates-list b/salt/common/tools/sbin/so-elasticsearch-index-templates-list
new file mode 100755
index 000000000..84fecc565
--- /dev/null
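Review bot: `$1` is expanded unquoted into the URL on the `else` branch, so an argument containing spaces or glob characters is word-split and globbed before curl ever sees it; quote it, `.../_component_template/"$1" | jq`, and the empty-argument test reads more idiomatically as `if [ -z "$1" ]; then`. Both curl invocations pass `-k`, which disables TLS certificate validation on a request that presumably carries Elasticsearch credentials via `ELASTICCURL` (defined in `so-common`, not visible here); if the CA that signs the manager's certificate is on the minion, `--cacert` is the safer choice, and otherwise a one-line comment should state why verification is skipped so the flag is not copied into tools that talk to remote nodes. With `-s` and no `--fail`, an HTTP error body is piped straight into `jq` and surfaces only as a jq parse error; `-sf` (or `set -o pipefail`) would report a failed request as a failed request.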
+++ b/salt/common/tools/sbin/so-elasticsearch-index-templates-list
@@ -0,0 +1,23 @@
+#!/bin/bash
+#
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+. /usr/sbin/so-common
+if [ "$1" == "" ]; then
+ {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort
+else
+ {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template/$1 | jq
+fi
From 6d0ca6fcbbb49027467f7a1bf303edfa9e0cbc2f Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Tue, 8 Feb 2022 12:59:07 +0000
Subject: [PATCH 33/40] Fix mangled key name/typo
---
 salt/elasticsearch/templates/component/ecs/snyk.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/templates/component/ecs/snyk.json b/salt/elasticsearch/templates/component/ecs/snyk.json
index ab0dcd2fb..a8ed3889d 100644
--- a/salt/elasticsearch/templates/component/ecs/snyk.json
+++ b/salt/elasticsearch/templates/component/ecs/snyk.json
@@ -17,7 +17,7 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
- "projecre_above": 1024,
+ "ignore_above": 1024,
 "type": "keyword"
 }
 }
From 2951e12c965c3fe9ff91b635b451c705aa91a899 Mon Sep 17 00:00:00 2001
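Review bot: This script is a copy of the component-template one with only the API path and the jq key changed, and it carries the same two issues: `$1` is unquoted in the URL (`.../_index_template/"$1" | jq`) and `-k` turns off certificate validation on a request that presumably carries credentials via `ELASTICCURL`. Because the two differ in exactly two tokens, a shared helper in `so-common` taking the endpoint name and the jq selector would keep the curl flags, TLS handling and error behaviour in one place; as written, a later hardening of one script is easy to forget in the other.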
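Review bot: Renaming the key does not repair the file. The mangled token swallowed a line: after this change `audit.properties` still holds a bare `"ignore_above": 1024,` and `"type": "keyword"` directly under `properties` instead of inside a named field object, and the `} } },` that follow (visible in the full listing from PATCH 01) close one more object than was opened, so `snyk.json` fails to parse as JSON exactly as it did before. The surrounding structure shows the lost line was a field name plus `{` — the token reads like `"project_id": {` fused with `"ignore_above"` — so the fix is to reinstate `"project_id": {` (confirm the name against the upstream Snyk module fields) above `"ignore_above": 1024,`, which also restores the brace balance. The enclosing `audit` object starts above this hunk; PATCH 34/40 deletes the file, so this mainly matters if `snyk-mappings` is reinstated later.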
From: Wes Lambert Date: Tue, 8 Feb 2022 13:16:59 +0000 Subject: [PATCH 34/40] Remove snyk component template for now and fix folder structure --- .../ecs/newcomponents/elasticsearch.json | 25 - .../component/ecs/newcomponents/kibana.json | 75 - .../component/ecs/newcomponents/logstash.json | 99 - .../component/ecs/newcomponents/netflow.json | 1423 ---------- .../component/ecs/newcomponents/suricata.json | 850 ------ .../component/ecs/newcomponents/zeek.json | 2279 ----------------- .../templates/component/ecs/snyk.json | 147 -- 7 files changed, 4898 deletions(-) delete mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/elasticsearch.json delete mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/kibana.json delete mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/logstash.json delete mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/netflow.json delete mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/suricata.json delete mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/zeek.json delete mode 100644 salt/elasticsearch/templates/component/ecs/snyk.json diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/elasticsearch.json b/salt/elasticsearch/templates/component/ecs/newcomponents/elasticsearch.json deleted file mode 100644 index f409ed95a..000000000 --- a/salt/elasticsearch/templates/component/ecs/newcomponents/elasticsearch.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "@timestamp": { - "type": "date" - }, - "labels": { - "type": "object" - }, - "message": { - "type": "match_only_text" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } -} \ No newline at end of file 
diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/kibana.json b/salt/elasticsearch/templates/component/ecs/newcomponents/kibana.json deleted file mode 100644 index d1ea67de7..000000000 --- a/salt/elasticsearch/templates/component/ecs/newcomponents/kibana.json +++ /dev/null @@ -1,75 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "kibana": { - "properties": { - "add_to_spaces": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentication_provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentication_realm": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentication_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "delete_from_spaces": { - "ignore_above": 1024, - "type": "keyword" - }, - "log": { - "properties": { - "meta": { - "type": "object" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "lookup_realm": { - "ignore_above": 1024, - "type": "keyword" - }, - "saved_object": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "space_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/logstash.json b/salt/elasticsearch/templates/component/ecs/newcomponents/logstash.json deleted file mode 100644 index ecfb17551..000000000 --- a/salt/elasticsearch/templates/component/ecs/newcomponents/logstash.json +++ /dev/null 
@@ -1,99 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "logstash": { - "properties": { - "log": { - "properties": { - "log_event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "pipeline_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thread": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "slowlog": { - "properties": { - "event": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "plugin_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "plugin_params": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "plugin_params_object": { - "type": "object" - }, - "plugin_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "thread": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "took_in_millis": { - "type": "long" - } - } - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/netflow.json b/salt/elasticsearch/templates/component/ecs/newcomponents/netflow.json deleted file mode 100644 index 10f34c3d4..000000000 --- a/salt/elasticsearch/templates/component/ecs/newcomponents/netflow.json +++ /dev/null 
@@ -1,1423 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "netflow": { - "properties": { - "absolute_error": { - "type": "double" - }, - "address_pool_high_threshold": { - "type": "long" - }, - "address_pool_low_threshold": { - "type": "long" - }, - "address_port_mapping_high_threshold": { - "type": "long" - }, - "address_port_mapping_low_threshold": { - "type": "long" - }, - "address_port_mapping_per_user_high_threshold": { - "type": "long" - }, - "anonymization_flags": { - "type": "long" - }, - "anonymization_technique": { - "type": "long" - }, - "application_category_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_group_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_id": { - "type": "short" - }, - "application_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_sub_category_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "bgp_destination_as_number": { - "type": "long" - }, - "bgp_next_adjacent_as_number": { - "type": "long" - }, - "bgp_next_hop_ipv4_address": { - "type": "ip" - }, - "bgp_next_hop_ipv6_address": { - "type": "ip" - }, - "bgp_prev_adjacent_as_number": { - "type": "long" - }, - "bgp_source_as_number": { - "type": "long" - }, - "bgp_validity_state": { - "type": "short" - }, - "biflow_direction": { - "type": "short" - }, - "class_id": { - "type": "long" - }, - "class_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification_engine_id": { - "type": "short" - }, - "collection_time_milliseconds": { - "type": "date" - }, - "collector_certificate": { - "type": "short" - }, - "collector_ipv4_address": { - "type": "ip" - }, - "collector_ipv6_address": { - "type": "ip" - }, - "collector_transport_port": { - "type": "long" - }, - 
"common_properties_id": { - "type": "long" - }, - "confidence_level": { - "type": "double" - }, - "connection_sum_duration_seconds": { - "type": "long" - }, - "connection_transaction_id": { - "type": "long" - }, - "data_link_frame_section": { - "type": "short" - }, - "data_link_frame_size": { - "type": "long" - }, - "data_link_frame_type": { - "type": "long" - }, - "data_records_reliability": { - "type": "boolean" - }, - "delta_flow_count": { - "type": "long" - }, - "destination_ipv4_address": { - "type": "ip" - }, - "destination_ipv4_prefix": { - "type": "ip" - }, - "destination_ipv4_prefix_length": { - "type": "short" - }, - "destination_ipv6_address": { - "type": "ip" - }, - "destination_ipv6_prefix": { - "type": "ip" - }, - "destination_ipv6_prefix_length": { - "type": "short" - }, - "destination_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "destination_transport_port": { - "type": "long" - }, - "digest_hash_value": { - "type": "long" - }, - "distinct_count_of_destination_ip_address": { - "type": "long" - }, - "distinct_count_of_destination_ipv4_address": { - "type": "long" - }, - "distinct_count_of_destination_ipv6_address": { - "type": "long" - }, - "distinct_count_of_source_ip_address": { - "type": "long" - }, - "distinct_count_of_source_ipv4_address": { - "type": "long" - }, - "distinct_count_of_source_ipv6_address": { - "type": "long" - }, - "dot1q_customer_dei": { - "type": "boolean" - }, - "dot1q_customer_destination_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "dot1q_customer_priority": { - "type": "short" - }, - "dot1q_customer_source_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "dot1q_customer_vlan_id": { - "type": "long" - }, - "dot1q_dei": { - "type": "boolean" - }, - "dot1q_priority": { - "type": "short" - }, - "dot1q_service_instance_id": { - "type": "long" - }, - "dot1q_service_instance_priority": { - "type": "short" - }, - "dot1q_service_instance_tag": { - "type": "short" - }, - 
"dot1q_vlan_id": { - "type": "long" - }, - "dropped_layer2_octet_delta_count": { - "type": "long" - }, - "dropped_layer2_octet_total_count": { - "type": "long" - }, - "dropped_octet_delta_count": { - "type": "long" - }, - "dropped_octet_total_count": { - "type": "long" - }, - "dropped_packet_delta_count": { - "type": "long" - }, - "dropped_packet_total_count": { - "type": "long" - }, - "dst_traffic_index": { - "type": "long" - }, - "egress_broadcast_packet_total_count": { - "type": "long" - }, - "egress_interface": { - "type": "long" - }, - "egress_interface_type": { - "type": "long" - }, - "egress_physical_interface": { - "type": "long" - }, - "egress_unicast_packet_total_count": { - "type": "long" - }, - "egress_vrfid": { - "type": "long" - }, - "encrypted_technology": { - "ignore_above": 1024, - "type": "keyword" - }, - "engine_id": { - "type": "short" - }, - "engine_type": { - "type": "short" - }, - "ethernet_header_length": { - "type": "short" - }, - "ethernet_payload_length": { - "type": "long" - }, - "ethernet_total_length": { - "type": "long" - }, - "ethernet_type": { - "type": "long" - }, - "export_interface": { - "type": "long" - }, - "export_protocol_version": { - "type": "short" - }, - "export_sctp_stream_id": { - "type": "long" - }, - "export_transport_protocol": { - "type": "short" - }, - "exported_flow_record_total_count": { - "type": "long" - }, - "exported_message_total_count": { - "type": "long" - }, - "exported_octet_total_count": { - "type": "long" - }, - "exporter": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_id": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "uptime_millis": { - "type": "long" - }, - "version": { - "type": "long" - } - } - }, - "exporter_certificate": { - "type": "short" - }, - "exporter_ipv4_address": { - "type": "ip" - }, - "exporter_ipv6_address": { - "type": "ip" - }, - "exporter_transport_port": { - "type": "long" - }, - "exporting_process_id": { - 
"type": "long" - }, - "external_address_realm": { - "type": "short" - }, - "firewall_event": { - "type": "short" - }, - "flags_and_sampler_id": { - "type": "long" - }, - "flow_active_timeout": { - "type": "long" - }, - "flow_direction": { - "type": "short" - }, - "flow_duration_microseconds": { - "type": "long" - }, - "flow_duration_milliseconds": { - "type": "long" - }, - "flow_end_delta_microseconds": { - "type": "long" - }, - "flow_end_microseconds": { - "type": "date" - }, - "flow_end_milliseconds": { - "type": "date" - }, - "flow_end_nanoseconds": { - "type": "date" - }, - "flow_end_reason": { - "type": "short" - }, - "flow_end_seconds": { - "type": "date" - }, - "flow_end_sys_up_time": { - "type": "long" - }, - "flow_id": { - "type": "long" - }, - "flow_idle_timeout": { - "type": "long" - }, - "flow_key_indicator": { - "type": "long" - }, - "flow_label_ipv6": { - "type": "long" - }, - "flow_sampling_time_interval": { - "type": "long" - }, - "flow_sampling_time_spacing": { - "type": "long" - }, - "flow_selected_flow_delta_count": { - "type": "long" - }, - "flow_selected_octet_delta_count": { - "type": "long" - }, - "flow_selected_packet_delta_count": { - "type": "long" - }, - "flow_selector_algorithm": { - "type": "long" - }, - "flow_start_delta_microseconds": { - "type": "long" - }, - "flow_start_microseconds": { - "type": "date" - }, - "flow_start_milliseconds": { - "type": "date" - }, - "flow_start_nanoseconds": { - "type": "date" - }, - "flow_start_seconds": { - "type": "date" - }, - "flow_start_sys_up_time": { - "type": "long" - }, - "forwarding_status": { - "type": "short" - }, - "fragment_flags": { - "type": "short" - }, - "fragment_identification": { - "type": "long" - }, - "fragment_offset": { - "type": "long" - }, - "global_address_mapping_high_threshold": { - "type": "long" - }, - "gre_key": { - "type": "long" - }, - "hash_digest_output": { - "type": "boolean" - }, - "hash_flow_domain": { - "type": "long" - }, - "hash_initialiser_value": { - "type": 
"long" - }, - "hash_ip_payload_offset": { - "type": "long" - }, - "hash_ip_payload_size": { - "type": "long" - }, - "hash_output_range_max": { - "type": "long" - }, - "hash_output_range_min": { - "type": "long" - }, - "hash_selected_range_max": { - "type": "long" - }, - "hash_selected_range_min": { - "type": "long" - }, - "http_content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_message_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_reason_phrase": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_request_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_request_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_request_target": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_status_code": { - "type": "long" - }, - "http_user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_code_ipv4": { - "type": "short" - }, - "icmp_code_ipv6": { - "type": "short" - }, - "icmp_type_code_ipv4": { - "type": "long" - }, - "icmp_type_code_ipv6": { - "type": "long" - }, - "icmp_type_ipv4": { - "type": "short" - }, - "icmp_type_ipv6": { - "type": "short" - }, - "igmp_type": { - "type": "short" - }, - "ignored_data_record_total_count": { - "type": "long" - }, - "ignored_layer2_frame_total_count": { - "type": "long" - }, - "ignored_layer2_octet_total_count": { - "type": "long" - }, - "ignored_octet_total_count": { - "type": "long" - }, - "ignored_packet_total_count": { - "type": "long" - }, - "information_element_data_type": { - "type": "short" - }, - "information_element_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "information_element_id": { - "type": "long" - }, - "information_element_index": { - "type": "long" - }, - "information_element_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "information_element_range_begin": { - "type": "long" - }, - "information_element_range_end": { - "type": "long" - }, - "information_element_semantics": { 
- "type": "short" - }, - "information_element_units": { - "type": "long" - }, - "ingress_broadcast_packet_total_count": { - "type": "long" - }, - "ingress_interface": { - "type": "long" - }, - "ingress_interface_type": { - "type": "long" - }, - "ingress_multicast_packet_total_count": { - "type": "long" - }, - "ingress_physical_interface": { - "type": "long" - }, - "ingress_unicast_packet_total_count": { - "type": "long" - }, - "ingress_vrfid": { - "type": "long" - }, - "initiator_octets": { - "type": "long" - }, - "initiator_packets": { - "type": "long" - }, - "interface_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "interface_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "intermediate_process_id": { - "type": "long" - }, - "internal_address_realm": { - "type": "short" - }, - "ip_class_of_service": { - "type": "short" - }, - "ip_diff_serv_code_point": { - "type": "short" - }, - "ip_header_length": { - "type": "short" - }, - "ip_header_packet_section": { - "type": "short" - }, - "ip_next_hop_ipv4_address": { - "type": "ip" - }, - "ip_next_hop_ipv6_address": { - "type": "ip" - }, - "ip_payload_length": { - "type": "long" - }, - "ip_payload_packet_section": { - "type": "short" - }, - "ip_precedence": { - "type": "short" - }, - "ip_sec_spi": { - "type": "long" - }, - "ip_total_length": { - "type": "long" - }, - "ip_ttl": { - "type": "short" - }, - "ip_version": { - "type": "short" - }, - "ipv4_ihl": { - "type": "short" - }, - "ipv4_options": { - "type": "long" - }, - "ipv4_router_sc": { - "type": "ip" - }, - "ipv6_extension_headers": { - "type": "long" - }, - "is_multicast": { - "type": "short" - }, - "layer2_frame_delta_count": { - "type": "long" - }, - "layer2_frame_total_count": { - "type": "long" - }, - "layer2_octet_delta_count": { - "type": "long" - }, - "layer2_octet_delta_sum_of_squares": { - "type": "long" - }, - "layer2_octet_total_count": { - "type": "long" - }, - "layer2_octet_total_sum_of_squares": { - "type": "long" - }, 
- "layer2_segment_id": { - "type": "long" - }, - "layer2packet_section_data": { - "type": "short" - }, - "layer2packet_section_offset": { - "type": "long" - }, - "layer2packet_section_size": { - "type": "long" - }, - "line_card_id": { - "type": "long" - }, - "lower_ci_limit": { - "type": "double" - }, - "max_bib_entries": { - "type": "long" - }, - "max_entries_per_user": { - "type": "long" - }, - "max_export_seconds": { - "type": "date" - }, - "max_flow_end_microseconds": { - "type": "date" - }, - "max_flow_end_milliseconds": { - "type": "date" - }, - "max_flow_end_nanoseconds": { - "type": "date" - }, - "max_flow_end_seconds": { - "type": "date" - }, - "max_fragments_pending_reassembly": { - "type": "long" - }, - "max_session_entries": { - "type": "long" - }, - "max_subscribers": { - "type": "long" - }, - "maximum_ip_total_length": { - "type": "long" - }, - "maximum_layer2_total_length": { - "type": "long" - }, - "maximum_ttl": { - "type": "short" - }, - "message_md5_checksum": { - "type": "short" - }, - "message_scope": { - "type": "short" - }, - "metering_process_id": { - "type": "long" - }, - "metro_evc_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "metro_evc_type": { - "type": "short" - }, - "mib_capture_time_semantics": { - "type": "short" - }, - "mib_context_engine_id": { - "type": "short" - }, - "mib_context_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "mib_index_indicator": { - "type": "long" - }, - "mib_module_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "mib_object_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "mib_object_identifier": { - "type": "short" - }, - "mib_object_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "mib_object_syntax": { - "ignore_above": 1024, - "type": "keyword" - }, - "mib_object_value_bits": { - "type": "short" - }, - "mib_object_value_counter": { - "type": "long" - }, - "mib_object_value_gauge": { - "type": "long" - }, - "mib_object_value_integer": { - 
"type": "long" - }, - "mib_object_value_ip_address": { - "type": "ip" - }, - "mib_object_value_octet_string": { - "type": "short" - }, - "mib_object_value_oid": { - "type": "short" - }, - "mib_object_value_time_ticks": { - "type": "long" - }, - "mib_object_value_unsigned": { - "type": "long" - }, - "mib_sub_identifier": { - "type": "long" - }, - "min_export_seconds": { - "type": "date" - }, - "min_flow_start_microseconds": { - "type": "date" - }, - "min_flow_start_milliseconds": { - "type": "date" - }, - "min_flow_start_nanoseconds": { - "type": "date" - }, - "min_flow_start_seconds": { - "type": "date" - }, - "minimum_ip_total_length": { - "type": "long" - }, - "minimum_layer2_total_length": { - "type": "long" - }, - "minimum_ttl": { - "type": "short" - }, - "mobile_imsi": { - "ignore_above": 1024, - "type": "keyword" - }, - "mobile_msisdn": { - "ignore_above": 1024, - "type": "keyword" - }, - "monitoring_interval_end_milli_seconds": { - "type": "date" - }, - "monitoring_interval_start_milli_seconds": { - "type": "date" - }, - "mpls_label_stack_depth": { - "type": "long" - }, - "mpls_label_stack_length": { - "type": "long" - }, - "mpls_label_stack_section": { - "type": "short" - }, - "mpls_label_stack_section10": { - "type": "short" - }, - "mpls_label_stack_section2": { - "type": "short" - }, - "mpls_label_stack_section3": { - "type": "short" - }, - "mpls_label_stack_section4": { - "type": "short" - }, - "mpls_label_stack_section5": { - "type": "short" - }, - "mpls_label_stack_section6": { - "type": "short" - }, - "mpls_label_stack_section7": { - "type": "short" - }, - "mpls_label_stack_section8": { - "type": "short" - }, - "mpls_label_stack_section9": { - "type": "short" - }, - "mpls_payload_length": { - "type": "long" - }, - "mpls_payload_packet_section": { - "type": "short" - }, - "mpls_top_label_exp": { - "type": "short" - }, - "mpls_top_label_ipv4_address": { - "type": "ip" - }, - "mpls_top_label_ipv6_address": { - "type": "ip" - }, - 
"mpls_top_label_prefix_length": { - "type": "short" - }, - "mpls_top_label_stack_section": { - "type": "short" - }, - "mpls_top_label_ttl": { - "type": "short" - }, - "mpls_top_label_type": { - "type": "short" - }, - "mpls_vpn_route_distinguisher": { - "type": "short" - }, - "multicast_replication_factor": { - "type": "long" - }, - "nat_event": { - "type": "short" - }, - "nat_instance_id": { - "type": "long" - }, - "nat_originating_address_realm": { - "type": "short" - }, - "nat_pool_id": { - "type": "long" - }, - "nat_pool_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat_quota_exceeded_event": { - "type": "long" - }, - "nat_threshold_event": { - "type": "long" - }, - "nat_type": { - "type": "short" - }, - "new_connection_delta_count": { - "type": "long" - }, - "next_header_ipv6": { - "type": "short" - }, - "not_sent_flow_total_count": { - "type": "long" - }, - "not_sent_layer2_octet_total_count": { - "type": "long" - }, - "not_sent_octet_total_count": { - "type": "long" - }, - "not_sent_packet_total_count": { - "type": "long" - }, - "observation_domain_id": { - "type": "long" - }, - "observation_domain_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "observation_point_id": { - "type": "long" - }, - "observation_point_type": { - "type": "short" - }, - "observation_time_microseconds": { - "type": "date" - }, - "observation_time_milliseconds": { - "type": "date" - }, - "observation_time_nanoseconds": { - "type": "date" - }, - "observation_time_seconds": { - "type": "date" - }, - "observed_flow_total_count": { - "type": "long" - }, - "octet_delta_count": { - "type": "long" - }, - "octet_delta_sum_of_squares": { - "type": "long" - }, - "octet_total_count": { - "type": "long" - }, - "octet_total_sum_of_squares": { - "type": "long" - }, - "opaque_octets": { - "type": "short" - }, - "original_exporter_ipv4_address": { - "type": "ip" - }, - "original_exporter_ipv6_address": { - "type": "ip" - }, - "original_flows_completed": { - "type": "long" - 
}, - "original_flows_initiated": { - "type": "long" - }, - "original_flows_present": { - "type": "long" - }, - "original_observation_domain_id": { - "type": "long" - }, - "p2p_technology": { - "ignore_above": 1024, - "type": "keyword" - }, - "packet_delta_count": { - "type": "long" - }, - "packet_total_count": { - "type": "long" - }, - "padding_octets": { - "type": "short" - }, - "payload_length_ipv6": { - "type": "long" - }, - "port_id": { - "type": "long" - }, - "port_range_end": { - "type": "long" - }, - "port_range_num_ports": { - "type": "long" - }, - "port_range_start": { - "type": "long" - }, - "port_range_step_size": { - "type": "long" - }, - "post_destination_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "post_dot1q_customer_vlan_id": { - "type": "long" - }, - "post_dot1q_vlan_id": { - "type": "long" - }, - "post_ip_class_of_service": { - "type": "short" - }, - "post_ip_diff_serv_code_point": { - "type": "short" - }, - "post_ip_precedence": { - "type": "short" - }, - "post_layer2_octet_delta_count": { - "type": "long" - }, - "post_layer2_octet_total_count": { - "type": "long" - }, - "post_mcast_layer2_octet_delta_count": { - "type": "long" - }, - "post_mcast_layer2_octet_total_count": { - "type": "long" - }, - "post_mcast_octet_delta_count": { - "type": "long" - }, - "post_mcast_octet_total_count": { - "type": "long" - }, - "post_mcast_packet_delta_count": { - "type": "long" - }, - "post_mcast_packet_total_count": { - "type": "long" - }, - "post_mpls_top_label_exp": { - "type": "short" - }, - "post_napt_destination_transport_port": { - "type": "long" - }, - "post_napt_source_transport_port": { - "type": "long" - }, - "post_nat_destination_ipv4_address": { - "type": "ip" - }, - "post_nat_destination_ipv6_address": { - "type": "ip" - }, - "post_nat_source_ipv4_address": { - "type": "ip" - }, - "post_nat_source_ipv6_address": { - "type": "ip" - }, - "post_octet_delta_count": { - "type": "long" - }, - "post_octet_total_count": { - "type": 
"long" - }, - "post_packet_delta_count": { - "type": "long" - }, - "post_packet_total_count": { - "type": "long" - }, - "post_source_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "post_vlan_id": { - "type": "long" - }, - "private_enterprise_number": { - "type": "long" - }, - "protocol_identifier": { - "type": "short" - }, - "pseudo_wire_control_word": { - "type": "long" - }, - "pseudo_wire_destination_ipv4_address": { - "type": "ip" - }, - "pseudo_wire_id": { - "type": "long" - }, - "pseudo_wire_type": { - "type": "long" - }, - "relative_error": { - "type": "double" - }, - "responder_octets": { - "type": "long" - }, - "responder_packets": { - "type": "long" - }, - "rfc3550_jitter_microseconds": { - "type": "long" - }, - "rfc3550_jitter_milliseconds": { - "type": "long" - }, - "rfc3550_jitter_nanoseconds": { - "type": "long" - }, - "rtp_sequence_number": { - "type": "long" - }, - "sampler_id": { - "type": "short" - }, - "sampler_mode": { - "type": "short" - }, - "sampler_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "sampler_random_interval": { - "type": "long" - }, - "sampling_algorithm": { - "type": "short" - }, - "sampling_flow_interval": { - "type": "long" - }, - "sampling_flow_spacing": { - "type": "long" - }, - "sampling_interval": { - "type": "long" - }, - "sampling_packet_interval": { - "type": "long" - }, - "sampling_packet_space": { - "type": "long" - }, - "sampling_population": { - "type": "long" - }, - "sampling_probability": { - "type": "double" - }, - "sampling_size": { - "type": "long" - }, - "sampling_time_interval": { - "type": "long" - }, - "sampling_time_space": { - "type": "long" - }, - "section_exported_octets": { - "type": "long" - }, - "section_offset": { - "type": "long" - }, - "selection_sequence_id": { - "type": "long" - }, - "selector_algorithm": { - "type": "long" - }, - "selector_id": { - "type": "long" - }, - "selector_id_total_flows_observed": { - "type": "long" - }, - 
"selector_id_total_flows_selected": { - "type": "long" - }, - "selector_id_total_pkts_observed": { - "type": "long" - }, - "selector_id_total_pkts_selected": { - "type": "long" - }, - "selector_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_scope": { - "type": "short" - }, - "source_ipv4_address": { - "type": "ip" - }, - "source_ipv4_prefix": { - "type": "ip" - }, - "source_ipv4_prefix_length": { - "type": "short" - }, - "source_ipv6_address": { - "type": "ip" - }, - "source_ipv6_prefix": { - "type": "ip" - }, - "source_ipv6_prefix_length": { - "type": "short" - }, - "source_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_transport_port": { - "type": "long" - }, - "source_transport_ports_limit": { - "type": "long" - }, - "src_traffic_index": { - "type": "long" - }, - "sta_ipv4_address": { - "type": "ip" - }, - "sta_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "system_init_time_milliseconds": { - "type": "date" - }, - "tcp_ack_total_count": { - "type": "long" - }, - "tcp_acknowledgement_number": { - "type": "long" - }, - "tcp_control_bits": { - "type": "long" - }, - "tcp_destination_port": { - "type": "long" - }, - "tcp_fin_total_count": { - "type": "long" - }, - "tcp_header_length": { - "type": "short" - }, - "tcp_options": { - "type": "long" - }, - "tcp_psh_total_count": { - "type": "long" - }, - "tcp_rst_total_count": { - "type": "long" - }, - "tcp_sequence_number": { - "type": "long" - }, - "tcp_source_port": { - "type": "long" - }, - "tcp_syn_total_count": { - "type": "long" - }, - "tcp_urg_total_count": { - "type": "long" - }, - "tcp_urgent_pointer": { - "type": "long" - }, - "tcp_window_scale": { - "type": "long" - }, - "tcp_window_size": { - "type": "long" - }, - "template_id": { - "type": "long" - }, - "total_length_ipv4": { - "type": "long" - }, - "transport_octet_delta_count": { - "type": "long" - }, - "transport_packet_delta_count": { - "type": "long" - }, - "tunnel_technology": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "udp_destination_port": { - "type": "long" - }, - "udp_message_length": { - "type": "long" - }, - "udp_source_port": { - "type": "long" - }, - "upper_ci_limit": { - "type": "double" - }, - "user_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "value_distribution_method": { - "type": "short" - }, - "virtual_station_interface_id": { - "type": "short" - }, - "virtual_station_interface_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_station_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_station_uuid": { - "type": "short" - }, - "vlan_id": { - "type": "long" - }, - "vpn_identifier": { - "type": "short" - }, - "vr_fname": { - "ignore_above": 1024, - "type": "keyword" - }, - "wlan_channel_id": { - "type": "short" - }, - "wlan_ssid": { - "ignore_above": 1024, - "type": "keyword" - }, - "wtp_mac_address": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/suricata.json b/salt/elasticsearch/templates/component/ecs/newcomponents/suricata.json deleted file mode 100644 index d824294e9..000000000 --- a/salt/elasticsearch/templates/component/ecs/newcomponents/suricata.json +++ /dev/null 
@@ -1,850 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "suricata": { - "properties": { - "eve": { - "properties": { - "alert": { - "properties": { - "affected_product": { - "ignore_above": 1024, - "type": "keyword" - }, - "attack_target": { - "ignore_above": 1024, - "type": "keyword" - }, - "capec_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "created_at": { - "type": "date" - }, - "cve": { - "ignore_above": 1024, - "type": "keyword" - }, - "cvss_v2_base": { - "ignore_above": 1024, - "type": "keyword" - }, - "cvss_v2_temporal": { - "ignore_above": 1024, - "type": "keyword" - }, - "cvss_v3_base": { - "ignore_above": 1024, - "type": "keyword" - }, - "cvss_v3_temporal": { - "ignore_above": 1024, - "type": "keyword" - }, - "cwe_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "deployment": { - "ignore_above": 1024, - "type": "keyword" - }, - "former_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "type": "long" - }, - "hostile": { - "ignore_above": 1024, - "type": "keyword" - }, - "infected": { - "ignore_above": 1024, - "type": "keyword" - }, - "malware": { - "ignore_above": 1024, - "type": "keyword" - }, - "metadata": { - "type": "flattened" - }, - "mitre_tool_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "performance_impact": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocols": { - "ignore_above": 1024, - "type": "keyword" - }, - "rev": { - "type": "long" - }, - "rule_source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sid": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"signature_id": { - "type": "long" - }, - "signature_severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - }, - "updated_at": { - "type": "date" - } - } - }, - "app_proto_expected": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_proto_orig": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_proto_tc": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_proto_ts": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns": { - "properties": { - "id": { - "type": "long" - }, - "rcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "rdata": { - "ignore_above": 1024, - "type": "keyword" - }, - "rrname": { - "ignore_above": 1024, - "type": "keyword" - }, - "rrtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "tx_id": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "properties": { - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "fileinfo": { - "properties": { - "gaps": { - "type": "boolean" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "stored": { - "type": "boolean" - }, - "tx_id": { - "type": "long" - } - } - }, - "flow": { - "properties": { - "age": { - "type": "long" - }, - "alerted": { - "type": "boolean" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "flow_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "http": { - "properties": { - "http_content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"redirect": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "icmp_code": { - "type": "long" - }, - "icmp_type": { - "type": "long" - }, - "in_iface": { - "ignore_above": 1024, - "type": "keyword" - }, - "pcap_cnt": { - "type": "long" - }, - "smtp": { - "properties": { - "helo": { - "ignore_above": 1024, - "type": "keyword" - }, - "mail_from": { - "ignore_above": 1024, - "type": "keyword" - }, - "rcpt_to": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ssh": { - "properties": { - "client": { - "properties": { - "proto_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "software_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "proto_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "software_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "stats": { - "properties": { - "app_layer": { - "properties": { - "flow": { - "properties": { - "dcerpc_tcp": { - "type": "long" - }, - "dcerpc_udp": { - "type": "long" - }, - "dns_tcp": { - "type": "long" - }, - "dns_udp": { - "type": "long" - }, - "failed_tcp": { - "type": "long" - }, - "failed_udp": { - "type": "long" - }, - "ftp": { - "type": "long" - }, - "http": { - "type": "long" - }, - "imap": { - "type": "long" - }, - "msn": { - "type": "long" - }, - "smb": { - "type": "long" - }, - "smtp": { - "type": "long" - }, - "ssh": { - "type": "long" - }, - "tls": { - "type": "long" - } - } - }, - "tx": { - "properties": { - "dcerpc_tcp": { - "type": "long" - }, - "dcerpc_udp": { - "type": "long" - }, - "dns_tcp": { - "type": "long" - }, - "dns_udp": { - "type": "long" - }, - "ftp": { - "type": "long" - }, - "http": { - "type": "long" - }, - "smb": { - "type": "long" - }, - "smtp": { - "type": "long" - }, - "ssh": { - "type": "long" - }, - "tls": { - "type": "long" - } - } - } - } - }, - "capture": { - "properties": { - "kernel_drops": { - "type": "long" - }, - "kernel_ifdrops": { - "type": 
"long" - }, - "kernel_packets": { - "type": "long" - } - } - }, - "decoder": { - "properties": { - "avg_pkt_size": { - "type": "long" - }, - "bytes": { - "type": "long" - }, - "dce": { - "properties": { - "pkt_too_small": { - "type": "long" - } - } - }, - "erspan": { - "type": "long" - }, - "ethernet": { - "type": "long" - }, - "gre": { - "type": "long" - }, - "icmpv4": { - "type": "long" - }, - "icmpv6": { - "type": "long" - }, - "ieee8021ah": { - "type": "long" - }, - "invalid": { - "type": "long" - }, - "ipraw": { - "properties": { - "invalid_ip_version": { - "type": "long" - } - } - }, - "ipv4": { - "type": "long" - }, - "ipv4_in_ipv6": { - "type": "long" - }, - "ipv6": { - "type": "long" - }, - "ipv6_in_ipv6": { - "type": "long" - }, - "ltnull": { - "properties": { - "pkt_too_small": { - "type": "long" - }, - "unsupported_type": { - "type": "long" - } - } - }, - "max_pkt_size": { - "type": "long" - }, - "mpls": { - "type": "long" - }, - "null": { - "type": "long" - }, - "pkts": { - "type": "long" - }, - "ppp": { - "type": "long" - }, - "pppoe": { - "type": "long" - }, - "raw": { - "type": "long" - }, - "sctp": { - "type": "long" - }, - "sll": { - "type": "long" - }, - "tcp": { - "type": "long" - }, - "teredo": { - "type": "long" - }, - "udp": { - "type": "long" - }, - "vlan": { - "type": "long" - }, - "vlan_qinq": { - "type": "long" - } - } - }, - "defrag": { - "properties": { - "ipv4": { - "properties": { - "fragments": { - "type": "long" - }, - "reassembled": { - "type": "long" - }, - "timeouts": { - "type": "long" - } - } - }, - "ipv6": { - "properties": { - "fragments": { - "type": "long" - }, - "reassembled": { - "type": "long" - }, - "timeouts": { - "type": "long" - } - } - }, - "max_frag_hits": { - "type": "long" - } - } - }, - "detect": { - "properties": { - "alert": { - "type": "long" - } - } - }, - "dns": { - "properties": { - "memcap_global": { - "type": "long" - }, - "memcap_state": { - "type": "long" - }, - "memuse": { - "type": "long" - } - } - 
}, - "file_store": { - "properties": { - "open_files": { - "type": "long" - } - } - }, - "flow": { - "properties": { - "emerg_mode_entered": { - "type": "long" - }, - "emerg_mode_over": { - "type": "long" - }, - "icmpv4": { - "type": "long" - }, - "icmpv6": { - "type": "long" - }, - "memcap": { - "type": "long" - }, - "memuse": { - "type": "long" - }, - "spare": { - "type": "long" - }, - "tcp": { - "type": "long" - }, - "tcp_reuse": { - "type": "long" - }, - "udp": { - "type": "long" - } - } - }, - "flow_mgr": { - "properties": { - "bypassed_pruned": { - "type": "long" - }, - "closed_pruned": { - "type": "long" - }, - "est_pruned": { - "type": "long" - }, - "flows_checked": { - "type": "long" - }, - "flows_notimeout": { - "type": "long" - }, - "flows_removed": { - "type": "long" - }, - "flows_timeout": { - "type": "long" - }, - "flows_timeout_inuse": { - "type": "long" - }, - "new_pruned": { - "type": "long" - }, - "rows_busy": { - "type": "long" - }, - "rows_checked": { - "type": "long" - }, - "rows_empty": { - "type": "long" - }, - "rows_maxlen": { - "type": "long" - }, - "rows_skipped": { - "type": "long" - } - } - }, - "http": { - "properties": { - "memcap": { - "type": "long" - }, - "memuse": { - "type": "long" - } - } - }, - "tcp": { - "properties": { - "insert_data_normal_fail": { - "type": "long" - }, - "insert_data_overlap_fail": { - "type": "long" - }, - "insert_list_fail": { - "type": "long" - }, - "invalid_checksum": { - "type": "long" - }, - "memuse": { - "type": "long" - }, - "no_flow": { - "type": "long" - }, - "overlap": { - "type": "long" - }, - "overlap_diff_data": { - "type": "long" - }, - "pseudo": { - "type": "long" - }, - "pseudo_failed": { - "type": "long" - }, - "reassembly_gap": { - "type": "long" - }, - "reassembly_memuse": { - "type": "long" - }, - "rst": { - "type": "long" - }, - "segment_memcap_drop": { - "type": "long" - }, - "sessions": { - "type": "long" - }, - "ssn_memcap_drop": { - "type": "long" - }, - "stream_depth_reached": { - 
"type": "long" - }, - "syn": { - "type": "long" - }, - "synack": { - "type": "long" - } - } - }, - "uptime": { - "type": "long" - } - } - }, - "tcp": { - "properties": { - "ack": { - "type": "boolean" - }, - "fin": { - "type": "boolean" - }, - "psh": { - "type": "boolean" - }, - "rst": { - "type": "boolean" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "syn": { - "type": "boolean" - }, - "tcp_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_flags_tc": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_flags_ts": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tls": { - "properties": { - "fingerprint": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuerdn": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "string": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ja3s": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "string": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "notafter": { - "type": "date" - }, - "notbefore": { - "type": "date" - }, - "serial": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_resumed": { - "type": "boolean" - }, - "sni": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tx_id": { - "type": "long" - } - } - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/zeek.json b/salt/elasticsearch/templates/component/ecs/newcomponents/zeek.json deleted file mode 100644 index 720199001..000000000 --- a/salt/elasticsearch/templates/component/ecs/newcomponents/zeek.json +++ /dev/null 
@@ -1,2279 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "zeek": { - "properties": { - "capture_loss": { - "properties": { - "acks": { - "type": "long" - }, - "gaps": { - "type": "long" - }, - "peer": { - "ignore_above": 1024, - "type": "keyword" - }, - "percent_lost": { - "type": "double" - }, - "ts_delta": { - "type": "long" - } - } - }, - "connection": { - "properties": { - "history": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp": { - "properties": { - "code": { - "type": "long" - }, - "type": { - "type": "long" - } - } - }, - "inner_vlan": { - "type": "long" - }, - "local_orig": { - "type": "boolean" - }, - "local_resp": { - "type": "boolean" - }, - "missed_bytes": { - "type": "long" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_message": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "type": "long" - } - } - }, - "dce_rpc": { - "properties": { - "endpoint": { - "ignore_above": 1024, - "type": "keyword" - }, - "named_pipe": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation": { - "ignore_above": 1024, - "type": "keyword" - }, - "rtt": { - "type": "long" - } - } - }, - "dhcp": { - "properties": { - "address": { - "properties": { - "assigned": { - "type": "ip" - }, - "client": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "requested": { - "type": "ip" - }, - "server": { - "type": "ip" - } - } - }, - "client_fqdn": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "double" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "properties": { - "circuit": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "subscriber": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "lease_time": { - "type": "long" - }, - "msg": { - "properties": { - "client": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "type": "ip" - }, - "server": { - "ignore_above": 1024, - "type": "keyword" - }, - "types": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "software": { - "properties": { - "client": { - "ignore_above": 1024, - "type": "keyword" - }, - "server": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dnp3": { - "properties": { - "function": { - "properties": { - "reply": { - "ignore_above": 1024, - "type": "keyword" - }, - "request": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - } - } - }, - "dns": { - "properties": { - "AA": { - "type": "boolean" - }, - "RA": { - "type": "boolean" - }, - "RD": { - "type": "boolean" - }, - "TC": { - "type": "boolean" - }, - "TTLs": { - "type": "double" - }, - "answers": { - "ignore_above": 1024, - "type": "keyword" - }, - "qclass": { - "type": "long" - }, - "qclass_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "qtype": { - "type": "long" - }, - "qtype_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "rcode": { - "type": "long" - }, - "rcode_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rejected": { - "type": "boolean" - }, - "rtt": { - "type": "double" - }, - "saw_query": { - "type": "boolean" - }, - "saw_reply": { - "type": "boolean" - }, - "total_answers": { - "type": "long" - }, - "total_replies": { - "type": "long" - }, - "trans_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dpd": { - "properties": { - "analyzer": { - "ignore_above": 1024, - "type": "keyword" - }, - "failure_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "packet_segment": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "files": { - "properties": 
{ - "analyzers": { - "ignore_above": 1024, - "type": "keyword" - }, - "depth": { - "type": "long" - }, - "duration": { - "type": "double" - }, - "entropy": { - "type": "double" - }, - "extracted": { - "ignore_above": 1024, - "type": "keyword" - }, - "extracted_cutoff": { - "type": "boolean" - }, - "extracted_size": { - "type": "long" - }, - "filename": { - "ignore_above": 1024, - "type": "keyword" - }, - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_orig": { - "type": "boolean" - }, - "local_orig": { - "type": "boolean" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "missing_bytes": { - "type": "long" - }, - "overflow_bytes": { - "type": "long" - }, - "parent_fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "rx_host": { - "type": "ip" - }, - "seen_bytes": { - "type": "long" - }, - "session_ids": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "timedout": { - "type": "boolean" - }, - "total_bytes": { - "type": "long" - }, - "tx_host": { - "type": "ip" - } - } - }, - "ftp": { - "properties": { - "arg": { - "ignore_above": 1024, - "type": "keyword" - }, - "capture_password": { - "type": "boolean" - }, - "cmdarg": { - "properties": { - "arg": { - "ignore_above": 1024, - "type": "keyword" - }, - "cmd": { - "ignore_above": 1024, - "type": "keyword" - }, - "seq": { - "type": "long" - } - } - }, - "command": { - "ignore_above": 1024, - "type": "keyword" - }, - "cwd": { - "ignore_above": 1024, - "type": "keyword" - }, - "data_channel": { - "properties": { - "originating_host": { - "type": "ip" - }, - "passive": { - "type": "boolean" - }, - "response_host": { - "type": "ip" - }, - "response_port": { - "type": "long" - } - } - }, - "file": { - "properties": { - "fuid": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - } - } - }, - "last_auth_requested": { - "ignore_above": 1024, - "type": "keyword" - }, - "passive": { - "type": "boolean" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "pending_commands": { - "type": "long" - }, - "reply": { - "properties": { - "code": { - "type": "long" - }, - "msg": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "http": { - "properties": { - "captured_password": { - "type": "boolean" - }, - "client_header_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "info_code": { - "type": "long" - }, - "info_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "orig_filenames": { - "ignore_above": 1024, - "type": "keyword" - }, - "orig_fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "orig_mime_depth": { - "type": "long" - }, - "orig_mime_types": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "proxied": { - "ignore_above": 1024, - "type": "keyword" - }, - "range_request": { - "type": "boolean" - }, - "resp_filenames": { - "ignore_above": 1024, - "type": "keyword" - }, - "resp_fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "resp_mime_depth": { - "type": "long" - }, - "resp_mime_types": { - "ignore_above": 1024, - "type": "keyword" - }, - "server_header_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "trans_depth": { - "type": "long" - } - } - }, - "intel": { - "properties": { - "file_desc": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "fuid": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "matched": { - "ignore_above": 1024, - "type": "keyword" - }, - "seen": { - "properties": { - "conn": { - "ignore_above": 1024, - "type": "keyword" - }, - "f": { - "type": "object" - }, - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "ignore_above": 1024, - "type": "keyword" - }, - "indicator": { - "ignore_above": 1024, - "type": "keyword" - }, - "indicator_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "where": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sources": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "irc": { - "properties": { - "addl": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "ignore_above": 1024, - "type": "keyword" - }, - "dcc": { - "properties": { - "file": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "nick": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "kerberos": { - "properties": { - "cert": { - "properties": { - "client": { - "properties": { - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "error": { - "properties": { - "code": { - "type": "long" - }, - "msg": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "forwardable": { - "type": "boolean" - }, - "renewable": { - "type": "boolean" - }, - "request_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "ignore_above": 1024, - "type": "keyword" - }, - "success": { - "type": "boolean" - }, - "ticket": { - "properties": { - "auth": { - "ignore_above": 1024, - "type": "keyword" - }, - "new": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "valid": { - "properties": { - "days": { - "type": "long" - }, - "from": { - "type": "date" - }, - "until": { - "type": "date" - } - } - } - } - }, - "modbus": { - "properties": { - "exception": { - "ignore_above": 1024, - "type": "keyword" - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - }, - "track_address": { - "type": "long" - } - } - }, - "mysql": { - "properties": { - "arg": { - "ignore_above": 1024, - "type": "keyword" - }, - "cmd": { - "ignore_above": 1024, - "type": "keyword" - }, - "response": { - "ignore_above": 1024, - "type": "keyword" - }, - "rows": { - "type": "long" - }, - "success": { - "type": "boolean" - } - } - }, - "notice": { - "properties": { - "actions": { - "ignore_above": 1024, - "type": "keyword" - }, - "connection_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dropped": { - "type": "boolean" - }, - "email_body_sections": { - "norms": false, - "type": "text" - }, - "email_delay_tokens": { - "ignore_above": 1024, - "type": "keyword" - }, - "false": { - "type": "long" - }, - "ffile": { - "properties": { - "total_bytes": { - "type": "long" - } - } - }, - "file": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_orig": { - "type": "boolean" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "missing_bytes": { - "type": "long" - }, - "overflow_bytes": { - "type": "long" - }, - "parent_id": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "seen_bytes": { - "type": "long" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "note": { - "ignore_above": 1024, - "type": "keyword" - }, - "peer_descr": { - "norms": false, - "type": "text" - }, - "peer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub": { - "ignore_above": 1024, - "type": "keyword" - }, - "suppress_for": { - "type": "double" - } - } - }, - "ntlm": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "server": { - "properties": { - "name": { - "properties": { - "dns": { - "ignore_above": 1024, - "type": "keyword" - }, - "netbios": { - "ignore_above": 1024, - "type": "keyword" - }, - "tree": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "success": { - "type": "boolean" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ntp": { - "properties": { - "mode": { - "type": "long" - }, - "num_exts": { - "type": "long" - }, - "org_time": { - "type": "date" - }, - "poll": { - "type": "double" - }, - "precision": { - "type": "double" - }, - "rec_time": { - "type": "date" - }, - "ref_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ref_time": { - "type": "date" - }, - "root_delay": { - "type": "double" - }, - "root_disp": { - "type": "double" - }, - "stratum": { - "type": "long" - }, - "version": { - "type": "long" - }, - "xmt_time": { - "type": "date" - } - } - }, - "ocsp": { - "properties": { - "file_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"issuer": { - "properties": { - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "revoke": { - "properties": { - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "time": { - "type": "date" - } - } - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "update": { - "properties": { - "next": { - "type": "date" - }, - "this": { - "type": "date" - } - } - } - } - }, - "pe": { - "properties": { - "client": { - "ignore_above": 1024, - "type": "keyword" - }, - "compile_time": { - "type": "date" - }, - "has_cert_table": { - "type": "boolean" - }, - "has_debug_data": { - "type": "boolean" - }, - "has_export_table": { - "type": "boolean" - }, - "has_import_table": { - "type": "boolean" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_64bit": { - "type": "boolean" - }, - "is_exe": { - "type": "boolean" - }, - "machine": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "ignore_above": 1024, - "type": "keyword" - }, - "section_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "subsystem": { - "ignore_above": 1024, - "type": "keyword" - }, - "uses_aslr": { - "type": "boolean" - }, - "uses_code_integrity": { - "type": "boolean" - }, - "uses_dep": { - "type": "boolean" - }, - "uses_seh": { - "type": "boolean" - } - } - }, - "radius": { - "properties": { - "connect_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "framed_addr": { - "type": "ip" - }, - "logged": { - "type": "boolean" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote_ip": { - "type": "ip" - }, - "reply_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rdp": { - "properties": { 
- "cert": { - "properties": { - "count": { - "type": "long" - }, - "permanent": { - "type": "boolean" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cookie": { - "ignore_above": 1024, - "type": "keyword" - }, - "desktop": { - "properties": { - "color_depth": { - "ignore_above": 1024, - "type": "keyword" - }, - "height": { - "type": "long" - }, - "width": { - "type": "long" - } - } - }, - "done": { - "type": "boolean" - }, - "encryption": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "keyboard_layout": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl": { - "type": "boolean" - } - } - }, - "rfb": { - "properties": { - "auth": { - "properties": { - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "success": { - "type": "boolean" - } - } - }, - "desktop_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "height": { - "type": "long" - }, - "share_flag": { - "type": "boolean" - }, - "version": { - "properties": { - "client": { - "properties": { - "major": { - "ignore_above": 1024, - "type": "keyword" - }, - "minor": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "major": { - "ignore_above": 1024, - "type": "keyword" - }, - "minor": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "width": { - "type": "long" - } - } - }, - "session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature": { - "properties": { - "event_msg": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "host_count": { - "type": "long" - }, - "note": { - "ignore_above": 1024, - "type": "keyword" - }, - "sig_count": { - "type": "long" - }, - "sig_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_msg": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sip": { - "properties": { - "call_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "date": { - "ignore_above": 1024, - "type": "keyword" - }, - "reply_to": { - "ignore_above": 1024, - "type": "keyword" - }, - "request": { - "properties": { - "body_length": { - "type": "long" - }, - "from": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body_length": { - "type": "long" - }, - "from": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sequence": { - "properties": { - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "number": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "status": { - "properties": { - "code": { - "type": "long" - }, - "msg": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "transaction_depth": { - "type": "long" - }, - "uri": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "warning": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "smb_cmd": { - "properties": { - "argument": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": 
{ - "rx": { - "type": "ip" - }, - "tx": { - "type": "ip" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rtt": { - "type": "double" - }, - "smb1_offered_dialects": { - "ignore_above": 1024, - "type": "keyword" - }, - "smb2_offered_dialects": { - "type": "long" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_command": { - "ignore_above": 1024, - "type": "keyword" - }, - "tree": { - "ignore_above": 1024, - "type": "keyword" - }, - "tree_service": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "smb_files": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "fid": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "previous_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "times": { - "properties": { - "accessed": { - "type": "date" - }, - "changed": { - "type": "date" - }, - "created": { - "type": "date" - }, - "modified": { - "type": "date" - } - } - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "smb_mapping": { - "properties": { - "native_file_system": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "ignore_above": 1024, - "type": "keyword" - }, - "share_type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "smtp": { - "properties": { - "cc": { - "ignore_above": 1024, - "type": "keyword" - }, - "date": { - "type": "date" - }, - "first_received": { - "ignore_above": 1024, - "type": "keyword" - }, - "from": { - "ignore_above": 1024, - "type": "keyword" - }, - "fuids": { - "ignore_above": 1024, - "type": "keyword" 
- }, - "has_client_activity": { - "type": "boolean" - }, - "helo": { - "ignore_above": 1024, - "type": "keyword" - }, - "in_reply_to": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_webmail": { - "type": "boolean" - }, - "last_reply": { - "ignore_above": 1024, - "type": "keyword" - }, - "mail_from": { - "ignore_above": 1024, - "type": "keyword" - }, - "msg_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "type": "ip" - }, - "process_received_from": { - "type": "boolean" - }, - "rcpt_to": { - "ignore_above": 1024, - "type": "keyword" - }, - "reply_to": { - "ignore_above": 1024, - "type": "keyword" - }, - "second_received": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "tls": { - "type": "boolean" - }, - "to": { - "ignore_above": 1024, - "type": "keyword" - }, - "transaction_depth": { - "type": "long" - }, - "user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "x_originating_ip": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "snmp": { - "properties": { - "community": { - "ignore_above": 1024, - "type": "keyword" - }, - "display_string": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "double" - }, - "get": { - "properties": { - "bulk_requests": { - "type": "long" - }, - "requests": { - "type": "long" - }, - "responses": { - "type": "long" - } - } - }, - "set": { - "properties": { - "requests": { - "type": "long" - } - } - }, - "up_since": { - "type": "date" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "socks": { - "properties": { - "bound": { - "properties": { - "host": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - } - } - }, - "capture_password": { - "type": "boolean" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "request": { - "properties": { - "host": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { 
- "type": "long" - } - } - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - } - } - }, - "ssh": { - "properties": { - "algorithm": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "compression": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_key": { - "ignore_above": 1024, - "type": "keyword" - }, - "key_exchange": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "auth": { - "properties": { - "attempts": { - "type": "long" - }, - "success": { - "type": "boolean" - } - } - }, - "client": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_key": { - "ignore_above": 1024, - "type": "keyword" - }, - "server": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - } - } - }, - "ssl": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "cert_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert_chain_fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "last_alert": { - "ignore_above": 1024, - "type": "keyword" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "cert_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert_chain_fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "validation": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "stats": { - "properties": { - "bytes": { - "properties": { - "received": { - "type": "long" - } - } - }, - "connections": { - "properties": { - "icmp": { - 
"properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - } - }, - "tcp": { - "properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - } - }, - "udp": { - "properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - } - } - } - }, - "dns_requests": { - "properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - } - }, - "events": { - "properties": { - "processed": { - "type": "long" - }, - "queued": { - "type": "long" - } - } - }, - "files": { - "properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - } - }, - "memory": { - "type": "long" - }, - "packets": { - "properties": { - "dropped": { - "type": "long" - }, - "processed": { - "type": "long" - }, - "received": { - "type": "long" - } - } - }, - "peer": { - "ignore_above": 1024, - "type": "keyword" - }, - "reassembly_size": { - "properties": { - "file": { - "type": "long" - }, - "frag": { - "type": "long" - }, - "tcp": { - "type": "long" - }, - "unknown": { - "type": "long" - } - } - }, - "timers": { - "properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - } - }, - "timestamp_lag": { - "type": "long" - } - } - }, - "syslog": { - "properties": { - "facility": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tunnel": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "weird": { - "properties": { - "additional_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "notice": { - "type": "boolean" - }, - "peer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, 
- "x509": { - "properties": { - "basic_constraints": { - "properties": { - "certificate_authority": { - "type": "boolean" - }, - "path_length": { - "type": "long" - } - } - }, - "certificate": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "exponent": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "key": { - "properties": { - "algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "length": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serial": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "valid": { - "properties": { - "from": { - "type": "date" - }, - "until": { - "type": "date" - } - } - }, - "version": { - "type": "long" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_cert": { - "type": "boolean" - }, - "san": { - "properties": { - "dns": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "other_fields": { - "type": "boolean" - }, - "uri": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/ecs/snyk.json b/salt/elasticsearch/templates/component/ecs/snyk.json deleted file mode 100644 index a8ed3889d..000000000 --- a/salt/elasticsearch/templates/component/ecs/snyk.json +++ /dev/null 
@@ -1,147 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "snyk": { - "properties": { - "audit": { - "properties": { - "content": { - "type": "flattened" - }, - "org_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "projects": { - "type": "flattened" - }, - "related": { - "properties": { - "projects": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vulnerabilities": { - "properties": { - "credit": { - "ignore_above": 1024, - "type": "keyword" - }, - "cvss3": { - "ignore_above": 1024, - "type": "keyword" - }, - "disclosure_time": { - "type": "date" - }, - "exploit_maturity": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "identifiers": { - "properties": { - "alternative": { - "ignore_above": 1024, - "type": "keyword" - }, - "cwe": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "introduced_date": { - "type": "date" - }, - "is_fixed": { - "type": "boolean" - }, - "is_ignored": { - "type": "boolean" - }, - "is_patchable": { - "type": "boolean" - }, - "is_patched": { - "type": "boolean" - }, - "is_pinnable": { - "type": "boolean" - }, - "is_upgradable": { - "type": "boolean" - }, - "jira_issue_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_severity": { - "type": "long" - }, - "package": { - "ignore_above": 1024, - "type": "keyword" - }, - "package_manager": { - "ignore_above": 1024, - "type": "keyword" - }, - "patches": { - "type": "flattened" - }, - "priority_score": { - "type": "long" - }, - "publication_time": { - "type": "date" - }, - "reachability": { - "ignore_above": 1024, - "type": "keyword" - }, - "semver": { - "type": "flattened" - }, - "title": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "unique_severities_list": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - } -} From f9a50d33c3dc3789d052ddfae7e534dc23309e2f Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 8 Feb 2022 13:17:23 +0000 Subject: [PATCH 35/40] Add new templates --- .../component/ecs/elasticsearch.json | 25 + .../templates/component/ecs/kibana.json | 75 + .../templates/component/ecs/logstash.json | 99 + .../templates/component/ecs/netflow.json | 1423 ++++++++++ .../templates/component/ecs/suricata.json | 850 ++++++ .../templates/component/ecs/zeek.json | 2279 +++++++++++++++++ 6 files changed, 4751 insertions(+) create mode 100644 salt/elasticsearch/templates/component/ecs/elasticsearch.json create mode 100644 salt/elasticsearch/templates/component/ecs/kibana.json create mode 100644 salt/elasticsearch/templates/component/ecs/logstash.json create mode 100644 salt/elasticsearch/templates/component/ecs/netflow.json create mode 100644 salt/elasticsearch/templates/component/ecs/suricata.json create mode 100644 salt/elasticsearch/templates/component/ecs/zeek.json diff --git a/salt/elasticsearch/templates/component/ecs/elasticsearch.json b/salt/elasticsearch/templates/component/ecs/elasticsearch.json new file mode 100644 index 000000000..f409ed95a --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/elasticsearch.json @@ -0,0 +1,25 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "@timestamp": { + "type": "date" + }, + "labels": { + "type": "object" + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } +} \ No newline at end of file 
diff --git a/salt/elasticsearch/templates/component/ecs/kibana.json b/salt/elasticsearch/templates/component/ecs/kibana.json new file mode 100644 index 000000000..d1ea67de7 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/kibana.json @@ -0,0 +1,75 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "kibana": { + "properties": { + "add_to_spaces": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delete_from_spaces": { + "ignore_above": 1024, + "type": "keyword" + }, + "log": { + "properties": { + "meta": { + "type": "object" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "lookup_realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "saved_object": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "space_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/logstash.json b/salt/elasticsearch/templates/component/ecs/logstash.json new file mode 100644 index 000000000..ecfb17551 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/logstash.json 
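Review bot: `_meta.documentation` points at the ECS base page (`ecs-base.html`) although this component template carries Kibana-specific fields rather than ECS base fields; logstash.json, netflow.json and suricata.json in this commit carry the same value. A reader following that link to understand `kibana.authentication_realm` or `kibana.session_id` will not find them there. Since the `_meta` block is the only provenance these files carry, suggest pointing `documentation` at the actual source of these mappings (or dropping the key) and keeping `ecs_version` for the ECS-derived ones only.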
@@ -0,0 +1,99 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "logstash": { + "properties": { + "log": { + "properties": { + "log_event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "pipeline_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + "event": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_params": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_params_object": { + "type": "object" + }, + "plugin_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "took_in_millis": { + "type": "long" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/netflow.json b/salt/elasticsearch/templates/component/ecs/netflow.json new file mode 100644 index 000000000..10f34c3d4 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/netflow.json 
@@ -0,0 +1,1423 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "netflow": { + "properties": { + "absolute_error": { + "type": "double" + }, + "address_pool_high_threshold": { + "type": "long" + }, + "address_pool_low_threshold": { + "type": "long" + }, + "address_port_mapping_high_threshold": { + "type": "long" + }, + "address_port_mapping_low_threshold": { + "type": "long" + }, + "address_port_mapping_per_user_high_threshold": { + "type": "long" + }, + "anonymization_flags": { + "type": "long" + }, + "anonymization_technique": { + "type": "long" + }, + "application_category_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_group_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_id": { + "type": "short" + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_sub_category_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "bgp_destination_as_number": { + "type": "long" + }, + "bgp_next_adjacent_as_number": { + "type": "long" + }, + "bgp_next_hop_ipv4_address": { + "type": "ip" + }, + "bgp_next_hop_ipv6_address": { + "type": "ip" + }, + "bgp_prev_adjacent_as_number": { + "type": "long" + }, + "bgp_source_as_number": { + "type": "long" + }, + "bgp_validity_state": { + "type": "short" + }, + "biflow_direction": { + "type": "short" + }, + "class_id": { + "type": "long" + }, + "class_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification_engine_id": { + "type": "short" + }, + "collection_time_milliseconds": { + "type": "date" + }, + "collector_certificate": { + "type": "short" + }, + "collector_ipv4_address": { + "type": "ip" + }, + "collector_ipv6_address": { + "type": "ip" + }, + "collector_transport_port": { + "type": "long" + }, + 
"common_properties_id": { + "type": "long" + }, + "confidence_level": { + "type": "double" + }, + "connection_sum_duration_seconds": { + "type": "long" + }, + "connection_transaction_id": { + "type": "long" + }, + "data_link_frame_section": { + "type": "short" + }, + "data_link_frame_size": { + "type": "long" + }, + "data_link_frame_type": { + "type": "long" + }, + "data_records_reliability": { + "type": "boolean" + }, + "delta_flow_count": { + "type": "long" + }, + "destination_ipv4_address": { + "type": "ip" + }, + "destination_ipv4_prefix": { + "type": "ip" + }, + "destination_ipv4_prefix_length": { + "type": "short" + }, + "destination_ipv6_address": { + "type": "ip" + }, + "destination_ipv6_prefix": { + "type": "ip" + }, + "destination_ipv6_prefix_length": { + "type": "short" + }, + "destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_transport_port": { + "type": "long" + }, + "digest_hash_value": { + "type": "long" + }, + "distinct_count_of_destination_ip_address": { + "type": "long" + }, + "distinct_count_of_destination_ipv4_address": { + "type": "long" + }, + "distinct_count_of_destination_ipv6_address": { + "type": "long" + }, + "distinct_count_of_source_ip_address": { + "type": "long" + }, + "distinct_count_of_source_ipv4_address": { + "type": "long" + }, + "distinct_count_of_source_ipv6_address": { + "type": "long" + }, + "dot1q_customer_dei": { + "type": "boolean" + }, + "dot1q_customer_destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "dot1q_customer_priority": { + "type": "short" + }, + "dot1q_customer_source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "dot1q_customer_vlan_id": { + "type": "long" + }, + "dot1q_dei": { + "type": "boolean" + }, + "dot1q_priority": { + "type": "short" + }, + "dot1q_service_instance_id": { + "type": "long" + }, + "dot1q_service_instance_priority": { + "type": "short" + }, + "dot1q_service_instance_tag": { + "type": "short" + }, + 
"dot1q_vlan_id": { + "type": "long" + }, + "dropped_layer2_octet_delta_count": { + "type": "long" + }, + "dropped_layer2_octet_total_count": { + "type": "long" + }, + "dropped_octet_delta_count": { + "type": "long" + }, + "dropped_octet_total_count": { + "type": "long" + }, + "dropped_packet_delta_count": { + "type": "long" + }, + "dropped_packet_total_count": { + "type": "long" + }, + "dst_traffic_index": { + "type": "long" + }, + "egress_broadcast_packet_total_count": { + "type": "long" + }, + "egress_interface": { + "type": "long" + }, + "egress_interface_type": { + "type": "long" + }, + "egress_physical_interface": { + "type": "long" + }, + "egress_unicast_packet_total_count": { + "type": "long" + }, + "egress_vrfid": { + "type": "long" + }, + "encrypted_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "engine_id": { + "type": "short" + }, + "engine_type": { + "type": "short" + }, + "ethernet_header_length": { + "type": "short" + }, + "ethernet_payload_length": { + "type": "long" + }, + "ethernet_total_length": { + "type": "long" + }, + "ethernet_type": { + "type": "long" + }, + "export_interface": { + "type": "long" + }, + "export_protocol_version": { + "type": "short" + }, + "export_sctp_stream_id": { + "type": "long" + }, + "export_transport_protocol": { + "type": "short" + }, + "exported_flow_record_total_count": { + "type": "long" + }, + "exported_message_total_count": { + "type": "long" + }, + "exported_octet_total_count": { + "type": "long" + }, + "exporter": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_id": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "uptime_millis": { + "type": "long" + }, + "version": { + "type": "long" + } + } + }, + "exporter_certificate": { + "type": "short" + }, + "exporter_ipv4_address": { + "type": "ip" + }, + "exporter_ipv6_address": { + "type": "ip" + }, + "exporter_transport_port": { + "type": "long" + }, + "exporting_process_id": { + 
"type": "long" + }, + "external_address_realm": { + "type": "short" + }, + "firewall_event": { + "type": "short" + }, + "flags_and_sampler_id": { + "type": "long" + }, + "flow_active_timeout": { + "type": "long" + }, + "flow_direction": { + "type": "short" + }, + "flow_duration_microseconds": { + "type": "long" + }, + "flow_duration_milliseconds": { + "type": "long" + }, + "flow_end_delta_microseconds": { + "type": "long" + }, + "flow_end_microseconds": { + "type": "date" + }, + "flow_end_milliseconds": { + "type": "date" + }, + "flow_end_nanoseconds": { + "type": "date" + }, + "flow_end_reason": { + "type": "short" + }, + "flow_end_seconds": { + "type": "date" + }, + "flow_end_sys_up_time": { + "type": "long" + }, + "flow_id": { + "type": "long" + }, + "flow_idle_timeout": { + "type": "long" + }, + "flow_key_indicator": { + "type": "long" + }, + "flow_label_ipv6": { + "type": "long" + }, + "flow_sampling_time_interval": { + "type": "long" + }, + "flow_sampling_time_spacing": { + "type": "long" + }, + "flow_selected_flow_delta_count": { + "type": "long" + }, + "flow_selected_octet_delta_count": { + "type": "long" + }, + "flow_selected_packet_delta_count": { + "type": "long" + }, + "flow_selector_algorithm": { + "type": "long" + }, + "flow_start_delta_microseconds": { + "type": "long" + }, + "flow_start_microseconds": { + "type": "date" + }, + "flow_start_milliseconds": { + "type": "date" + }, + "flow_start_nanoseconds": { + "type": "date" + }, + "flow_start_seconds": { + "type": "date" + }, + "flow_start_sys_up_time": { + "type": "long" + }, + "forwarding_status": { + "type": "short" + }, + "fragment_flags": { + "type": "short" + }, + "fragment_identification": { + "type": "long" + }, + "fragment_offset": { + "type": "long" + }, + "global_address_mapping_high_threshold": { + "type": "long" + }, + "gre_key": { + "type": "long" + }, + "hash_digest_output": { + "type": "boolean" + }, + "hash_flow_domain": { + "type": "long" + }, + "hash_initialiser_value": { + "type": 
"long" + }, + "hash_ip_payload_offset": { + "type": "long" + }, + "hash_ip_payload_size": { + "type": "long" + }, + "hash_output_range_max": { + "type": "long" + }, + "hash_output_range_min": { + "type": "long" + }, + "hash_selected_range_max": { + "type": "long" + }, + "hash_selected_range_min": { + "type": "long" + }, + "http_content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_message_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_reason_phrase": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_target": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_status_code": { + "type": "long" + }, + "http_user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code_ipv4": { + "type": "short" + }, + "icmp_code_ipv6": { + "type": "short" + }, + "icmp_type_code_ipv4": { + "type": "long" + }, + "icmp_type_code_ipv6": { + "type": "long" + }, + "icmp_type_ipv4": { + "type": "short" + }, + "icmp_type_ipv6": { + "type": "short" + }, + "igmp_type": { + "type": "short" + }, + "ignored_data_record_total_count": { + "type": "long" + }, + "ignored_layer2_frame_total_count": { + "type": "long" + }, + "ignored_layer2_octet_total_count": { + "type": "long" + }, + "ignored_octet_total_count": { + "type": "long" + }, + "ignored_packet_total_count": { + "type": "long" + }, + "information_element_data_type": { + "type": "short" + }, + "information_element_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "information_element_id": { + "type": "long" + }, + "information_element_index": { + "type": "long" + }, + "information_element_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "information_element_range_begin": { + "type": "long" + }, + "information_element_range_end": { + "type": "long" + }, + "information_element_semantics": { 
+ "type": "short" + }, + "information_element_units": { + "type": "long" + }, + "ingress_broadcast_packet_total_count": { + "type": "long" + }, + "ingress_interface": { + "type": "long" + }, + "ingress_interface_type": { + "type": "long" + }, + "ingress_multicast_packet_total_count": { + "type": "long" + }, + "ingress_physical_interface": { + "type": "long" + }, + "ingress_unicast_packet_total_count": { + "type": "long" + }, + "ingress_vrfid": { + "type": "long" + }, + "initiator_octets": { + "type": "long" + }, + "initiator_packets": { + "type": "long" + }, + "interface_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "intermediate_process_id": { + "type": "long" + }, + "internal_address_realm": { + "type": "short" + }, + "ip_class_of_service": { + "type": "short" + }, + "ip_diff_serv_code_point": { + "type": "short" + }, + "ip_header_length": { + "type": "short" + }, + "ip_header_packet_section": { + "type": "short" + }, + "ip_next_hop_ipv4_address": { + "type": "ip" + }, + "ip_next_hop_ipv6_address": { + "type": "ip" + }, + "ip_payload_length": { + "type": "long" + }, + "ip_payload_packet_section": { + "type": "short" + }, + "ip_precedence": { + "type": "short" + }, + "ip_sec_spi": { + "type": "long" + }, + "ip_total_length": { + "type": "long" + }, + "ip_ttl": { + "type": "short" + }, + "ip_version": { + "type": "short" + }, + "ipv4_ihl": { + "type": "short" + }, + "ipv4_options": { + "type": "long" + }, + "ipv4_router_sc": { + "type": "ip" + }, + "ipv6_extension_headers": { + "type": "long" + }, + "is_multicast": { + "type": "short" + }, + "layer2_frame_delta_count": { + "type": "long" + }, + "layer2_frame_total_count": { + "type": "long" + }, + "layer2_octet_delta_count": { + "type": "long" + }, + "layer2_octet_delta_sum_of_squares": { + "type": "long" + }, + "layer2_octet_total_count": { + "type": "long" + }, + "layer2_octet_total_sum_of_squares": { + "type": "long" + }, 
+ "layer2_segment_id": { + "type": "long" + }, + "layer2packet_section_data": { + "type": "short" + }, + "layer2packet_section_offset": { + "type": "long" + }, + "layer2packet_section_size": { + "type": "long" + }, + "line_card_id": { + "type": "long" + }, + "lower_ci_limit": { + "type": "double" + }, + "max_bib_entries": { + "type": "long" + }, + "max_entries_per_user": { + "type": "long" + }, + "max_export_seconds": { + "type": "date" + }, + "max_flow_end_microseconds": { + "type": "date" + }, + "max_flow_end_milliseconds": { + "type": "date" + }, + "max_flow_end_nanoseconds": { + "type": "date" + }, + "max_flow_end_seconds": { + "type": "date" + }, + "max_fragments_pending_reassembly": { + "type": "long" + }, + "max_session_entries": { + "type": "long" + }, + "max_subscribers": { + "type": "long" + }, + "maximum_ip_total_length": { + "type": "long" + }, + "maximum_layer2_total_length": { + "type": "long" + }, + "maximum_ttl": { + "type": "short" + }, + "message_md5_checksum": { + "type": "short" + }, + "message_scope": { + "type": "short" + }, + "metering_process_id": { + "type": "long" + }, + "metro_evc_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "metro_evc_type": { + "type": "short" + }, + "mib_capture_time_semantics": { + "type": "short" + }, + "mib_context_engine_id": { + "type": "short" + }, + "mib_context_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_index_indicator": { + "type": "long" + }, + "mib_module_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_identifier": { + "type": "short" + }, + "mib_object_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_syntax": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_value_bits": { + "type": "short" + }, + "mib_object_value_counter": { + "type": "long" + }, + "mib_object_value_gauge": { + "type": "long" + }, + "mib_object_value_integer": { + 
"type": "long" + }, + "mib_object_value_ip_address": { + "type": "ip" + }, + "mib_object_value_octet_string": { + "type": "short" + }, + "mib_object_value_oid": { + "type": "short" + }, + "mib_object_value_time_ticks": { + "type": "long" + }, + "mib_object_value_unsigned": { + "type": "long" + }, + "mib_sub_identifier": { + "type": "long" + }, + "min_export_seconds": { + "type": "date" + }, + "min_flow_start_microseconds": { + "type": "date" + }, + "min_flow_start_milliseconds": { + "type": "date" + }, + "min_flow_start_nanoseconds": { + "type": "date" + }, + "min_flow_start_seconds": { + "type": "date" + }, + "minimum_ip_total_length": { + "type": "long" + }, + "minimum_layer2_total_length": { + "type": "long" + }, + "minimum_ttl": { + "type": "short" + }, + "mobile_imsi": { + "ignore_above": 1024, + "type": "keyword" + }, + "mobile_msisdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitoring_interval_end_milli_seconds": { + "type": "date" + }, + "monitoring_interval_start_milli_seconds": { + "type": "date" + }, + "mpls_label_stack_depth": { + "type": "long" + }, + "mpls_label_stack_length": { + "type": "long" + }, + "mpls_label_stack_section": { + "type": "short" + }, + "mpls_label_stack_section10": { + "type": "short" + }, + "mpls_label_stack_section2": { + "type": "short" + }, + "mpls_label_stack_section3": { + "type": "short" + }, + "mpls_label_stack_section4": { + "type": "short" + }, + "mpls_label_stack_section5": { + "type": "short" + }, + "mpls_label_stack_section6": { + "type": "short" + }, + "mpls_label_stack_section7": { + "type": "short" + }, + "mpls_label_stack_section8": { + "type": "short" + }, + "mpls_label_stack_section9": { + "type": "short" + }, + "mpls_payload_length": { + "type": "long" + }, + "mpls_payload_packet_section": { + "type": "short" + }, + "mpls_top_label_exp": { + "type": "short" + }, + "mpls_top_label_ipv4_address": { + "type": "ip" + }, + "mpls_top_label_ipv6_address": { + "type": "ip" + }, + 
"mpls_top_label_prefix_length": { + "type": "short" + }, + "mpls_top_label_stack_section": { + "type": "short" + }, + "mpls_top_label_ttl": { + "type": "short" + }, + "mpls_top_label_type": { + "type": "short" + }, + "mpls_vpn_route_distinguisher": { + "type": "short" + }, + "multicast_replication_factor": { + "type": "long" + }, + "nat_event": { + "type": "short" + }, + "nat_instance_id": { + "type": "long" + }, + "nat_originating_address_realm": { + "type": "short" + }, + "nat_pool_id": { + "type": "long" + }, + "nat_pool_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_quota_exceeded_event": { + "type": "long" + }, + "nat_threshold_event": { + "type": "long" + }, + "nat_type": { + "type": "short" + }, + "new_connection_delta_count": { + "type": "long" + }, + "next_header_ipv6": { + "type": "short" + }, + "not_sent_flow_total_count": { + "type": "long" + }, + "not_sent_layer2_octet_total_count": { + "type": "long" + }, + "not_sent_octet_total_count": { + "type": "long" + }, + "not_sent_packet_total_count": { + "type": "long" + }, + "observation_domain_id": { + "type": "long" + }, + "observation_domain_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observation_point_id": { + "type": "long" + }, + "observation_point_type": { + "type": "short" + }, + "observation_time_microseconds": { + "type": "date" + }, + "observation_time_milliseconds": { + "type": "date" + }, + "observation_time_nanoseconds": { + "type": "date" + }, + "observation_time_seconds": { + "type": "date" + }, + "observed_flow_total_count": { + "type": "long" + }, + "octet_delta_count": { + "type": "long" + }, + "octet_delta_sum_of_squares": { + "type": "long" + }, + "octet_total_count": { + "type": "long" + }, + "octet_total_sum_of_squares": { + "type": "long" + }, + "opaque_octets": { + "type": "short" + }, + "original_exporter_ipv4_address": { + "type": "ip" + }, + "original_exporter_ipv6_address": { + "type": "ip" + }, + "original_flows_completed": { + "type": "long" + 
}, + "original_flows_initiated": { + "type": "long" + }, + "original_flows_present": { + "type": "long" + }, + "original_observation_domain_id": { + "type": "long" + }, + "p2p_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_delta_count": { + "type": "long" + }, + "packet_total_count": { + "type": "long" + }, + "padding_octets": { + "type": "short" + }, + "payload_length_ipv6": { + "type": "long" + }, + "port_id": { + "type": "long" + }, + "port_range_end": { + "type": "long" + }, + "port_range_num_ports": { + "type": "long" + }, + "port_range_start": { + "type": "long" + }, + "port_range_step_size": { + "type": "long" + }, + "post_destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "post_dot1q_customer_vlan_id": { + "type": "long" + }, + "post_dot1q_vlan_id": { + "type": "long" + }, + "post_ip_class_of_service": { + "type": "short" + }, + "post_ip_diff_serv_code_point": { + "type": "short" + }, + "post_ip_precedence": { + "type": "short" + }, + "post_layer2_octet_delta_count": { + "type": "long" + }, + "post_layer2_octet_total_count": { + "type": "long" + }, + "post_mcast_layer2_octet_delta_count": { + "type": "long" + }, + "post_mcast_layer2_octet_total_count": { + "type": "long" + }, + "post_mcast_octet_delta_count": { + "type": "long" + }, + "post_mcast_octet_total_count": { + "type": "long" + }, + "post_mcast_packet_delta_count": { + "type": "long" + }, + "post_mcast_packet_total_count": { + "type": "long" + }, + "post_mpls_top_label_exp": { + "type": "short" + }, + "post_napt_destination_transport_port": { + "type": "long" + }, + "post_napt_source_transport_port": { + "type": "long" + }, + "post_nat_destination_ipv4_address": { + "type": "ip" + }, + "post_nat_destination_ipv6_address": { + "type": "ip" + }, + "post_nat_source_ipv4_address": { + "type": "ip" + }, + "post_nat_source_ipv6_address": { + "type": "ip" + }, + "post_octet_delta_count": { + "type": "long" + }, + "post_octet_total_count": { + "type": 
"long" + }, + "post_packet_delta_count": { + "type": "long" + }, + "post_packet_total_count": { + "type": "long" + }, + "post_source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "post_vlan_id": { + "type": "long" + }, + "private_enterprise_number": { + "type": "long" + }, + "protocol_identifier": { + "type": "short" + }, + "pseudo_wire_control_word": { + "type": "long" + }, + "pseudo_wire_destination_ipv4_address": { + "type": "ip" + }, + "pseudo_wire_id": { + "type": "long" + }, + "pseudo_wire_type": { + "type": "long" + }, + "relative_error": { + "type": "double" + }, + "responder_octets": { + "type": "long" + }, + "responder_packets": { + "type": "long" + }, + "rfc3550_jitter_microseconds": { + "type": "long" + }, + "rfc3550_jitter_milliseconds": { + "type": "long" + }, + "rfc3550_jitter_nanoseconds": { + "type": "long" + }, + "rtp_sequence_number": { + "type": "long" + }, + "sampler_id": { + "type": "short" + }, + "sampler_mode": { + "type": "short" + }, + "sampler_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sampler_random_interval": { + "type": "long" + }, + "sampling_algorithm": { + "type": "short" + }, + "sampling_flow_interval": { + "type": "long" + }, + "sampling_flow_spacing": { + "type": "long" + }, + "sampling_interval": { + "type": "long" + }, + "sampling_packet_interval": { + "type": "long" + }, + "sampling_packet_space": { + "type": "long" + }, + "sampling_population": { + "type": "long" + }, + "sampling_probability": { + "type": "double" + }, + "sampling_size": { + "type": "long" + }, + "sampling_time_interval": { + "type": "long" + }, + "sampling_time_space": { + "type": "long" + }, + "section_exported_octets": { + "type": "long" + }, + "section_offset": { + "type": "long" + }, + "selection_sequence_id": { + "type": "long" + }, + "selector_algorithm": { + "type": "long" + }, + "selector_id": { + "type": "long" + }, + "selector_id_total_flows_observed": { + "type": "long" + }, + 
"selector_id_total_flows_selected": { + "type": "long" + }, + "selector_id_total_pkts_observed": { + "type": "long" + }, + "selector_id_total_pkts_selected": { + "type": "long" + }, + "selector_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_scope": { + "type": "short" + }, + "source_ipv4_address": { + "type": "ip" + }, + "source_ipv4_prefix": { + "type": "ip" + }, + "source_ipv4_prefix_length": { + "type": "short" + }, + "source_ipv6_address": { + "type": "ip" + }, + "source_ipv6_prefix": { + "type": "ip" + }, + "source_ipv6_prefix_length": { + "type": "short" + }, + "source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_transport_port": { + "type": "long" + }, + "source_transport_ports_limit": { + "type": "long" + }, + "src_traffic_index": { + "type": "long" + }, + "sta_ipv4_address": { + "type": "ip" + }, + "sta_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "system_init_time_milliseconds": { + "type": "date" + }, + "tcp_ack_total_count": { + "type": "long" + }, + "tcp_acknowledgement_number": { + "type": "long" + }, + "tcp_control_bits": { + "type": "long" + }, + "tcp_destination_port": { + "type": "long" + }, + "tcp_fin_total_count": { + "type": "long" + }, + "tcp_header_length": { + "type": "short" + }, + "tcp_options": { + "type": "long" + }, + "tcp_psh_total_count": { + "type": "long" + }, + "tcp_rst_total_count": { + "type": "long" + }, + "tcp_sequence_number": { + "type": "long" + }, + "tcp_source_port": { + "type": "long" + }, + "tcp_syn_total_count": { + "type": "long" + }, + "tcp_urg_total_count": { + "type": "long" + }, + "tcp_urgent_pointer": { + "type": "long" + }, + "tcp_window_scale": { + "type": "long" + }, + "tcp_window_size": { + "type": "long" + }, + "template_id": { + "type": "long" + }, + "total_length_ipv4": { + "type": "long" + }, + "transport_octet_delta_count": { + "type": "long" + }, + "transport_packet_delta_count": { + "type": "long" + }, + "tunnel_technology": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "udp_destination_port": { + "type": "long" + }, + "udp_message_length": { + "type": "long" + }, + "udp_source_port": { + "type": "long" + }, + "upper_ci_limit": { + "type": "double" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "value_distribution_method": { + "type": "short" + }, + "virtual_station_interface_id": { + "type": "short" + }, + "virtual_station_interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_station_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_station_uuid": { + "type": "short" + }, + "vlan_id": { + "type": "long" + }, + "vpn_identifier": { + "type": "short" + }, + "vr_fname": { + "ignore_above": 1024, + "type": "keyword" + }, + "wlan_channel_id": { + "type": "short" + }, + "wlan_ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "wtp_mac_address": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/suricata.json b/salt/elasticsearch/templates/component/ecs/suricata.json new file mode 100644 index 000000000..d824294e9 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/suricata.json 
@@ -0,0 +1,850 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "suricata": { + "properties": { + "eve": { + "properties": { + "alert": { + "properties": { + "affected_product": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack_target": { + "ignore_above": 1024, + "type": "keyword" + }, + "capec_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + "cve": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v2_base": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v2_temporal": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v3_base": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v3_temporal": { + "ignore_above": 1024, + "type": "keyword" + }, + "cwe_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "deployment": { + "ignore_above": 1024, + "type": "keyword" + }, + "former_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "type": "long" + }, + "hostile": { + "ignore_above": 1024, + "type": "keyword" + }, + "infected": { + "ignore_above": 1024, + "type": "keyword" + }, + "malware": { + "ignore_above": 1024, + "type": "keyword" + }, + "metadata": { + "type": "flattened" + }, + "mitre_tool_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "performance_impact": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocols": { + "ignore_above": 1024, + "type": "keyword" + }, + "rev": { + "type": "long" + }, + "rule_source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sid": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"signature_id": { + "type": "long" + }, + "signature_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "updated_at": { + "type": "date" + } + } + }, + "app_proto_expected": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_orig": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_tc": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_ts": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns": { + "properties": { + "id": { + "type": "long" + }, + "rcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "rrname": { + "ignore_above": 1024, + "type": "keyword" + }, + "rrtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "tx_id": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileinfo": { + "properties": { + "gaps": { + "type": "boolean" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "stored": { + "type": "boolean" + }, + "tx_id": { + "type": "long" + } + } + }, + "flow": { + "properties": { + "age": { + "type": "long" + }, + "alerted": { + "type": "boolean" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flow_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "http": { + "properties": { + "http_content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"redirect": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "icmp_code": { + "type": "long" + }, + "icmp_type": { + "type": "long" + }, + "in_iface": { + "ignore_above": 1024, + "type": "keyword" + }, + "pcap_cnt": { + "type": "long" + }, + "smtp": { + "properties": { + "helo": { + "ignore_above": 1024, + "type": "keyword" + }, + "mail_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcpt_to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ssh": { + "properties": { + "client": { + "properties": { + "proto_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "proto_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "stats": { + "properties": { + "app_layer": { + "properties": { + "flow": { + "properties": { + "dcerpc_tcp": { + "type": "long" + }, + "dcerpc_udp": { + "type": "long" + }, + "dns_tcp": { + "type": "long" + }, + "dns_udp": { + "type": "long" + }, + "failed_tcp": { + "type": "long" + }, + "failed_udp": { + "type": "long" + }, + "ftp": { + "type": "long" + }, + "http": { + "type": "long" + }, + "imap": { + "type": "long" + }, + "msn": { + "type": "long" + }, + "smb": { + "type": "long" + }, + "smtp": { + "type": "long" + }, + "ssh": { + "type": "long" + }, + "tls": { + "type": "long" + } + } + }, + "tx": { + "properties": { + "dcerpc_tcp": { + "type": "long" + }, + "dcerpc_udp": { + "type": "long" + }, + "dns_tcp": { + "type": "long" + }, + "dns_udp": { + "type": "long" + }, + "ftp": { + "type": "long" + }, + "http": { + "type": "long" + }, + "smb": { + "type": "long" + }, + "smtp": { + "type": "long" + }, + "ssh": { + "type": "long" + }, + "tls": { + "type": "long" + } + } + } + } + }, + "capture": { + "properties": { + "kernel_drops": { + "type": "long" + }, + "kernel_ifdrops": { + "type": 
"long" + }, + "kernel_packets": { + "type": "long" + } + } + }, + "decoder": { + "properties": { + "avg_pkt_size": { + "type": "long" + }, + "bytes": { + "type": "long" + }, + "dce": { + "properties": { + "pkt_too_small": { + "type": "long" + } + } + }, + "erspan": { + "type": "long" + }, + "ethernet": { + "type": "long" + }, + "gre": { + "type": "long" + }, + "icmpv4": { + "type": "long" + }, + "icmpv6": { + "type": "long" + }, + "ieee8021ah": { + "type": "long" + }, + "invalid": { + "type": "long" + }, + "ipraw": { + "properties": { + "invalid_ip_version": { + "type": "long" + } + } + }, + "ipv4": { + "type": "long" + }, + "ipv4_in_ipv6": { + "type": "long" + }, + "ipv6": { + "type": "long" + }, + "ipv6_in_ipv6": { + "type": "long" + }, + "ltnull": { + "properties": { + "pkt_too_small": { + "type": "long" + }, + "unsupported_type": { + "type": "long" + } + } + }, + "max_pkt_size": { + "type": "long" + }, + "mpls": { + "type": "long" + }, + "null": { + "type": "long" + }, + "pkts": { + "type": "long" + }, + "ppp": { + "type": "long" + }, + "pppoe": { + "type": "long" + }, + "raw": { + "type": "long" + }, + "sctp": { + "type": "long" + }, + "sll": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "teredo": { + "type": "long" + }, + "udp": { + "type": "long" + }, + "vlan": { + "type": "long" + }, + "vlan_qinq": { + "type": "long" + } + } + }, + "defrag": { + "properties": { + "ipv4": { + "properties": { + "fragments": { + "type": "long" + }, + "reassembled": { + "type": "long" + }, + "timeouts": { + "type": "long" + } + } + }, + "ipv6": { + "properties": { + "fragments": { + "type": "long" + }, + "reassembled": { + "type": "long" + }, + "timeouts": { + "type": "long" + } + } + }, + "max_frag_hits": { + "type": "long" + } + } + }, + "detect": { + "properties": { + "alert": { + "type": "long" + } + } + }, + "dns": { + "properties": { + "memcap_global": { + "type": "long" + }, + "memcap_state": { + "type": "long" + }, + "memuse": { + "type": "long" + } + } + 
}, + "file_store": { + "properties": { + "open_files": { + "type": "long" + } + } + }, + "flow": { + "properties": { + "emerg_mode_entered": { + "type": "long" + }, + "emerg_mode_over": { + "type": "long" + }, + "icmpv4": { + "type": "long" + }, + "icmpv6": { + "type": "long" + }, + "memcap": { + "type": "long" + }, + "memuse": { + "type": "long" + }, + "spare": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "tcp_reuse": { + "type": "long" + }, + "udp": { + "type": "long" + } + } + }, + "flow_mgr": { + "properties": { + "bypassed_pruned": { + "type": "long" + }, + "closed_pruned": { + "type": "long" + }, + "est_pruned": { + "type": "long" + }, + "flows_checked": { + "type": "long" + }, + "flows_notimeout": { + "type": "long" + }, + "flows_removed": { + "type": "long" + }, + "flows_timeout": { + "type": "long" + }, + "flows_timeout_inuse": { + "type": "long" + }, + "new_pruned": { + "type": "long" + }, + "rows_busy": { + "type": "long" + }, + "rows_checked": { + "type": "long" + }, + "rows_empty": { + "type": "long" + }, + "rows_maxlen": { + "type": "long" + }, + "rows_skipped": { + "type": "long" + } + } + }, + "http": { + "properties": { + "memcap": { + "type": "long" + }, + "memuse": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "insert_data_normal_fail": { + "type": "long" + }, + "insert_data_overlap_fail": { + "type": "long" + }, + "insert_list_fail": { + "type": "long" + }, + "invalid_checksum": { + "type": "long" + }, + "memuse": { + "type": "long" + }, + "no_flow": { + "type": "long" + }, + "overlap": { + "type": "long" + }, + "overlap_diff_data": { + "type": "long" + }, + "pseudo": { + "type": "long" + }, + "pseudo_failed": { + "type": "long" + }, + "reassembly_gap": { + "type": "long" + }, + "reassembly_memuse": { + "type": "long" + }, + "rst": { + "type": "long" + }, + "segment_memcap_drop": { + "type": "long" + }, + "sessions": { + "type": "long" + }, + "ssn_memcap_drop": { + "type": "long" + }, + "stream_depth_reached": { + 
"type": "long" + }, + "syn": { + "type": "long" + }, + "synack": { + "type": "long" + } + } + }, + "uptime": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "ack": { + "type": "boolean" + }, + "fin": { + "type": "boolean" + }, + "psh": { + "type": "boolean" + }, + "rst": { + "type": "boolean" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "syn": { + "type": "boolean" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_tc": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_ts": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tls": { + "properties": { + "fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuerdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ja3s": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "notafter": { + "type": "date" + }, + "notbefore": { + "type": "date" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_resumed": { + "type": "boolean" + }, + "sni": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tx_id": { + "type": "long" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/zeek.json b/salt/elasticsearch/templates/component/ecs/zeek.json new file mode 100644 index 000000000..720199001 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/zeek.json 
@@ -0,0 +1,2279 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "zeek": {
+ "properties": {
+ "capture_loss": {
+ "properties": {
+ "acks": {
+ "type": "long"
+ },
+ "gaps": {
+ "type": "long"
+ },
+ "peer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "percent_lost": {
+ "type": "double"
+ },
+ "ts_delta": {
+ "type": "long"
+ }
+ }
+ },
+ "connection": {
+ "properties": {
+ "history": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "icmp": {
+ "properties": {
+ "code": {
+ "type": "long"
+ },
+ "type": {
+ "type": "long"
+ }
+ }
+ },
+ "inner_vlan": {
+ "type": "long"
+ },
+ "local_orig": {
+ "type": "boolean"
+ },
+ "local_resp": {
+ "type": "boolean"
+ },
+ "missed_bytes": {
+ "type": "long"
+ },
+ "state": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "state_message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "vlan": {
+ "type": "long"
+ }
+ }
+ },
+ "dce_rpc": {
+ "properties": {
+ "endpoint": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "named_pipe": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "operation": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rtt": {
+ "type": "long"
+ }
+ }
+ },
+ "dhcp": {
+ "properties": {
+ "address": {
+ "properties": {
+ "assigned": {
+ "type": "ip"
+ },
+ "client": {
+ "type": "ip"
+ },
+ "mac": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "requested": {
+ "type": "ip"
+ },
+ "server": {
+ "type": "ip"
+ }
+ }
+ },
+ "client_fqdn": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "duration": {
+ "type": "double"
+ },
+ "hostname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "properties": {
+ "circuit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "remote_agent": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subscriber": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "lease_time": {
+ "type": "long"
+ },
+ "msg": {
+ "properties": {
+ "client": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "origin": {
+ "type": "ip"
+ },
+ "server": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "types": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "software": {
+ "properties": {
+ "client": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "server": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "dnp3": {
+ "properties": {
+ "function": {
+ "properties": {
+ "reply": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "request": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "id": {
+ "type": "long"
+ }
+ }
+ },
+ "dns": {
+ "properties": {
+ "AA": {
+ "type": "boolean"
+ },
+ "RA": {
+ "type": "boolean"
+ },
+ "RD": {
+ "type": "boolean"
+ },
+ "TC": {
+ "type": "boolean"
+ },
+ "TTLs": {
+ "type": "double"
+ },
+ "answers": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "qclass": {
+ "type": "long"
+ },
+ "qclass_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "qtype": {
+ "type": "long"
+ },
+ "qtype_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "query": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rcode": {
+ "type": "long"
+ },
+ "rcode_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rejected": {
+ "type": "boolean"
+ },
+ "rtt": {
+ "type": "double"
+ },
+ "saw_query": {
+ "type": "boolean"
+ },
+ "saw_reply": {
+ "type": "boolean"
+ },
+ "total_answers": {
+ "type": "long"
+ },
+ "total_replies": {
+ "type": "long"
+ },
+ "trans_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "dpd": {
+ "properties": {
+ "analyzer": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "failure_reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "packet_segment": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "files": {
+ "properties": {
+ "analyzers": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "depth": {
+ "type": "long"
+ },
+ "duration": {
+ "type": "double"
+ },
+ "entropy": {
+ "type": "double"
+ },
+ "extracted": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "extracted_cutoff": {
+ "type": "boolean"
+ },
+ "extracted_size": {
+ "type": "long"
+ },
+ "filename": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "is_orig": {
+ "type": "boolean"
+ },
+ "local_orig": {
+ "type": "boolean"
+ },
+ "md5": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mime_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "missing_bytes": {
+ "type": "long"
+ },
+ "overflow_bytes": {
+ "type": "long"
+ },
+ "parent_fuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rx_host": {
+ "type": "ip"
+ },
+ "seen_bytes": {
+ "type": "long"
+ },
+ "session_ids": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha1": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sha256": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "timedout": {
+ "type": "boolean"
+ },
+ "total_bytes": {
+ "type": "long"
+ },
+ "tx_host": {
+ "type": "ip"
+ }
+ }
+ },
+ "ftp": {
+ "properties": {
+ "arg": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "capture_password": {
+ "type": "boolean"
+ },
+ "cmdarg": {
+ "properties": {
+ "arg": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cmd": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "seq": {
+ "type": "long"
+ }
+ }
+ },
+ "command": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cwd": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "data_channel": {
+ "properties": {
+ "originating_host": {
+ "type": "ip"
+ },
+ "passive": {
+ "type": "boolean"
+ },
+ "response_host": {
+ "type": "ip"
+ },
+ "response_port": {
+ "type": "long"
+ }
+ }
+ },
+ "file": {
+ "properties": {
+ "fuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mime_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "size": {
+ "type": "long"
+ }
+ }
+ },
+ "last_auth_requested": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "passive": {
+ "type": "boolean"
+ },
+ "password": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "pending_commands": {
+ "type": "long"
+ },
+ "reply": {
+ "properties": {
+ "code": {
+ "type": "long"
+ },
+ "msg": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "user": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "http": {
+ "properties": {
+ "captured_password": {
+ "type": "boolean"
+ },
+ "client_header_names": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "info_code": {
+ "type": "long"
+ },
+ "info_msg": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "orig_filenames": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "orig_fuids": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "orig_mime_depth": {
+ "type": "long"
+ },
+ "orig_mime_types": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "password": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "proxied": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "range_request": {
+ "type": "boolean"
+ },
+ "resp_filenames": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "resp_fuids": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "resp_mime_depth": {
+ "type": "long"
+ },
+ "resp_mime_types": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "server_header_names": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status_msg": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tags": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "trans_depth": {
+ "type": "long"
+ }
+ }
+ },
+ "intel": {
+ "properties": {
+ "file_desc": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file_mime_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "matched": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "seen": {
+ "properties": {
+ "conn": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "f": {
+ "type": "object"
+ },
+ "fuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "host": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "indicator": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "indicator_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "node": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "where": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "sources": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "irc": {
+ "properties": {
+ "addl": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "command": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dcc": {
+ "properties": {
+ "file": {
+ "properties": {
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "size": {
+ "type": "long"
+ }
+ }
+ },
+ "mime_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "fuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "nick": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "kerberos": {
+ "properties": {
+ "cert": {
+ "properties": {
+ "client": {
+ "properties": {
+ "fuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "server": {
+ "properties": {
+ "fuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "value": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "cipher": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "client": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "error": {
+ "properties": {
+ "code": {
+ "type": "long"
+ },
+ "msg": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "forwardable": {
+ "type": "boolean"
+ },
+ "renewable": {
+ "type": "boolean"
+ },
+ "request_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "service": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "success": {
+ "type": "boolean"
+ },
+ "ticket": {
+ "properties": {
+ "auth": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "new": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "valid": {
+ "properties": {
+ "days": {
+ "type": "long"
+ },
+ "from": {
+ "type": "date"
+ },
+ "until": {
+ "type": "date"
+ }
+ }
+ }
+ }
+ },
+ "modbus": {
+ "properties": {
+ "exception": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "function": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "track_address": {
+ "type": "long"
+ }
+ }
+ },
+ "mysql": {
+ "properties": {
+ "arg": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cmd": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "response": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "rows": {
+ "type": "long"
+ },
+ "success": {
+ "type": "boolean"
+ }
+ }
+ },
+ "notice": {
+ "properties": {
+ "actions": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "connection_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "dropped": {
+ "type": "boolean"
+ },
+ "email_body_sections": {
+ "norms": false,
+ "type": "text"
+ },
+ "email_delay_tokens": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "false": {
+ "type": "long"
+ },
+ "ffile": {
+ "properties": {
+ "total_bytes": {
+ "type": "long"
+ }
+ }
+ },
+ "file": {
+ "properties": {
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "is_orig": {
+ "type": "boolean"
+ },
+ "mime_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "missing_bytes": {
+ "type": "long"
+ },
+ "overflow_bytes": {
+ "type": "long"
+ },
+ "parent_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "seen_bytes": {
+ "type": "long"
+ },
+ "source": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "fuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "icmp_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "identifier": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "msg": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "note": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "peer_descr": {
+ "norms": false,
+ "type": "text"
+ },
+ "peer_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "suppress_for": {
+ "type": "double"
+ }
+ }
+ },
+ "ntlm": {
+ "properties": {
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "hostname": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "server": {
+ "properties": {
+ "name": {
+ "properties": {
+ "dns": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "netbios": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tree": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "success": {
+ "type": "boolean"
+ },
+ "username": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "ntp": {
+ "properties": {
+ "mode": {
+ "type": "long"
+ },
+ "num_exts": {
+ "type": "long"
+ },
+ "org_time": {
+ "type": "date"
+ },
+ "poll": {
+ "type": "double"
+ },
+ "precision": {
+ "type": "double"
+ },
+ "rec_time": {
+ "type": "date"
+ },
+ "ref_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ref_time": {
+ "type": "date"
+ },
+ "root_delay": {
+ "type": "double"
+ },
+ "root_disp": {
+ "type": "double"
+ },
+ "stratum": {
+ "type": "long"
+ },
+ "version": {
+ "type": "long"
+ },
+ "xmt_time": {
+ "type": "date"
+ }
+ }
+ },
+ "ocsp": {
+ "properties": {
+ "file_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "hash": {
+ "properties": {
+ "algorithm": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "issuer": {
+ "properties": {
+ "key": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "revoke": {
+ "properties": {
+ "reason": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "time": {
+ "type": "date"
+ }
+ }
+ },
+ "serial_number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "update": {
+ "properties": {
+ "next": {
+ "type": "date"
+ },
+ "this": {
+ "type": "date"
+ }
+ }
+ }
+ }
+ },
+ "pe": {
+ "properties": {
+ "client": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "compile_time": {
+ "type": "date"
+ },
+ "has_cert_table": {
+ "type": "boolean"
+ },
+ "has_debug_data": {
+ "type": "boolean"
+ },
+ "has_export_table": {
+ "type": "boolean"
+ },
+ "has_import_table": {
+ "type": "boolean"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "is_64bit": {
+ "type": "boolean"
+ },
+ "is_exe": {
+ "type": "boolean"
+ },
+ "machine": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "os": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "section_names": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subsystem": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "uses_aslr": {
+ "type": "boolean"
+ },
+ "uses_code_integrity": {
+ "type": "boolean"
+ },
+ "uses_dep": {
+ "type": "boolean"
+ },
+ "uses_seh": {
+ "type": "boolean"
+ }
+ }
+ },
+ "radius": {
+ "properties": {
+ "connect_info": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "framed_addr": {
+ "type": "ip"
+ },
+ "logged": {
+ "type": "boolean"
+ },
+ "mac": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "remote_ip": {
+ "type": "ip"
+ },
+ "reply_msg": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "result": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ttl": {
+ "type": "long"
+ },
+ "username": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "rdp": {
+ "properties": {
+ "cert": {
+ "properties": {
+ "count": {
+ "type": "long"
+ },
+ "permanent": {
+ "type": "boolean"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "client": {
+ "properties": {
+ "build": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "client_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "product_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "cookie": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "desktop": {
+ "properties": {
+ "color_depth": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "height": {
+ "type": "long"
+ },
+ "width": {
+ "type": "long"
+ }
+ }
+ },
+ "done": {
+ "type": "boolean"
+ },
+ "encryption": {
+ "properties": {
+ "level": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "method": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "keyboard_layout": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "result": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "security_protocol": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ssl": {
+ "type": "boolean"
+ }
+ }
+ },
+ "rfb": {
+ "properties": {
+ "auth": {
+ "properties": {
+ "method": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "success": {
+ "type": "boolean"
+ }
+ }
+ },
+ "desktop_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "height": {
+ "type": "long"
+ },
+ "share_flag": {
+ "type": "boolean"
+ },
+ "version": {
+ "properties": {
+ "client": {
+ "properties": {
+ "major": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "minor": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "server": {
+ "properties": {
+ "major": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "minor": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "width": {
+ "type": "long"
+ }
+ }
+ },
+ "session_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "signature": {
+ "properties": {
+ "event_msg": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "host_count": {
+ "type": "long"
+ },
+ "note": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sig_count": {
+ "type": "long"
+ },
+ "sig_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_msg": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "sip": {
+ "properties": {
+ "call_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "content_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "date": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reply_to": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "request": {
+ "properties": {
+ "body_length": {
+ "type": "long"
+ },
+ "from": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "to": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "response": {
+ "properties": {
+ "body_length": {
+ "type": "long"
+ },
+ "from": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "to": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "sequence": {
+ "properties": {
+ "method": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "number": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "status": {
+ "properties": {
+ "code": {
+ "type": "long"
+ },
+ "msg": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "subject": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "transaction_depth": {
+ "type": "long"
+ },
+ "uri": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_agent": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "warning": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "smb_cmd": {
+ "properties": {
+ "argument": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "command": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "file": {
+ "properties": {
+ "action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "host": {
+ "properties": {
+ "rx": {
+ "type": "ip"
+ },
+ "tx": {
+ "type": "ip"
+ }
+ }
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "uid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "rtt": {
+ "type": "double"
+ },
+ "smb1_offered_dialects": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "smb2_offered_dialects": {
+ "type": "long"
+ },
+ "status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "sub_command": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tree": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tree_service": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "username": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "smb_files": {
+ "properties": {
+ "action": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fid": {
+ "type": "long"
+ },
+ "name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "previous_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "size": {
+ "type": "long"
+ },
+ "times": {
+ "properties": {
+ "accessed": {
+ "type": "date"
+ },
+ "changed": {
+ "type": "date"
+ },
+ "created": {
+ "type": "date"
+ },
+ "modified": {
+ "type": "date"
+ }
+ }
+ },
+ "uuid": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "smb_mapping": {
+ "properties": {
+ "native_file_system": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "service": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "share_type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "smtp": {
+ "properties": {
+ "cc": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "date": {
+ "type": "date"
+ },
+ "first_received": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "from": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "fuids": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "has_client_activity": {
+ "type": "boolean"
+ },
+ "helo": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "in_reply_to": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "is_webmail": {
+ "type": "boolean"
+ },
+ "last_reply": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "mail_from": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "msg_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "path": {
+ "type": "ip"
+ },
+ "process_received_from": {
+ "type": "boolean"
+ },
+ "rcpt_to": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "reply_to": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "second_received": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "subject": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "tls": {
+ "type": "boolean"
+ },
+ "to": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "transaction_depth": {
+ "type": "long"
+ },
+ "user_agent": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "x_originating_ip": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "snmp": {
+ "properties": {
+ "community": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "display_string": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "duration": {
+ "type": "double"
+ },
+ "get": {
+ "properties": {
+ "bulk_requests": {
+ "type": "long"
+ },
+ "requests": {
+ "type": "long"
+ },
+ "responses": {
+ "type": "long"
+ }
+ }
+ },
+ "set": {
+ "properties": {
+ "requests": {
+ "type": "long"
+ }
+ }
+ },
+ "up_since": {
+ "type": "date"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "socks": {
+ "properties": {
+ "bound": {
+ "properties": {
+ "host": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "port": {
+ "type": "long"
+ }
+ }
+ },
+ "capture_password": {
+ "type": "boolean"
+ },
+ "password": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "request": {
+ "properties": {
+ "host": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "port": {
+ "type": "long" + } + } + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + } + } + }, + "ssh": { + "properties": { + "algorithm": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "compression": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "key_exchange": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "auth": { + "properties": { + "attempts": { + "type": "long" + }, + "success": { + "type": "boolean" + } + } + }, + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + } + } + }, + "ssl": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "cert_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_chain_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "last_alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "cert_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_chain_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "validation": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "stats": { + "properties": { + "bytes": { + "properties": { + "received": { + "type": "long" + } + } + }, + "connections": { + "properties": { + "icmp": { + 
"properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "udp": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + } + } + }, + "dns_requests": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "events": { + "properties": { + "processed": { + "type": "long" + }, + "queued": { + "type": "long" + } + } + }, + "files": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "memory": { + "type": "long" + }, + "packets": { + "properties": { + "dropped": { + "type": "long" + }, + "processed": { + "type": "long" + }, + "received": { + "type": "long" + } + } + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "reassembly_size": { + "properties": { + "file": { + "type": "long" + }, + "frag": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "unknown": { + "type": "long" + } + } + }, + "timers": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "timestamp_lag": { + "type": "long" + } + } + }, + "syslog": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tunnel": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "weird": { + "properties": { + "additional_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "notice": { + "type": "boolean" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, 
+ "x509": { + "properties": { + "basic_constraints": { + "properties": { + "certificate_authority": { + "type": "boolean" + }, + "path_length": { + "type": "long" + } + } + }, + "certificate": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "exponent": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "key": { + "properties": { + "algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "length": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "valid": { + "properties": { + "from": { + "type": "date" + }, + "until": { + "type": "date" + } + } + }, + "version": { + "type": "long" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_cert": { + "type": "boolean" + }, + "san": { + "properties": { + "dns": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "other_fields": { + "type": "boolean" + }, + "uri": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + } + } +} From c2c4e4df17db969c017a1780fc687c75ace4502d Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 8 Feb 2022 15:23:43 +0000 Subject: [PATCH 36/40] Add Snyk component template --- .../templates/component/ecs/snyk.json | 149 ++++++++++++++++++ 1 file changed, 149 insertions(+) create mode 100644 salt/elasticsearch/templates/component/ecs/snyk.json diff --git a/salt/elasticsearch/templates/component/ecs/snyk.json b/salt/elasticsearch/templates/component/ecs/snyk.json new file mode 100644 index 000000000..c0c583e5f --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/snyk.json 
@@ -0,0 +1,149 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "mappings": {
+ "properties": {
+ "snyk": {
+ "properties": {
+ "audit": {
+ "properties": {
+ "content": {
+ "type": "flattened"
+ },
+ "org_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "project_id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "projects": {
+ "type": "flattened"
+ },
+ "related": {
+ "properties": {
+ "projects": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "vulnerabilities": {
+ "properties": {
+ "credit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cvss3": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "disclosure_time": {
+ "type": "date"
+ },
+ "exploit_maturity": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "identifiers": {
+ "properties": {
+ "alternative": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "cwe": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "introduced_date": {
+ "type": "date"
+ },
+ "is_fixed": {
+ "type": "boolean"
+ },
+ "is_ignored": {
+ "type": "boolean"
+ },
+ "is_patchable": {
+ "type": "boolean"
+ },
+ "is_patched": {
+ "type": "boolean"
+ },
+ "is_pinnable": {
+ "type": "boolean"
+ },
+ "is_upgradable": {
+ "type": "boolean"
+ },
+ "jira_issue_url": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "language": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "original_severity": {
+ "type": "long"
+ },
+ "package": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "package_manager": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "patches": {
+ "type": "flattened"
+ },
+ "priority_score": {
+ "type": "long"
+ },
+ "publication_time": {
+ "type": "date"
+ },
+ "reachability": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "semver": {
+ "type": "flattened"
+ },
+ "title": {
+ "ignore_above":
1024,
+ "type": "keyword"
+ },
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "unique_severities_list": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
From 9b841fd872b6be8aeb2a8fbe8b90d81b6821dcbc Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 8 Feb 2022 21:34:32 +0000 Subject: [PATCH 37/40] Add 'event.created' and 'event.ingested' keyword mapping --- .../templates/component/so/dtc-event-mappings | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/salt/elasticsearch/templates/component/so/dtc-event-mappings b/salt/elasticsearch/templates/component/so/dtc-event-mappings
index 1b4798487..8a026308b 100644
--- a/salt/elasticsearch/templates/component/so/dtc-event-mappings
+++ b/salt/elasticsearch/templates/component/so/dtc-event-mappings
@@ -30,7 +30,12 @@
 "type": "keyword"
 },
 "created": {
- "type": "date"
+ "type": "date",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
 },
 "dataset": {
 "ignore_above": 1024,
@@ -56,7 +61,12 @@
 "type": "keyword"
 },
 "ingested": {
- "type": "date"
+ "type": "date",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
 },
 "kind": {
 "ignore_above": 1024,
From 51bd266717a1e1cc41cce94c76631912e3b54bf0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 9 Feb 2022 09:44:28 -0500 Subject: [PATCH 38/40] Update to 7.17.0 --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson
index 1712da48b..98db07fa5 100644
--- a/salt/kibana/files/config_saved_objects.ndjson
+++ b/salt/kibana/files/config_saved_objects.ndjson
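Review bot: The `_meta.documentation` link in the new snyk.json points at the ECS base field-set page, but nothing under `snyk.*` is an ECS field set, so the link misleads anyone checking which schema these fields follow; point it at the Snyk integration's field reference (or drop `documentation` and keep only `ecs_version`). Separately, `original_severity` is mapped as `long` while the neighbouring `unique_severities_list` is a keyword; if the source emits severity as a label rather than a number, every document carrying that field is rejected with a mapping exception and the finding never reaches the index, so it is worth confirming the producer's type before this template ships. Also `cvss3` as keyword is fine if it holds a vector string, but then a numeric score field is missing and severity cannot be range-filtered.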
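Review bot: The new `keyword` sub-fields on `event.created` (first hunk) and `event.ingested` (second hunk) index the original string value as the shipper sent it, not the normalised date, so `event.created.keyword` will split into separate terms for every timestamp format that reaches this index; if the goal is a sortable or aggregatable copy, a `date` with a fixed `format` is the safer choice. The sub-fields also omit `ignore_above`, unlike every other keyword in this file (`"ignore_above": 1024`), which is harmless for timestamps but breaks the file's convention; either add `"ignore_above": 1024` for consistency or say in the commit message why these two are exempt. The commit message does not say which consumer needs the keyword copy, and that rationale belongs somewhere a future maintainer will find it.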
@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.16.3","id": "7.16.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.0","id": "7.17.0","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
From 3f831910835763ec1a3894f7874964814ae184d1 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 9 Feb 2022 11:34:39 -0500 Subject: [PATCH 39/40] Update CONTRIBUTING.md --- CONTRIBUTING.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 3efed0016..904e9fef4 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -29,7 +29,11 @@
 * See this document's [code styling and conventions section](#code-style-and-conventions) below to be sure your PR fits our code requirements prior to submitting.
-* Minor bug fixes can be submitted immediately. However, if you are wanting to make more involved changes, please start a [discussion](https://github.com/Security-Onion-Solutions/securityonion/discussions) first and tell us what you are hoping to achieve. If we agree with your goals, then you can submit the PR.
+* Change behavior (fix a bug, add a new feature) separately from refactoring code. Refactor PR's are welcome, but ensure your new code behaves exactly the same as the old.
+
+* **Do not refactor code for non-functional reasons**. If you are submitting a pull request that refactors code, ensure the refactor is improving the functionality of the code you're refactoring (e.g. decreasing complexity, removing reliance on 3rd party tools, improving performance).
+
+* Before submitting a PR with significant changes to the project, [start a discussion](https://github.com/Security-Onion-Solutions/securityonion/discussions/new) explaining what you hope to acheive. The project maintainers will provide feedback and determine whether your goal aligns with the project.
 ### Code style and conventions
@@ -38,3 +42,5 @@
 * All new Bash code should pass [ShellCheck](https://www.shellcheck.net/) analysis. Where errors can be *safely* [ignored](https://github.com/koalaman/shellcheck/wiki/Ignore), the relevant disable directive should be accompanied by a brief explanation as to why the error is being ignored.
 * **Ensure all YAML (this includes Salt states and pillars) is properly formatted**. The spec for YAML v1.2 can be found [here](https://yaml.org/spec/1.2/spec.html), however there are numerous online resources with simpler descriptions of its formatting rules.
+
+* **All code of any language should match the style of other code of that same language within the project.** Be sure that any changes you make do not break from the pre-existing style of Security Onion code.
From 2e2eed9f420cc103010c27af6d4cf9c5be7b487c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 9 Feb 2022 11:45:12 -0500 Subject: [PATCH 40/40] PR's -> pull requests --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 904e9fef4..e5b17efe1 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -29,7 +29,7 @@
 * See this document's [code styling and conventions section](#code-style-and-conventions) below to be sure your PR fits our code requirements prior to submitting.
-* Change behavior (fix a bug, add a new feature) separately from refactoring code. Refactor PR's are welcome, but ensure your new code behaves exactly the same as the old.
+* Change behavior (fix a bug, add a new feature) separately from refactoring code. Refactor pull requests are welcome, but ensure your new code behaves exactly the same as the old. + +* **Do not refactor code for non-functional reasons**. If you are submitting a pull request that refactors code, ensure the refactor is improving the functionality of the code you're refactoring (e.g. decreasing complexity, removing reliance on 3rd party tools, improving performance).