CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-04-27 06:57:50 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'dev' into kilo

Browse Source
This commit is contained in:
Jason Ertel
2022-02-15 07:49:26 -05:00
parent d97423e9f8 1fee5e6a60
commit 377fe1987d
216 changed files with 27757 additions and 4565 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CONTRIBUTING.md
+7 -1
View File
@@ -29,7 +29,11 @@
* See this document's [code styling and conventions section](#code-style-and-conventions) below to be sure your PR fits our code requirements prior to submitting. * See this document's [code styling and conventions section](#code-style-and-conventions) below to be sure your PR fits our code requirements prior to submitting.
* Minor bug fixes can be submitted immediately. However, if you are wanting to make more involved changes, please start a [discussion](https://github.com/Security-Onion-Solutions/securityonion/discussions) first and tell us what you are hoping to achieve. If we agree with your goals, then you can submit the PR. * Change behavior (fix a bug, add a new feature) separately from refactoring code. Refactor pull requests are welcome, but ensure your new code behaves exactly the same as the old.
* **Do not refactor code for non-functional reasons**. If you are submitting a pull request that refactors code, ensure the refactor is improving the functionality of the code you're refactoring (e.g. decreasing complexity, removing reliance on 3rd party tools, improving performance).
* Before submitting a PR with significant changes to the project, [start a discussion](https://github.com/Security-Onion-Solutions/securityonion/discussions/new) explaining what you hope to acheive. The project maintainers will provide feedback and determine whether your goal aligns with the project.
### Code style and conventions ### Code style and conventions
@@ -38,3 +42,5 @@
* All new Bash code should pass [ShellCheck](https://www.shellcheck.net/) analysis. Where errors can be *safely* [ignored](https://github.com/koalaman/shellcheck/wiki/Ignore), the relevant disable directive should be accompanied by a brief explanation as to why the error is being ignored. * All new Bash code should pass [ShellCheck](https://www.shellcheck.net/) analysis. Where errors can be *safely* [ignored](https://github.com/koalaman/shellcheck/wiki/Ignore), the relevant disable directive should be accompanied by a brief explanation as to why the error is being ignored.
* **Ensure all YAML (this includes Salt states and pillars) is properly formatted**. The spec for YAML v1.2 can be found [here](https://yaml.org/spec/1.2/spec.html), however there are numerous online resources with simpler descriptions of its formatting rules. * **Ensure all YAML (this includes Salt states and pillars) is properly formatted**. The spec for YAML v1.2 can be found [here](https://yaml.org/spec/1.2/spec.html), however there are numerous online resources with simpler descriptions of its formatting rules.
* **All code of any language should match the style of other code of that same language within the project.** Be sure that any changes you make do not break from the pre-existing style of Security Onion code.
HOTFIX
+1 -1
View File
@@ -1 +1 @@
20220202 20220203
VERIFY_ISO.md
+11 -11
View File
@@ -1,18 +1,18 @@
### 2.3.100-20220131 ISO image built on 2022/01/31 ### 2.3.100-20220203 ISO image built on 2022/02/03
### Download and Verify ### Download and Verify
2.3.100-20220131 ISO image: 2.3.100-20220203 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220131.iso https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220203.iso
MD5: 9B50774532B77A10E2F52A3F0492A780 MD5: 14705B2F2F9C973D944A4545449799C5
SHA1: 3C50D2EF4AFFFA8929492C2FC3842FF3EEE0EA5F SHA1: D73405BE3DE404DE19979B58DEA6F22F434E622D
SHA256: CDCBEE6B1FDFB4CAF6C9F80CCADC161366EC337746E8394BF4454FAA2FC11AA1 SHA256: 3DD54ACBFDE0047A5EA238415F025ADB6D6AAFF53BEE084A602327CB3242B580
Signature for ISO image: Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220131.iso.sig https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220203.iso.sig
Signing key: Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
Download the signature file for the ISO: Download the signature file for the ISO:
``` ```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220131.iso.sig wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.100-20220203.iso.sig
``` ```
Download the ISO image: Download the ISO image:
``` ```
wget https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220131.iso wget https://download.securityonion.net/file/securityonion/securityonion-2.3.100-20220203.iso
``` ```
Verify the downloaded ISO image using the signature file: Verify the downloaded ISO image using the signature file:
``` ```
gpg --verify securityonion-2.3.100-20220131.iso.sig securityonion-2.3.100-20220131.iso gpg --verify securityonion-2.3.100-20220203.iso.sig securityonion-2.3.100-20220203.iso
``` ```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below: The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
``` ```
gpg: Signature made Mon 31 Jan 2022 11:41:30 AM EST using RSA key ID FE507013 gpg: Signature made Thu 03 Feb 2022 03:35:03 PM EST using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>" gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature! gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner. gpg: There is no indication that the signature belongs to the owner.
pillar/logstash/nodes.sls
+4 -2
View File
@@ -1,11 +1,13 @@
{% set node_types = {} %} {% set node_types = {} %}
{% set cached_grains = salt.saltutil.runner('cache.grains', tgt='*') %}
{% for minionid, ip in salt.saltutil.runner( {% for minionid, ip in salt.saltutil.runner(
'mine.get', 'mine.get',
tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-node or G@role:so-heavynode or G@role:so-receiver or G@role:so-helix ', tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-node or G@role:so-heavynode or G@role:so-receiver or G@role:so-helix ',
fun='network.ip_addrs', fun='network.ip_addrs',
tgt_type='compound') | dictsort() tgt_type='compound') | dictsort()
%} %}
{% set hostname = minionid.split('_')[0] %}
{% set hostname = cached_grains[minionid]['host'] %}
{% set node_type = minionid.split('_')[1] %} {% set node_type = minionid.split('_')[1] %}
{% if node_type not in node_types.keys() %} {% if node_type not in node_types.keys() %}
{% do node_types.update({node_type: {hostname: ip[0]}}) %} {% do node_types.update({node_type: {hostname: ip[0]}}) %}
salt/common/tools/sbin/so-elasticsearch-component-templates-list
Executable
+23
View File
@@ -0,0 +1,23 @@
#!/bin/bash
#
# Copyright 2014-2022 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
. /usr/sbin/so-common
if [ "$1" == "" ]; then
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort
else
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template/$1 | jq
fi
salt/common/tools/sbin/so-elasticsearch-index-templates-list
Executable
+23
View File
@@ -0,0 +1,23 @@
#!/bin/bash
#
# Copyright 2014-2022 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
. /usr/sbin/so-common
if [ "$1" == "" ]; then
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort
else
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template/$1 | jq
fi
salt/common/tools/sbin/so-elasticsearch-indices-list
+1 -1
View File
@@ -18,4 +18,4 @@
. /usr/sbin/so-common . /usr/sbin/so-common
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_cat/indices?pretty {{ ELASTICCURL }} -s -k -L "https://{{ NODEIP }}:9200/_cat/indices?pretty&v&s=index"
salt/common/tools/sbin/soup
+10 -1
View File
@@ -158,7 +158,7 @@ EOF
} }
airgap_update_dockers() { airgap_update_dockers() {
if [[ $is_airgap -eq 0 ]]; then if [[ $is_airgap -eq 0 ]] || [[ ! -z "$ISOLOC" ]]; then
# Let's copy the tarball # Let's copy the tarball
if [[ ! -f $AGDOCKER/registry.tar ]]; then if [[ ! -f $AGDOCKER/registry.tar ]]; then
echo "Unable to locate registry. Exiting" echo "Unable to locate registry. Exiting"
@@ -976,6 +976,11 @@ main() {
# Let's mount the ISO since this is airgap # Let's mount the ISO since this is airgap
airgap_mounted airgap_mounted
else else
# if not airgap but -f was used
if [[ ! -z "$ISOLOC" ]]; then
airgap_mounted
AGDOCKER=/tmp/soagupdate/docker
fi
echo "Cloning Security Onion github repo into $UPDATE_DIR." echo "Cloning Security Onion github repo into $UPDATE_DIR."
echo "Removing previous upgrade sources." echo "Removing previous upgrade sources."
rm -rf $UPDATE_DIR rm -rf $UPDATE_DIR
@@ -1031,6 +1036,10 @@ main() {
update_centos_repo update_centos_repo
yum clean all yum clean all
check_os_updates check_os_updates
# if not airgap but -f was used
elif [[ ! -z "$ISOLOC" ]]; then
airgap_update_dockers
unmount_update
else else
update_registry update_registry
set +e set +e
salt/elasticsearch/defaults.yaml
+1 -1
View File
@@ -55,7 +55,7 @@ elasticsearch:
indices: indices:
query: query:
bool: bool:
max_clause_count: 1500 max_clause_count: 3000
id_field_data: id_field_data:
enabled: false enabled: false
logger: logger:
salt/elasticsearch/files/ingest/zeek.dns
+1 -1
View File
@@ -19,7 +19,7 @@
{ "rename": { "field": "message2.RD", "target_field": "dns.recursion.desired", "ignore_missing": true } }, { "rename": { "field": "message2.RD", "target_field": "dns.recursion.desired", "ignore_missing": true } },
{ "rename": { "field": "message2.RA", "target_field": "dns.recursion.available", "ignore_missing": true } }, { "rename": { "field": "message2.RA", "target_field": "dns.recursion.available", "ignore_missing": true } },
{ "rename": { "field": "message2.Z", "target_field": "dns.reserved", "ignore_missing": true } }, { "rename": { "field": "message2.Z", "target_field": "dns.reserved", "ignore_missing": true } },
{ "rename": { "field": "message2.answers", "target_field": "dns.answers", "ignore_missing": true } }, { "rename": { "field": "message2.answers", "target_field": "dns.answers.name", "ignore_missing": true } },
{ "rename": { "field": "message2.TTLs", "target_field": "dns.ttls", "ignore_missing": true } }, { "rename": { "field": "message2.TTLs", "target_field": "dns.ttls", "ignore_missing": true } },
{ "rename": { "field": "message2.rejected", "target_field": "dns.query.rejected", "ignore_missing": true } }, { "rename": { "field": "message2.rejected", "target_field": "dns.query.rejected", "ignore_missing": true } },
{ "script": { "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()", "ignore_failure": true } }, { "script": { "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()", "ignore_failure": true } },
salt/elasticsearch/init.sls
+13 -4
View File
@@ -147,11 +147,13 @@ esingestdir:
estemplatedir: estemplatedir:
file.directory: file.directory:
- name: /opt/so/conf/elasticsearch/templates - name: /opt/so/conf/elasticsearch/templates/index
- user: 930 - user: 930
- group: 939 - group: 939
- makedirs: True - makedirs: True
esrolesdir: esrolesdir:
file.directory: file.directory:
- name: /opt/so/conf/elasticsearch/roles - name: /opt/so/conf/elasticsearch/roles
@@ -200,17 +202,24 @@ esyml:
{% for TEMPLATE in TEMPLATES %} {% for TEMPLATE in TEMPLATES %}
es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
file.managed: file.managed:
- source: salt://elasticsearch/templates/{{TEMPLATE}} - source: salt://elasticsearch/templates/index/{{TEMPLATE}}
{% if 'jinja' in TEMPLATE.split('.')[-1] %} {% if 'jinja' in TEMPLATE.split('.')[-1] %}
- name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}} - name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}
- template: jinja - template: jinja
{% else %} {% else %}
- name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1]}} - name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1]}}
{% endif %} {% endif %}
- user: 930 - user: 930
- group: 939 - group: 939
{% endfor %} {% endfor %}
escomponenttemplates:
file.recurse:
- name: /opt/so/conf/elasticsearch/templates/component
- source: salt://elasticsearch/templates/component
- user: 930
- group: 939
esroles: esroles:
file.recurse: file.recurse:
- source: salt://elasticsearch/roles/ - source: salt://elasticsearch/roles/
salt/elasticsearch/templates/component/ecs/agent.json
+44
View File
@@ -0,0 +1,44 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/aws.json
+570
View File
@@ -0,0 +1,570 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"aws": {
"properties": {
"cloudtrail": {
"properties": {
"additional_eventdata": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"api_version": {
"ignore_above": 1024,
"type": "keyword"
},
"console_login": {
"properties": {
"additional_eventdata": {
"properties": {
"login_to": {
"ignore_above": 1024,
"type": "keyword"
},
"mfa_used": {
"type": "boolean"
},
"mobile_version": {
"type": "boolean"
}
}
}
}
},
"digest": {
"properties": {
"end_time": {
"type": "date"
},
"log_files": {
"type": "nested"
},
"newest_event_time": {
"type": "date"
},
"oldest_event_time": {
"type": "date"
},
"previous_hash_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"previous_s3_bucket": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_fingerprint": {
"ignore_above": 1024,
"type": "keyword"
},
"s3_bucket": {
"ignore_above": 1024,
"type": "keyword"
},
"s3_object": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"start_time": {
"type": "date"
}
}
},
"error_code": {
"ignore_above": 1024,
"type": "keyword"
},
"error_message": {
"ignore_above": 1024,
"type": "keyword"
},
"event_category": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"event_version": {
"ignore_above": 1024,
"type": "keyword"
},
"flattened": {
"properties": {
"additional_eventdata": {
"type": "flattened"
},
"request_parameters": {
"type": "flattened"
},
"response_elements": {
"type": "flattened"
},
"service_event_details": {
"type": "flattened"
}
}
},
"insight_details": {
"type": "flattened"
},
"management_event": {
"ignore_above": 1024,
"type": "keyword"
},
"read_only": {
"ignore_above": 1024,
"type": "keyword"
},
"recipient_account_id": {
"ignore_above": 1024,
"type": "keyword"
},
"request_id": {
"ignore_above": 1024,
"type": "keyword"
},
"request_parameters": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"resources": {
"properties": {
"account_id": {
"ignore_above": 1024,
"type": "keyword"
},
"arn": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"response_elements": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"service_event_details": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"shared_event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"user_identity": {
"properties": {
"access_key_id": {
"ignore_above": 1024,
"type": "keyword"
},
"arn": {
"ignore_above": 1024,
"type": "keyword"
},
"invoked_by": {
"ignore_above": 1024,
"type": "keyword"
},
"session_context": {
"properties": {
"creation_date": {
"type": "date"
},
"mfa_authenticated": {
"ignore_above": 1024,
"type": "keyword"
},
"session_issuer": {
"properties": {
"account_id": {
"ignore_above": 1024,
"type": "keyword"
},
"arn": {
"ignore_above": 1024,
"type": "keyword"
},
"principal_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vpc_endpoint_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"cloudwatch": {
"properties": {
"message": {
"norms": false,
"type": "text"
}
}
},
"ec2": {
"properties": {
"ip_address": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elb": {
"properties": {
"action_executed": {
"ignore_above": 1024,
"type": "keyword"
},
"backend": {
"properties": {
"http": {
"properties": {
"response": {
"properties": {
"status_code": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"ip": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"backend_processing_time": {
"properties": {
"sec": {
"type": "float"
}
}
},
"chosen_cert": {
"properties": {
"arn": {
"ignore_above": 1024,
"type": "keyword"
},
"serial": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"classification_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_time": {
"properties": {
"ms": {
"type": "long"
}
}
},
"error": {
"properties": {
"reason": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"incoming_tls_alert": {
"ignore_above": 1024,
"type": "keyword"
},
"listener": {
"ignore_above": 1024,
"type": "keyword"
},
"matched_rule_priority": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"redirect_url": {
"ignore_above": 1024,
"type": "keyword"
},
"request_processing_time": {
"properties": {
"sec": {
"type": "float"
}
}
},
"response_processing_time": {
"properties": {
"sec": {
"type": "float"
}
}
},
"ssl_cipher": {
"ignore_above": 1024,
"type": "keyword"
},
"ssl_protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"target_group": {
"properties": {
"arn": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"target_port": {
"ignore_above": 1024,
"type": "keyword"
},
"target_status_code": {
"ignore_above": 1024,
"type": "keyword"
},
"tls_handshake_time": {
"properties": {
"ms": {
"type": "long"
}
}
},
"tls_named_group": {
"ignore_above": 1024,
"type": "keyword"
},
"trace_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"s3access": {
"properties": {
"authentication_type": {
"ignore_above": 1024,
"type": "keyword"
},
"bucket": {
"ignore_above": 1024,
"type": "keyword"
},
"bucket_owner": {
"ignore_above": 1024,
"type": "keyword"
},
"bytes_sent": {
"type": "long"
},
"cipher_suite": {
"ignore_above": 1024,
"type": "keyword"
},
"error_code": {
"ignore_above": 1024,
"type": "keyword"
},
"host_header": {
"ignore_above": 1024,
"type": "keyword"
},
"host_id": {
"ignore_above": 1024,
"type": "keyword"
},
"http_status": {
"type": "long"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
},
"object_size": {
"type": "long"
},
"operation": {
"ignore_above": 1024,
"type": "keyword"
},
"referrer": {
"ignore_above": 1024,
"type": "keyword"
},
"remote_ip": {
"type": "ip"
},
"request_id": {
"ignore_above": 1024,
"type": "keyword"
},
"request_uri": {
"ignore_above": 1024,
"type": "keyword"
},
"requester": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_version": {
"ignore_above": 1024,
"type": "keyword"
},
"tls_version": {
"ignore_above": 1024,
"type": "keyword"
},
"total_time": {
"type": "long"
},
"turn_around_time": {
"type": "long"
},
"user_agent": {
"ignore_above": 1024,
"type": "keyword"
},
"version_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vpcflow": {
"properties": {
"account_id": {
"ignore_above": 1024,
"type": "keyword"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"instance_id": {
"ignore_above": 1024,
"type": "keyword"
},
"interface_id": {
"ignore_above": 1024,
"type": "keyword"
},
"log_status": {
"ignore_above": 1024,
"type": "keyword"
},
"pkt_dstaddr": {
"type": "ip"
},
"pkt_srcaddr": {
"type": "ip"
},
"subnet_id": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp_flags": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp_flags_array": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"vpc_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/azure.json
+604
View File
@@ -0,0 +1,604 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"azure": {
"properties": {
"activitylogs": {
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"event_category": {
"ignore_above": 1024,
"type": "keyword"
},
"identity": {
"properties": {
"authorization": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"evidence": {
"properties": {
"principal_id": {
"ignore_above": 1024,
"type": "keyword"
},
"principal_type": {
"ignore_above": 1024,
"type": "keyword"
},
"role": {
"ignore_above": 1024,
"type": "keyword"
},
"role_assignment_id": {
"ignore_above": 1024,
"type": "keyword"
},
"role_assignment_scope": {
"ignore_above": 1024,
"type": "keyword"
},
"role_definition_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"scope": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"claims": {
"properties": {
"*": {
"type": "object"
}
}
},
"claims_initiated_by_user": {
"properties": {
"fullname": {
"ignore_above": 1024,
"type": "keyword"
},
"givenname": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"schema": {
"ignore_above": 1024,
"type": "keyword"
},
"surname": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"operation_name": {
"ignore_above": 1024,
"type": "keyword"
},
"properties": {
"type": "flattened"
},
"result_signature": {
"ignore_above": 1024,
"type": "keyword"
},
"result_type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"auditlogs": {
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"identity": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_name": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_version": {
"ignore_above": 1024,
"type": "keyword"
},
"properties": {
"properties": {
"activity_datetime": {
"type": "date"
},
"activity_display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"correlation_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"initiated_by": {
"properties": {
"app": {
"properties": {
"appId": {
"ignore_above": 1024,
"type": "keyword"
},
"displayName": {
"ignore_above": 1024,
"type": "keyword"
},
"servicePrincipalId": {
"ignore_above": 1024,
"type": "keyword"
},
"servicePrincipalName": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user": {
"properties": {
"displayName": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ipAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"userPrincipalName": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"logged_by_service": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_type": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
},
"result_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"target_resources": {
"properties": {
"*": {
"properties": {
"display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ip_address": {
"ignore_above": 1024,
"type": "keyword"
},
"modified_properties": {
"properties": {
"*": {
"properties": {
"display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"new_value": {
"ignore_above": 1024,
"type": "keyword"
},
"old_value": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"user_principal_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"result_signature": {
"ignore_above": 1024,
"type": "keyword"
},
"tenant_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"consumer_group": {
"ignore_above": 1024,
"type": "keyword"
},
"correlation_id": {
"ignore_above": 1024,
"type": "keyword"
},
"enqueued_time": {
"type": "date"
},
"eventhub": {
"ignore_above": 1024,
"type": "keyword"
},
"offset": {
"type": "long"
},
"partition_id": {
"type": "long"
},
"platformlogs": {
"properties": {
"ActivityId": {
"ignore_above": 1024,
"type": "keyword"
},
"Caller": {
"ignore_above": 1024,
"type": "keyword"
},
"Cloud": {
"ignore_above": 1024,
"type": "keyword"
},
"Environment": {
"ignore_above": 1024,
"type": "keyword"
},
"EventTimeString": {
"ignore_above": 1024,
"type": "keyword"
},
"ScaleUnit": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"ccpNamespace": {
"ignore_above": 1024,
"type": "keyword"
},
"event_category": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_name": {
"ignore_above": 1024,
"type": "keyword"
},
"properties": {
"type": "flattened"
},
"result_signature": {
"ignore_above": 1024,
"type": "keyword"
},
"result_type": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"resource": {
"properties": {
"authorization_rule": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"namespace": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sequence_number": {
"type": "long"
},
"signinlogs": {
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"identity": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_name": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_version": {
"ignore_above": 1024,
"type": "keyword"
},
"properties": {
"properties": {
"app_display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"app_id": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_processing_details": {
"type": "flattened"
},
"authentication_requirement": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_requirement_policies": {
"ignore_above": 1024,
"type": "keyword"
},
"autonomous_system_number": {
"type": "long"
},
"client_app_used": {
"ignore_above": 1024,
"type": "keyword"
},
"conditional_access_status": {
"ignore_above": 1024,
"type": "keyword"
},
"correlation_id": {
"ignore_above": 1024,
"type": "keyword"
},
"created_at": {
"type": "date"
},
"cross_tenant_access_type": {
"ignore_above": 1024,
"type": "keyword"
},
"device_detail": {
"properties": {
"browser": {
"ignore_above": 1024,
"type": "keyword"
},
"device_id": {
"ignore_above": 1024,
"type": "keyword"
},
"display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"operating_system": {
"ignore_above": 1024,
"type": "keyword"
},
"trust_type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"flagged_for_review": {
"type": "boolean"
},
"home_tenant_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"is_interactive": {
"type": "boolean"
},
"is_tenant_restricted": {
"type": "boolean"
},
"original_request_id": {
"ignore_above": 1024,
"type": "keyword"
},
"processing_time_ms": {
"type": "float"
},
"resource_display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"resource_id": {
"ignore_above": 1024,
"type": "keyword"
},
"resource_tenant_id": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_detail": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_event_types": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_event_types_v2": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_level_aggregated": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_level_during_signin": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_state": {
"ignore_above": 1024,
"type": "keyword"
},
"service_principal_id": {
"ignore_above": 1024,
"type": "keyword"
},
"service_principal_name": {
"ignore_above": 1024,
"type": "keyword"
},
"sso_extension_version": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"properties": {
"error_code": {
"type": "long"
}
}
},
"token_issuer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"token_issuer_type": {
"ignore_above": 1024,
"type": "keyword"
},
"user_display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"user_id": {
"ignore_above": 1024,
"type": "keyword"
},
"user_principal_name": {
"ignore_above": 1024,
"type": "keyword"
},
"user_type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"result_description": {
"ignore_above": 1024,
"type": "keyword"
},
"result_signature": {
"ignore_above": 1024,
"type": "keyword"
},
"result_type": {
"ignore_above": 1024,
"type": "keyword"
},
"tenant_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"subscription_id": {
"ignore_above": 1024,
"type": "keyword"
},
"tenant_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/base.json
+25
View File
@@ -0,0 +1,25 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"@timestamp": {
"type": "date"
},
"labels": {
"type": "object"
},
"message": {
"type": "match_only_text"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/cef.json
+772
View File
@@ -0,0 +1,772 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"cef": {
"properties": {
"device": {
"properties": {
"event_class_id": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"extensions": {
"properties": {
"Reason": {
"ignore_above": 1024,
"type": "keyword"
},
"agentAddress": {
"type": "ip"
},
"agentDnsDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"agentHostName": {
"ignore_above": 1024,
"type": "keyword"
},
"agentId": {
"ignore_above": 1024,
"type": "keyword"
},
"agentMacAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"agentNtDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"agentReceiptTime": {
"type": "date"
},
"agentTimeZone": {
"ignore_above": 1024,
"type": "keyword"
},
"agentTranslatedAddress": {
"type": "ip"
},
"agentTranslatedZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"agentTranslatedZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"agentType": {
"ignore_above": 1024,
"type": "keyword"
},
"agentVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"agentZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"agentZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"applicationProtocol": {
"ignore_above": 1024,
"type": "keyword"
},
"baseEventCount": {
"type": "long"
},
"bytesIn": {
"type": "long"
},
"bytesOut": {
"type": "long"
},
"categoryBehavior": {
"ignore_above": 1024,
"type": "keyword"
},
"categoryDeviceGroup": {
"ignore_above": 1024,
"type": "keyword"
},
"categoryDeviceType": {
"ignore_above": 1024,
"type": "keyword"
},
"categoryObject": {
"ignore_above": 1024,
"type": "keyword"
},
"categoryOutcome": {
"ignore_above": 1024,
"type": "keyword"
},
"categorySignificance": {
"ignore_above": 1024,
"type": "keyword"
},
"categoryTechnique": {
"ignore_above": 1024,
"type": "keyword"
},
"cp_app_risk": {
"ignore_above": 1024,
"type": "keyword"
},
"cp_severity": {
"ignore_above": 1024,
"type": "keyword"
},
"customerExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"customerURI": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationAddress": {
"type": "ip"
},
"destinationDnsDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationGeoLatitude": {
"type": "double"
},
"destinationGeoLongitude": {
"type": "double"
},
"destinationHostName": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationMacAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationNtDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationPort": {
"type": "long"
},
"destinationProcessId": {
"type": "long"
},
"destinationProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationServiceName": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationTranslatedAddress": {
"type": "ip"
},
"destinationTranslatedPort": {
"type": "long"
},
"destinationTranslatedZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationTranslatedZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationUserId": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationUserPrivileges": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceAction": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceAddress": {
"type": "ip"
},
"deviceCustomDate1": {
"type": "date"
},
"deviceCustomDate1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomDate2": {
"type": "date"
},
"deviceCustomDate2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomFloatingPoint1": {
"type": "double"
},
"deviceCustomFloatingPoint1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomFloatingPoint2": {
"type": "double"
},
"deviceCustomFloatingPoint2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomFloatingPoint3": {
"type": "double"
},
"deviceCustomFloatingPoint3Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomFloatingPoint4": {
"type": "double"
},
"deviceCustomFloatingPoint4Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomIPv6Address1": {
"type": "ip"
},
"deviceCustomIPv6Address1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomIPv6Address2": {
"type": "ip"
},
"deviceCustomIPv6Address2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomIPv6Address3": {
"type": "ip"
},
"deviceCustomIPv6Address3Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomIPv6Address4": {
"type": "ip"
},
"deviceCustomIPv6Address4Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomNumber1": {
"type": "long"
},
"deviceCustomNumber1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomNumber2": {
"type": "long"
},
"deviceCustomNumber2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomNumber3": {
"type": "long"
},
"deviceCustomNumber3Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString1": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString2": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString3": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString3Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString4": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString4Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString5": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString5Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString6": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString6Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceDirection": {
"type": "long"
},
"deviceDnsDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceEventCategory": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceExternalId": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceFacility": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceFlexNumber1": {
"type": "long"
},
"deviceFlexNumber1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceFlexNumber2": {
"type": "long"
},
"deviceFlexNumber2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceHostName": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceInboundInterface": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceMacAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceNtDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceOutboundInterface": {
"ignore_above": 1024,
"type": "keyword"
},
"devicePayloadId": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceProcessId": {
"type": "long"
},
"deviceProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceReceiptTime": {
"type": "date"
},
"deviceTimeZone": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceTranslatedAddress": {
"type": "ip"
},
"deviceTranslatedZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceTranslatedZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"endTime": {
"type": "date"
},
"eventId": {
"type": "long"
},
"eventOutcome": {
"ignore_above": 1024,
"type": "keyword"
},
"externalId": {
"ignore_above": 1024,
"type": "keyword"
},
"fileCreateTime": {
"type": "date"
},
"fileHash": {
"ignore_above": 1024,
"type": "keyword"
},
"fileId": {
"ignore_above": 1024,
"type": "keyword"
},
"fileModificationTime": {
"type": "date"
},
"filePath": {
"ignore_above": 1024,
"type": "keyword"
},
"filePermission": {
"ignore_above": 1024,
"type": "keyword"
},
"fileSize": {
"type": "long"
},
"fileType": {
"ignore_above": 1024,
"type": "keyword"
},
"filename": {
"ignore_above": 1024,
"type": "keyword"
},
"flexDate1": {
"type": "date"
},
"flexDate1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"flexString1": {
"ignore_above": 1024,
"type": "keyword"
},
"flexString1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"flexString2": {
"ignore_above": 1024,
"type": "keyword"
},
"flexString2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"ifname": {
"ignore_above": 1024,
"type": "keyword"
},
"inzone": {
"ignore_above": 1024,
"type": "keyword"
},
"layer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"layer_uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"logid": {
"ignore_above": 1024,
"type": "keyword"
},
"loguid": {
"ignore_above": 1024,
"type": "keyword"
},
"managerReceiptTime": {
"type": "date"
},
"match_id": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"nat_addtnl_rulenum": {
"ignore_above": 1024,
"type": "keyword"
},
"nat_rulenum": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFileCreateTime": {
"type": "date"
},
"oldFileHash": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFileId": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFileModificationTime": {
"type": "date"
},
"oldFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFilePath": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFilePermission": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFileSize": {
"type": "long"
},
"oldFileType": {
"ignore_above": 1024,
"type": "keyword"
},
"origin": {
"ignore_above": 1024,
"type": "keyword"
},
"originsicname": {
"ignore_above": 1024,
"type": "keyword"
},
"outzone": {
"ignore_above": 1024,
"type": "keyword"
},
"parent_rule": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"rawEvent": {
"ignore_above": 1024,
"type": "keyword"
},
"requestClientApplication": {
"ignore_above": 1024,
"type": "keyword"
},
"requestContext": {
"ignore_above": 1024,
"type": "keyword"
},
"requestCookies": {
"ignore_above": 1024,
"type": "keyword"
},
"requestMethod": {
"ignore_above": 1024,
"type": "keyword"
},
"requestUrl": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_action": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_uid": {
"ignore_above": 1024,
"type": "keyword"
},
"sequencenum": {
"ignore_above": 1024,
"type": "keyword"
},
"service_id": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceAddress": {
"type": "ip"
},
"sourceDnsDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceGeoLatitude": {
"type": "double"
},
"sourceGeoLongitude": {
"type": "double"
},
"sourceHostName": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceMacAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceNtDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"sourcePort": {
"type": "long"
},
"sourceProcessId": {
"type": "long"
},
"sourceProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceServiceName": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceTranslatedAddress": {
"type": "ip"
},
"sourceTranslatedPort": {
"type": "long"
},
"sourceTranslatedZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceTranslatedZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceUserId": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceUserPrivileges": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"startTime": {
"type": "date"
},
"transportProtocol": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"type": "long"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/checkpoint.json
+1615
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/ecs/cisco.json
+620
View File
@@ -0,0 +1,620 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"cisco": {
"properties": {
"amp": {
"properties": {
"bp_data": {
"type": "flattened"
},
"cloud_ioc": {
"properties": {
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"short_description": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"command_line": {
"properties": {
"arguments": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"computer": {
"properties": {
"active": {
"type": "boolean"
},
"connector_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"external_ip": {
"type": "ip"
},
"network_addresses": {
"type": "flattened"
}
}
},
"connector_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"detection": {
"ignore_above": 1024,
"type": "keyword"
},
"detection_id": {
"ignore_above": 1024,
"type": "keyword"
},
"error": {
"properties": {
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"error_code": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event_type_id": {
"ignore_above": 1024,
"type": "keyword"
},
"file": {
"properties": {
"archived_file": {
"properties": {
"disposition": {
"ignore_above": 1024,
"type": "keyword"
},
"identity": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"attack_details": {
"properties": {
"application": {
"ignore_above": 1024,
"type": "keyword"
},
"attacked_module": {
"ignore_above": 1024,
"type": "keyword"
},
"base_address": {
"ignore_above": 1024,
"type": "keyword"
},
"indicators": {
"type": "flattened"
},
"suspicious_files": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"disposition": {
"ignore_above": 1024,
"type": "keyword"
},
"parent": {
"properties": {
"disposition": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"group_guids": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_tactics": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_techniques": {
"ignore_above": 1024,
"type": "keyword"
},
"network_info": {
"properties": {
"disposition": {
"ignore_above": 1024,
"type": "keyword"
},
"nfm": {
"properties": {
"direction": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"parent": {
"properties": {
"disposition": {
"ignore_above": 1024,
"type": "keyword"
},
"identify": {
"properties": {
"sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"identity": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"related": {
"properties": {
"cve": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"scan": {
"properties": {
"clean": {
"type": "boolean"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"malicious_detections": {
"type": "long"
},
"scanned_files": {
"type": "long"
},
"scanned_paths": {
"type": "long"
},
"scanned_processes": {
"type": "long"
}
}
},
"tactics": {
"type": "flattened"
},
"techniques": {
"type": "flattened"
},
"threat_hunting": {
"properties": {
"incident_end_time": {
"type": "date"
},
"incident_hunt_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"incident_id": {
"ignore_above": 1024,
"type": "keyword"
},
"incident_remediation": {
"ignore_above": 1024,
"type": "keyword"
},
"incident_report_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"incident_start_time": {
"type": "date"
},
"incident_summary": {
"ignore_above": 1024,
"type": "keyword"
},
"incident_title": {
"ignore_above": 1024,
"type": "keyword"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"tactics": {
"type": "flattened"
},
"techniques": {
"type": "flattened"
}
}
},
"timestamp_nanoseconds": {
"type": "date"
},
"vulnerabilities": {
"type": "flattened"
}
}
},
"asa": {
"properties": {
"assigned_ip": {
"type": "ip"
},
"burst": {
"properties": {
"avg_rate": {
"ignore_above": 1024,
"type": "keyword"
},
"configured_avg_rate": {
"ignore_above": 1024,
"type": "keyword"
},
"configured_rate": {
"ignore_above": 1024,
"type": "keyword"
},
"cumulative_count": {
"ignore_above": 1024,
"type": "keyword"
},
"current_rate": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"object": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"command_line_arguments": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_id": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dap_records": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_username": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_code": {
"type": "short"
},
"icmp_type": {
"type": "short"
},
"mapped_destination_host": {
"ignore_above": 1024,
"type": "keyword"
},
"mapped_destination_ip": {
"type": "ip"
},
"mapped_destination_port": {
"type": "long"
},
"mapped_source_host": {
"ignore_above": 1024,
"type": "keyword"
},
"mapped_source_ip": {
"type": "ip"
},
"mapped_source_port": {
"type": "long"
},
"message_id": {
"ignore_above": 1024,
"type": "keyword"
},
"privilege": {
"properties": {
"new": {
"ignore_above": 1024,
"type": "keyword"
},
"old": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"session_type": {
"ignore_above": 1024,
"type": "keyword"
},
"source_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"source_username": {
"ignore_above": 1024,
"type": "keyword"
},
"suffix": {
"ignore_above": 1024,
"type": "keyword"
},
"termination_initiator": {
"ignore_above": 1024,
"type": "keyword"
},
"termination_user": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_category": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_level": {
"ignore_above": 1024,
"type": "keyword"
},
"tunnel_type": {
"ignore_above": 1024,
"type": "keyword"
},
"webvpn": {
"properties": {
"group_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"ftd": {
"properties": {
"connection_id": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dap_records": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_username": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_code": {
"type": "short"
},
"icmp_type": {
"type": "short"
},
"mapped_destination_host": {
"ignore_above": 1024,
"type": "keyword"
},
"mapped_destination_ip": {
"type": "ip"
},
"mapped_destination_port": {
"type": "long"
},
"mapped_source_host": {
"ignore_above": 1024,
"type": "keyword"
},
"mapped_source_ip": {
"type": "ip"
},
"mapped_source_port": {
"type": "long"
},
"message_id": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"security": {
"type": "object"
},
"source_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"source_username": {
"ignore_above": 1024,
"type": "keyword"
},
"suffix": {
"ignore_above": 1024,
"type": "keyword"
},
"termination_initiator": {
"ignore_above": 1024,
"type": "keyword"
},
"termination_user": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_category": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_level": {
"ignore_above": 1024,
"type": "keyword"
},
"webvpn": {
"properties": {
"group_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"ios": {
"properties": {
"access_list": {
"ignore_above": 1024,
"type": "keyword"
},
"facility": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"umbrella": {
"properties": {
"amp_disposition": {
"ignore_above": 1024,
"type": "keyword"
},
"amp_malware_name": {
"ignore_above": 1024,
"type": "keyword"
},
"amp_score": {
"ignore_above": 1024,
"type": "keyword"
},
"av_detections": {
"ignore_above": 1024,
"type": "keyword"
},
"blocked_categories": {
"ignore_above": 1024,
"type": "keyword"
},
"categories": {
"ignore_above": 1024,
"type": "keyword"
},
"content_type": {
"ignore_above": 1024,
"type": "keyword"
},
"datacenter": {
"ignore_above": 1024,
"type": "keyword"
},
"identities": {
"ignore_above": 1024,
"type": "keyword"
},
"identity_types": {
"ignore_above": 1024,
"type": "keyword"
},
"origin_id": {
"ignore_above": 1024,
"type": "keyword"
},
"policy_identity_type": {
"ignore_above": 1024,
"type": "keyword"
},
"puas": {
"ignore_above": 1024,
"type": "keyword"
},
"sha_sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/client.json
+187
View File
@@ -0,0 +1,187 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"client": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"packets": {
"type": "long"
},
"port": {
"type": "long"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/cloud.json
+80
View File
@@ -0,0 +1,80 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"cloud": {
"properties": {
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"instance": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"service": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/container.json
+43
View File
@@ -0,0 +1,43 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"container": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"tag": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"labels": {
"type": "object"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"runtime": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/cyberark.json
+305
View File
@@ -0,0 +1,305 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"cyberarkpas": {
"properties": {
"audit": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"ca_properties": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"cpm_disabled": {
"ignore_above": 1024,
"type": "keyword"
},
"cpm_error_details": {
"ignore_above": 1024,
"type": "keyword"
},
"cpm_status": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_method": {
"ignore_above": 1024,
"type": "keyword"
},
"customer": {
"ignore_above": 1024,
"type": "keyword"
},
"database": {
"ignore_above": 1024,
"type": "keyword"
},
"device_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dual_account_status": {
"ignore_above": 1024,
"type": "keyword"
},
"group_name": {
"ignore_above": 1024,
"type": "keyword"
},
"in_process": {
"ignore_above": 1024,
"type": "keyword"
},
"index": {
"ignore_above": 1024,
"type": "keyword"
},
"last_fail_date": {
"ignore_above": 1024,
"type": "keyword"
},
"last_success_change": {
"ignore_above": 1024,
"type": "keyword"
},
"last_success_reconciliation": {
"ignore_above": 1024,
"type": "keyword"
},
"last_success_verification": {
"ignore_above": 1024,
"type": "keyword"
},
"last_task": {
"ignore_above": 1024,
"type": "keyword"
},
"logon_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"other": {
"type": "flattened"
},
"policy_id": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"ignore_above": 1024,
"type": "keyword"
},
"privcloud": {
"ignore_above": 1024,
"type": "keyword"
},
"reset_immediately": {
"ignore_above": 1024,
"type": "keyword"
},
"retries_count": {
"ignore_above": 1024,
"type": "keyword"
},
"sequence_id": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"user_dn": {
"ignore_above": 1024,
"type": "keyword"
},
"user_name": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_username": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"desc": {
"ignore_above": 1024,
"type": "keyword"
},
"extra_details": {
"properties": {
"ad_process_id": {
"ignore_above": 1024,
"type": "keyword"
},
"ad_process_name": {
"ignore_above": 1024,
"type": "keyword"
},
"application_type": {
"ignore_above": 1024,
"type": "keyword"
},
"command": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_component_id": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_host": {
"ignore_above": 1024,
"type": "keyword"
},
"logon_account": {
"ignore_above": 1024,
"type": "keyword"
},
"managed_account": {
"ignore_above": 1024,
"type": "keyword"
},
"other": {
"type": "flattened"
},
"process_id": {
"ignore_above": 1024,
"type": "keyword"
},
"process_name": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"psmid": {
"ignore_above": 1024,
"type": "keyword"
},
"session_duration": {
"ignore_above": 1024,
"type": "keyword"
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"src_host": {
"ignore_above": 1024,
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"file": {
"ignore_above": 1024,
"type": "keyword"
},
"gateway_station": {
"type": "ip"
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"iso_timestamp": {
"type": "date"
},
"issuer": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"doc_values": false,
"ignore_above": 4096,
"index": false,
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"message_id": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"pvwa_details": {
"type": "flattened"
},
"raw": {
"doc_values": false,
"ignore_above": 4096,
"index": false,
"type": "keyword"
},
"reason": {
"norms": false,
"type": "text"
},
"rfc5424": {
"type": "boolean"
},
"safe": {
"ignore_above": 1024,
"type": "keyword"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"source_user": {
"ignore_above": 1024,
"type": "keyword"
},
"station": {
"type": "ip"
},
"target_user": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/data_stream.json
+25
View File
@@ -0,0 +1,25 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"data_stream": {
"properties": {
"dataset": {
"type": "constant_keyword"
},
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/destination.json
+187
View File
@@ -0,0 +1,187 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"destination": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"packets": {
"type": "long"
},
"port": {
"type": "long"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/dll.json
+116
View File
@@ -0,0 +1,116 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"dll": {
"properties": {
"code_signature": {
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"pe": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/dns.json
+91
View File
@@ -0,0 +1,91 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"dns": {
"properties": {
"answers": {
"properties": {
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"ttl": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"header_flags": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"op_code": {
"ignore_above": 1024,
"type": "keyword"
},
"question": {
"properties": {
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"resolved_ip": {
"type": "ip"
},
"response_code": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/ecs.json
+20
View File
@@ -0,0 +1,20 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/elasticsearch.json
+25
View File
@@ -0,0 +1,25 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"@timestamp": {
"type": "date"
},
"labels": {
"type": "object"
},
"message": {
"type": "match_only_text"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/error.json
+39
View File
@@ -0,0 +1,39 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"error": {
"properties": {
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"type": "match_only_text"
},
"stack_trace": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/event.json
+112
View File
@@ -0,0 +1,112 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"event": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"dataset": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"type": "long"
},
"end": {
"type": "date"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"doc_values": false,
"index": false,
"type": "keyword"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_score": {
"type": "float"
},
"risk_score_norm": {
"type": "float"
},
"sequence": {
"type": "long"
},
"severity": {
"type": "long"
},
"start": {
"type": "date"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/file.json
+424
View File
@@ -0,0 +1,424 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"file": {
"properties": {
"accessed": {
"type": "date"
},
"attributes": {
"ignore_above": 1024,
"type": "keyword"
},
"code_signature": {
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"created": {
"type": "date"
},
"ctime": {
"type": "date"
},
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"directory": {
"ignore_above": 1024,
"type": "keyword"
},
"drive_letter": {
"ignore_above": 1,
"type": "keyword"
},
"elf": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_date": {
"type": "date"
},
"exports": {
"type": "flattened"
},
"header": {
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"imports": {
"type": "flattened"
},
"sections": {
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_address": {
"type": "long"
},
"virtual_size": {
"type": "long"
}
},
"type": "nested"
},
"segments": {
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "nested"
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"fork_name": {
"ignore_above": 1024,
"type": "keyword"
},
"gid": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"inode": {
"ignore_above": 1024,
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"mode": {
"ignore_above": 1024,
"type": "keyword"
},
"mtime": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"pe": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"size": {
"type": "long"
},
"target_path": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
},
"x509": {
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"doc_values": false,
"index": false,
"type": "long"
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/fortinet.json
+1627
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/ecs/gcp.json
+267
View File
@@ -0,0 +1,267 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"gcp": {
"properties": {
"audit": {
"properties": {
"authentication_info": {
"properties": {
"authority_selector": {
"ignore_above": 1024,
"type": "keyword"
},
"principal_email": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"method_name": {
"ignore_above": 1024,
"type": "keyword"
},
"num_response_items": {
"type": "long"
},
"request": {
"properties": {
"filter": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"proto_name": {
"ignore_above": 1024,
"type": "keyword"
},
"resource_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"request_metadata": {
"properties": {
"caller_ip": {
"type": "ip"
},
"caller_supplied_user_agent": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"resource_location": {
"properties": {
"current_locations": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"resource_name": {
"ignore_above": 1024,
"type": "keyword"
},
"response": {
"properties": {
"details": {
"properties": {
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"proto_name": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"service_name": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"properties": {
"code": {
"type": "long"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"destination": {
"properties": {
"instance": {
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword"
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vpc": {
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword"
},
"subnetwork_name": {
"ignore_above": 1024,
"type": "keyword"
},
"vpc_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"firewall": {
"properties": {
"rule_details": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_range": {
"ignore_above": 1024,
"type": "keyword"
},
"direction": {
"ignore_above": 1024,
"type": "keyword"
},
"priority": {
"type": "long"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"source_range": {
"ignore_above": 1024,
"type": "keyword"
},
"source_service_account": {
"ignore_above": 1024,
"type": "keyword"
},
"source_tag": {
"ignore_above": 1024,
"type": "keyword"
},
"target_service_account": {
"ignore_above": 1024,
"type": "keyword"
},
"target_tag": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"source": {
"properties": {
"instance": {
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword"
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vpc": {
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword"
},
"subnetwork_name": {
"ignore_above": 1024,
"type": "keyword"
},
"vpc_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"vpcflow": {
"properties": {
"reporter": {
"ignore_above": 1024,
"type": "keyword"
},
"rtt": {
"properties": {
"ms": {
"type": "long"
}
}
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/google_workspace.json
+750
View File
@@ -0,0 +1,750 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"google_workspace": {
"properties": {
"actor": {
"properties": {
"key": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"admin": {
"properties": {
"alert": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"api": {
"properties": {
"client": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"scopes": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"application": {
"properties": {
"asp_id": {
"ignore_above": 1024,
"type": "keyword"
},
"edition": {
"ignore_above": 1024,
"type": "keyword"
},
"enabled": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"licences_order_number": {
"ignore_above": 1024,
"type": "keyword"
},
"licences_purchased": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"package_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"bulk_upload": {
"properties": {
"failed": {
"type": "long"
},
"total": {
"type": "long"
}
}
},
"chrome_licenses": {
"properties": {
"allowed": {
"ignore_above": 1024,
"type": "keyword"
},
"enabled": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"chrome_os": {
"properties": {
"session_type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"device": {
"properties": {
"command_details": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"distribution": {
"properties": {
"entity": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"domain": {
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"secondary_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"email": {
"properties": {
"log_search_filter": {
"properties": {
"end_date": {
"type": "date"
},
"message_id": {
"ignore_above": 1024,
"type": "keyword"
},
"recipient": {
"properties": {
"ip": {
"type": "ip"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sender": {
"properties": {
"ip": {
"type": "ip"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"start_date": {
"type": "date"
}
}
},
"quarantine_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"email_dump": {
"properties": {
"include_deleted": {
"type": "boolean"
},
"package_content": {
"ignore_above": 1024,
"type": "keyword"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"email_monitor": {
"properties": {
"dest_email": {
"ignore_above": 1024,
"type": "keyword"
},
"level": {
"properties": {
"chat": {
"ignore_above": 1024,
"type": "keyword"
},
"draft": {
"ignore_above": 1024,
"type": "keyword"
},
"incoming": {
"ignore_above": 1024,
"type": "keyword"
},
"outgoing": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"field": {
"ignore_above": 1024,
"type": "keyword"
},
"gateway": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"group": {
"properties": {
"allowed_list": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"priorities": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"info_type": {
"ignore_above": 1024,
"type": "keyword"
},
"managed_configuration": {
"ignore_above": 1024,
"type": "keyword"
},
"mdm": {
"properties": {
"token": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"mobile": {
"properties": {
"action": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"certificate": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"company_owned_devices": {
"type": "long"
}
}
},
"new_value": {
"ignore_above": 1024,
"type": "keyword"
},
"non_featured_services_selection": {
"ignore_above": 1024,
"type": "keyword"
},
"oauth2": {
"properties": {
"application": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"service": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"old_value": {
"ignore_above": 1024,
"type": "keyword"
},
"org_unit": {
"properties": {
"full": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"print_server": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"printer": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"privilege": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"product": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"sku": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"request": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"resource": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"role": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"rule": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"service": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"setting": {
"properties": {
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"url": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user": {
"properties": {
"birthdate": {
"type": "date"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"nickname": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user_defined_setting": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"verification_method": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"drive": {
"properties": {
"added_role": {
"ignore_above": 1024,
"type": "keyword"
},
"billable": {
"type": "boolean"
},
"destination_folder_id": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_folder_title": {
"ignore_above": 1024,
"type": "keyword"
},
"file": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"owner": {
"properties": {
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"is_shared_drive": {
"type": "boolean"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"membership_change_type": {
"ignore_above": 1024,
"type": "keyword"
},
"new_value": {
"ignore_above": 1024,
"type": "keyword"
},
"old_value": {
"ignore_above": 1024,
"type": "keyword"
},
"old_visibility": {
"ignore_above": 1024,
"type": "keyword"
},
"originating_app_id": {
"ignore_above": 1024,
"type": "keyword"
},
"primary_event": {
"type": "boolean"
},
"removed_role": {
"ignore_above": 1024,
"type": "keyword"
},
"shared_drive_id": {
"ignore_above": 1024,
"type": "keyword"
},
"shared_drive_settings_change_type": {
"ignore_above": 1024,
"type": "keyword"
},
"sheets_import_range_recipient_doc": {
"ignore_above": 1024,
"type": "keyword"
},
"source_folder_id": {
"ignore_above": 1024,
"type": "keyword"
},
"source_folder_title": {
"ignore_above": 1024,
"type": "keyword"
},
"target": {
"ignore_above": 1024,
"type": "keyword"
},
"target_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"visibility": {
"ignore_above": 1024,
"type": "keyword"
},
"visibility_change": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"groups": {
"properties": {
"acl_permission": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"member": {
"properties": {
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"role": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"message": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"moderation_action": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"new_value": {
"ignore_above": 1024,
"type": "keyword"
},
"old_value": {
"ignore_above": 1024,
"type": "keyword"
},
"setting": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"login": {
"properties": {
"affected_email_address": {
"ignore_above": 1024,
"type": "keyword"
},
"challenge_method": {
"ignore_above": 1024,
"type": "keyword"
},
"failure_type": {
"ignore_above": 1024,
"type": "keyword"
},
"is_second_factor": {
"type": "boolean"
},
"is_suspicious": {
"type": "boolean"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"organization": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"saml": {
"properties": {
"application_name": {
"ignore_above": 1024,
"type": "keyword"
},
"failure_type": {
"ignore_above": 1024,
"type": "keyword"
},
"initiated_by": {
"ignore_above": 1024,
"type": "keyword"
},
"orgunit_path": {
"ignore_above": 1024,
"type": "keyword"
},
"second_level_status_code": {
"ignore_above": 1024,
"type": "keyword"
},
"status_code": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/group.json
+28
View File
@@ -0,0 +1,28 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/host.json
+247
View File
@@ -0,0 +1,247 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"host": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu": {
"properties": {
"usage": {
"scaling_factor": 1000,
"type": "scaled_float"
}
}
},
"disk": {
"properties": {
"read": {
"properties": {
"bytes": {
"type": "long"
}
}
},
"write": {
"properties": {
"bytes": {
"type": "long"
}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"network": {
"properties": {
"egress": {
"properties": {
"bytes": {
"type": "long"
},
"packets": {
"type": "long"
}
}
},
"ingress": {
"properties": {
"bytes": {
"type": "long"
},
"packets": {
"type": "long"
}
}
}
}
},
"os": {
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uptime": {
"type": "long"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/http.json
+87
View File
@@ -0,0 +1,87 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"http": {
"properties": {
"request": {
"properties": {
"body": {
"properties": {
"bytes": {
"type": "long"
},
"content": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
}
}
},
"bytes": {
"type": "long"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"referrer": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"response": {
"properties": {
"body": {
"properties": {
"bytes": {
"type": "long"
},
"content": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
}
}
},
"bytes": {
"type": "long"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"status_code": {
"type": "long"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/juniper.json
+378
View File
@@ -0,0 +1,378 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"juniper": {
"properties": {
"srx": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"action_detail": {
"ignore_above": 1024,
"type": "keyword"
},
"alert": {
"ignore_above": 1024,
"type": "keyword"
},
"apbr_rule_type": {
"ignore_above": 1024,
"type": "keyword"
},
"application": {
"ignore_above": 1024,
"type": "keyword"
},
"application_category": {
"ignore_above": 1024,
"type": "keyword"
},
"application_characteristics": {
"ignore_above": 1024,
"type": "keyword"
},
"application_name": {
"ignore_above": 1024,
"type": "keyword"
},
"application_sub_category": {
"ignore_above": 1024,
"type": "keyword"
},
"attack_name": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"client_ip": {
"type": "ip"
},
"connection_hit_rate": {
"type": "long"
},
"connection_tag": {
"ignore_above": 1024,
"type": "keyword"
},
"context_hit_rate": {
"type": "long"
},
"context_name": {
"ignore_above": 1024,
"type": "keyword"
},
"context_value": {
"ignore_above": 1024,
"type": "keyword"
},
"context_value_hit_rate": {
"type": "long"
},
"ddos_application_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dscp_value": {
"type": "long"
},
"dst_nat_rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_nat_rule_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_vrf_grp": {
"ignore_above": 1024,
"type": "keyword"
},
"elapsed_time": {
"type": "date"
},
"encrypted": {
"ignore_above": 1024,
"type": "keyword"
},
"epoch_time": {
"type": "date"
},
"error_code": {
"ignore_above": 1024,
"type": "keyword"
},
"error_message": {
"ignore_above": 1024,
"type": "keyword"
},
"export_id": {
"type": "long"
},
"feed_name": {
"ignore_above": 1024,
"type": "keyword"
},
"file_category": {
"ignore_above": 1024,
"type": "keyword"
},
"file_hash_lookup": {
"ignore_above": 1024,
"type": "keyword"
},
"file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"filename": {
"ignore_above": 1024,
"type": "keyword"
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_type": {
"type": "long"
},
"inbound_bytes": {
"type": "long"
},
"inbound_packets": {
"type": "long"
},
"index": {
"ignore_above": 1024,
"type": "keyword"
},
"logical_system_name": {
"ignore_above": 1024,
"type": "keyword"
},
"malware_info": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"message_type": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"nat_connection_tag": {
"ignore_above": 1024,
"type": "keyword"
},
"nested_application": {
"ignore_above": 1024,
"type": "keyword"
},
"obj": {
"ignore_above": 1024,
"type": "keyword"
},
"occur_count": {
"type": "long"
},
"outbound_bytes": {
"type": "long"
},
"outbound_packets": {
"type": "long"
},
"packet_log_id": {
"type": "long"
},
"peer_destination_address": {
"type": "ip"
},
"peer_destination_port": {
"type": "long"
},
"peer_session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"peer_source_address": {
"type": "ip"
},
"peer_source_port": {
"type": "long"
},
"policy_name": {
"ignore_above": 1024,
"type": "keyword"
},
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"profile": {
"ignore_above": 1024,
"type": "keyword"
},
"profile_name": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol_id": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"repeat_count": {
"type": "long"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
},
"routing_instance": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"ruleebase_name": {
"ignore_above": 1024,
"type": "keyword"
},
"sample_sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"secure_web_proxy_session_type": {
"ignore_above": 1024,
"type": "keyword"
},
"service_name": {
"ignore_above": 1024,
"type": "keyword"
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"session_id_32": {
"ignore_above": 1024,
"type": "keyword"
},
"src_nat_rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"src_nat_rule_type": {
"ignore_above": 1024,
"type": "keyword"
},
"src_vrf_grp": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"sub_category": {
"ignore_above": 1024,
"type": "keyword"
},
"tag": {
"ignore_above": 1024,
"type": "keyword"
},
"temporary_filename": {
"ignore_above": 1024,
"type": "keyword"
},
"tenant_id": {
"ignore_above": 1024,
"type": "keyword"
},
"th": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_severity": {
"ignore_above": 1024,
"type": "keyword"
},
"time_count": {
"type": "long"
},
"time_period": {
"type": "long"
},
"time_scope": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uplink_rx_bytes": {
"type": "long"
},
"uplink_tx_bytes": {
"type": "long"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
},
"verdict_number": {
"type": "long"
},
"verdict_source": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/kibana.json
+75
View File
@@ -0,0 +1,75 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"kibana": {
"properties": {
"add_to_spaces": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_provider": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_realm": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_type": {
"ignore_above": 1024,
"type": "keyword"
},
"delete_from_spaces": {
"ignore_above": 1024,
"type": "keyword"
},
"log": {
"properties": {
"meta": {
"type": "object"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"lookup_realm": {
"ignore_above": 1024,
"type": "keyword"
},
"saved_object": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"space_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/log.json
+86
View File
@@ -0,0 +1,86 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"log": {
"properties": {
"file": {
"properties": {
"path": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"level": {
"ignore_above": 1024,
"type": "keyword"
},
"logger": {
"ignore_above": 1024,
"type": "keyword"
},
"origin": {
"properties": {
"file": {
"properties": {
"line": {
"type": "integer"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"function": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"original": {
"doc_values": false,
"index": false,
"type": "keyword"
},
"syslog": {
"properties": {
"facility": {
"properties": {
"code": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"priority": {
"type": "long"
},
"severity": {
"properties": {
"code": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"type": "object"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/logstash.json
+99
View File
@@ -0,0 +1,99 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"logstash": {
"properties": {
"log": {
"properties": {
"log_event": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"pipeline_id": {
"ignore_above": 1024,
"type": "keyword"
},
"thread": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
},
"slowlog": {
"properties": {
"event": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"plugin_name": {
"ignore_above": 1024,
"type": "keyword"
},
"plugin_params": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"plugin_params_object": {
"type": "object"
},
"plugin_type": {
"ignore_above": 1024,
"type": "keyword"
},
"thread": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"took_in_millis": {
"type": "long"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/microsoft.json
+265
View File
@@ -0,0 +1,265 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"microsoft": {
"properties": {
"defender_atp": {
"properties": {
"assignedTo": {
"ignore_above": 1024,
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"determination": {
"ignore_above": 1024,
"type": "keyword"
},
"evidence": {
"properties": {
"aadUserId": {
"ignore_above": 1024,
"type": "keyword"
},
"accountName": {
"ignore_above": 1024,
"type": "keyword"
},
"domainName": {
"ignore_above": 1024,
"type": "keyword"
},
"entityType": {
"ignore_above": 1024,
"type": "keyword"
},
"ipAddress": {
"type": "ip"
},
"userPrincipalName": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"incidentId": {
"ignore_above": 1024,
"type": "keyword"
},
"investigationId": {
"ignore_above": 1024,
"type": "keyword"
},
"investigationState": {
"ignore_above": 1024,
"type": "keyword"
},
"lastUpdateTime": {
"type": "date"
},
"rbacGroupName": {
"ignore_above": 1024,
"type": "keyword"
},
"resolvedTime": {
"type": "date"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"threatFamilyName": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"m365_defender": {
"properties": {
"alerts": {
"properties": {
"actorName": {
"ignore_above": 1024,
"type": "keyword"
},
"assignedTo": {
"ignore_above": 1024,
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"creationTime": {
"type": "date"
},
"detectionSource": {
"ignore_above": 1024,
"type": "keyword"
},
"determination": {
"ignore_above": 1024,
"type": "keyword"
},
"devices": {
"type": "flattened"
},
"entities": {
"properties": {
"accountName": {
"ignore_above": 1024,
"type": "keyword"
},
"clusterBy": {
"ignore_above": 1024,
"type": "keyword"
},
"deliveryAction": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceId": {
"ignore_above": 1024,
"type": "keyword"
},
"entityType": {
"ignore_above": 1024,
"type": "keyword"
},
"ipAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"mailboxAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"mailboxDisplayName": {
"ignore_above": 1024,
"type": "keyword"
},
"recipient": {
"ignore_above": 1024,
"type": "keyword"
},
"registryHive": {
"ignore_above": 1024,
"type": "keyword"
},
"registryKey": {
"ignore_above": 1024,
"type": "keyword"
},
"registryValueType": {
"ignore_above": 1024,
"type": "keyword"
},
"securityGroupId": {
"ignore_above": 1024,
"type": "keyword"
},
"securityGroupName": {
"ignore_above": 1024,
"type": "keyword"
},
"sender": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"incidentId": {
"ignore_above": 1024,
"type": "keyword"
},
"investigationId": {
"ignore_above": 1024,
"type": "keyword"
},
"investigationState": {
"ignore_above": 1024,
"type": "keyword"
},
"lastUpdatedTime": {
"type": "date"
},
"mitreTechniques": {
"ignore_above": 1024,
"type": "keyword"
},
"resolvedTime": {
"type": "date"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"threatFamilyName": {
"ignore_above": 1024,
"type": "keyword"
},
"userSid": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"assignedTo": {
"ignore_above": 1024,
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"determination": {
"ignore_above": 1024,
"type": "keyword"
},
"incidentId": {
"ignore_above": 1024,
"type": "keyword"
},
"incidentName": {
"ignore_above": 1024,
"type": "keyword"
},
"investigationState": {
"ignore_above": 1024,
"type": "keyword"
},
"redirectIncidentId": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/misp.json
+425
View File
@@ -0,0 +1,425 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"misp": {
"properties": {
"attack_pattern": {
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"kill_chain_phases": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"campaign": {
"properties": {
"aliases": {
"norms": false,
"type": "text"
},
"description": {
"norms": false,
"type": "text"
},
"first_seen": {
"type": "date"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"last_seen": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"objective": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"course_of_action": {
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"identity": {
"properties": {
"contact_information": {
"norms": false,
"type": "text"
},
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"identity_class": {
"ignore_above": 1024,
"type": "keyword"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"sectors": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"intrusion_set": {
"properties": {
"aliases": {
"norms": false,
"type": "text"
},
"description": {
"norms": false,
"type": "text"
},
"first_seen": {
"type": "date"
},
"goals": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"last_seen": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"primary_motivation": {
"norms": false,
"type": "text"
},
"resource_level": {
"norms": false,
"type": "text"
},
"secondary_motivations": {
"norms": false,
"type": "text"
}
}
},
"malware": {
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"kill_chain_phases": {
"ignore_above": 1024,
"type": "keyword"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"note": {
"properties": {
"authors": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"object_refs": {
"ignore_above": 1024,
"type": "keyword"
},
"summary": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"observed_data": {
"properties": {
"first_observed": {
"type": "date"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"last_observed": {
"type": "date"
},
"number_observed": {
"type": "long"
},
"objects": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"report": {
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"object_refs": {
"norms": false,
"type": "text"
},
"published": {
"type": "date"
}
}
},
"threat_actor": {
"properties": {
"aliases": {
"norms": false,
"type": "text"
},
"description": {
"norms": false,
"type": "text"
},
"goals": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"personal_motivations": {
"norms": false,
"type": "text"
},
"primary_motivation": {
"norms": false,
"type": "text"
},
"resource_level": {
"norms": false,
"type": "text"
},
"roles": {
"norms": false,
"type": "text"
},
"secondary_motivations": {
"norms": false,
"type": "text"
},
"sophistication": {
"norms": false,
"type": "text"
}
}
},
"threat_indicator": {
"properties": {
"attack_pattern": {
"ignore_above": 1024,
"type": "keyword"
},
"attack_pattern_kql": {
"ignore_above": 1024,
"type": "keyword"
},
"campaign": {
"ignore_above": 1024,
"type": "keyword"
},
"confidence": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"norms": false,
"type": "text"
},
"feed": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"intrusion_set": {
"ignore_above": 1024,
"type": "keyword"
},
"kill_chain_phases": {
"ignore_above": 1024,
"type": "keyword"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_tactic": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_technique": {
"ignore_above": 1024,
"type": "keyword"
},
"negate": {
"type": "boolean"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_actor": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"valid_from": {
"type": "date"
},
"valid_until": {
"type": "date"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tool": {
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"kill_chain_phases": {
"norms": false,
"type": "text"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"tool_version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vulnerability": {
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/netflow.json
+1423
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/ecs/network.json
+86
View File
@@ -0,0 +1,86 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"network": {
"properties": {
"application": {
"ignore_above": 1024,
"type": "keyword"
},
"bytes": {
"type": "long"
},
"community_id": {
"ignore_above": 1024,
"type": "keyword"
},
"direction": {
"ignore_above": 1024,
"type": "keyword"
},
"forwarded_ip": {
"type": "ip"
},
"iana_number": {
"ignore_above": 1024,
"type": "keyword"
},
"inner": {
"properties": {
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"type": "object"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"packets": {
"type": "long"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"transport": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/o365.json
+445
View File
@@ -0,0 +1,445 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"o365": {
"properties": {
"audit": {
"properties": {
"AADGroupId": {
"ignore_above": 1024,
"type": "keyword"
},
"ActorContextId": {
"ignore_above": 1024,
"type": "keyword"
},
"ActorIpAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"ActorUserId": {
"ignore_above": 1024,
"type": "keyword"
},
"ActorYammerUserId": {
"ignore_above": 1024,
"type": "keyword"
},
"AlertEntityId": {
"ignore_above": 1024,
"type": "keyword"
},
"AlertId": {
"ignore_above": 1024,
"type": "keyword"
},
"AlertType": {
"ignore_above": 1024,
"type": "keyword"
},
"AppId": {
"ignore_above": 1024,
"type": "keyword"
},
"ApplicationDisplayName": {
"ignore_above": 1024,
"type": "keyword"
},
"ApplicationId": {
"ignore_above": 1024,
"type": "keyword"
},
"AzureActiveDirectoryEventType": {
"ignore_above": 1024,
"type": "keyword"
},
"Category": {
"ignore_above": 1024,
"type": "keyword"
},
"ClientAppId": {
"ignore_above": 1024,
"type": "keyword"
},
"ClientIP": {
"ignore_above": 1024,
"type": "keyword"
},
"ClientIPAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"ClientInfoString": {
"ignore_above": 1024,
"type": "keyword"
},
"Comments": {
"norms": false,
"type": "text"
},
"CommunicationType": {
"ignore_above": 1024,
"type": "keyword"
},
"CorrelationId": {
"ignore_above": 1024,
"type": "keyword"
},
"CreationTime": {
"ignore_above": 1024,
"type": "keyword"
},
"CustomUniqueId": {
"ignore_above": 1024,
"type": "keyword"
},
"Data": {
"ignore_above": 1024,
"type": "keyword"
},
"DataType": {
"ignore_above": 1024,
"type": "keyword"
},
"DoNotDistributeEvent": {
"type": "boolean"
},
"EntityType": {
"ignore_above": 1024,
"type": "keyword"
},
"ErrorNumber": {
"ignore_above": 1024,
"type": "keyword"
},
"EventData": {
"ignore_above": 1024,
"type": "keyword"
},
"EventSource": {
"ignore_above": 1024,
"type": "keyword"
},
"ExceptionInfo": {
"properties": {
"*": {
"type": "object"
}
}
},
"ExchangeMetaData": {
"properties": {
"*": {
"type": "object"
}
}
},
"ExtendedProperties": {
"properties": {
"*": {
"type": "object"
}
}
},
"ExternalAccess": {
"ignore_above": 1024,
"type": "keyword"
},
"FromApp": {
"type": "boolean"
},
"GroupName": {
"ignore_above": 1024,
"type": "keyword"
},
"Id": {
"ignore_above": 1024,
"type": "keyword"
},
"ImplicitShare": {
"ignore_above": 1024,
"type": "keyword"
},
"IncidentId": {
"ignore_above": 1024,
"type": "keyword"
},
"InterSystemsId": {
"ignore_above": 1024,
"type": "keyword"
},
"InternalLogonType": {
"ignore_above": 1024,
"type": "keyword"
},
"IntraSystemId": {
"ignore_above": 1024,
"type": "keyword"
},
"IsDocLib": {
"type": "boolean"
},
"Item": {
"properties": {
"*": {
"properties": {
"*": {
"type": "object"
}
},
"type": "object"
}
}
},
"ItemCount": {
"type": "long"
},
"ItemName": {
"ignore_above": 1024,
"type": "keyword"
},
"ItemType": {
"ignore_above": 1024,
"type": "keyword"
},
"ListBaseTemplateType": {
"ignore_above": 1024,
"type": "keyword"
},
"ListBaseType": {
"ignore_above": 1024,
"type": "keyword"
},
"ListColor": {
"ignore_above": 1024,
"type": "keyword"
},
"ListIcon": {
"ignore_above": 1024,
"type": "keyword"
},
"ListId": {
"ignore_above": 1024,
"type": "keyword"
},
"ListItemUniqueId": {
"ignore_above": 1024,
"type": "keyword"
},
"ListTitle": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonError": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonType": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"MailboxGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"MailboxOwnerMasterAccountSid": {
"ignore_above": 1024,
"type": "keyword"
},
"MailboxOwnerSid": {
"ignore_above": 1024,
"type": "keyword"
},
"MailboxOwnerUPN": {
"ignore_above": 1024,
"type": "keyword"
},
"Members": {
"properties": {
"*": {
"type": "object"
}
}
},
"ModifiedProperties": {
"properties": {
"*": {
"properties": {
"*": {
"type": "object"
}
}
}
}
},
"Name": {
"ignore_above": 1024,
"type": "keyword"
},
"ObjectId": {
"ignore_above": 1024,
"type": "keyword"
},
"Operation": {
"ignore_above": 1024,
"type": "keyword"
},
"OrganizationId": {
"ignore_above": 1024,
"type": "keyword"
},
"OrganizationName": {
"ignore_above": 1024,
"type": "keyword"
},
"OriginatingServer": {
"ignore_above": 1024,
"type": "keyword"
},
"Parameters": {
"properties": {
"*": {
"type": "object"
}
}
},
"PolicyId": {
"ignore_above": 1024,
"type": "keyword"
},
"RecordType": {
"ignore_above": 1024,
"type": "keyword"
},
"ResultStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"SensitiveInfoDetectionIsIncluded": {
"ignore_above": 1024,
"type": "keyword"
},
"SessionId": {
"ignore_above": 1024,
"type": "keyword"
},
"Severity": {
"ignore_above": 1024,
"type": "keyword"
},
"SharePointMetaData": {
"properties": {
"*": {
"type": "object"
}
}
},
"Site": {
"ignore_above": 1024,
"type": "keyword"
},
"SiteUrl": {
"ignore_above": 1024,
"type": "keyword"
},
"Source": {
"ignore_above": 1024,
"type": "keyword"
},
"SourceFileExtension": {
"ignore_above": 1024,
"type": "keyword"
},
"SourceFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"SourceRelativeUrl": {
"ignore_above": 1024,
"type": "keyword"
},
"Status": {
"ignore_above": 1024,
"type": "keyword"
},
"SupportTicketId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetContextId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserOrGroupName": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserOrGroupType": {
"ignore_above": 1024,
"type": "keyword"
},
"TeamGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"TeamName": {
"ignore_above": 1024,
"type": "keyword"
},
"TemplateTypeId": {
"ignore_above": 1024,
"type": "keyword"
},
"UniqueSharingId": {
"ignore_above": 1024,
"type": "keyword"
},
"UserAgent": {
"ignore_above": 1024,
"type": "keyword"
},
"UserId": {
"ignore_above": 1024,
"type": "keyword"
},
"UserKey": {
"ignore_above": 1024,
"type": "keyword"
},
"UserType": {
"ignore_above": 1024,
"type": "keyword"
},
"Version": {
"ignore_above": 1024,
"type": "keyword"
},
"WebId": {
"ignore_above": 1024,
"type": "keyword"
},
"Workload": {
"ignore_above": 1024,
"type": "keyword"
},
"YammerNetworkId": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/observer.json
+214
View File
@@ -0,0 +1,214 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"observer": {
"properties": {
"egress": {
"properties": {
"interface": {
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"ingress": {
"properties": {
"interface": {
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/okta.json
+293
View File
@@ -0,0 +1,293 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"okta": {
"properties": {
"actor": {
"properties": {
"alternate_id": {
"ignore_above": 1024,
"type": "keyword"
},
"display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"authentication_context": {
"properties": {
"authentication_provider": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_step": {
"type": "long"
},
"credential_provider": {
"ignore_above": 1024,
"type": "keyword"
},
"credential_type": {
"ignore_above": 1024,
"type": "keyword"
},
"external_session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"interface": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"client": {
"properties": {
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"user_agent": {
"properties": {
"browser": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"ignore_above": 1024,
"type": "keyword"
},
"raw_user_agent": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"debug_context": {
"properties": {
"debug_data": {
"properties": {
"device_fingerprint": {
"ignore_above": 1024,
"type": "keyword"
},
"request_id": {
"ignore_above": 1024,
"type": "keyword"
},
"request_uri": {
"ignore_above": 1024,
"type": "keyword"
},
"suspicious_activity": {
"properties": {
"browser": {
"ignore_above": 1024,
"type": "keyword"
},
"event_city": {
"ignore_above": 1024,
"type": "keyword"
},
"event_country": {
"ignore_above": 1024,
"type": "keyword"
},
"event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"event_ip": {
"type": "ip"
},
"event_latitude": {
"type": "float"
},
"event_longitude": {
"type": "float"
},
"event_state": {
"ignore_above": 1024,
"type": "keyword"
},
"event_transaction_id": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
}
}
},
"threat_suspected": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"display_message": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"outcome": {
"properties": {
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"request": {
"properties": {
"ip_chain": {
"properties": {
"geographical_context": {
"properties": {
"city": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"geolocation": {
"type": "geo_point"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"source": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"security_context": {
"properties": {
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"is_proxy": {
"type": "boolean"
},
"isp": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"target": {
"type": "flattened"
},
"transaction": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/orchestrator.json
+60
View File
@@ -0,0 +1,60 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"orchestrator": {
"properties": {
"api_version": {
"ignore_above": 1024,
"type": "keyword"
},
"cluster": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"namespace": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"resource": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/organization.json
+29
View File
@@ -0,0 +1,29 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"organization": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/package.json
+66
View File
@@ -0,0 +1,66 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"package": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"build_version": {
"ignore_above": 1024,
"type": "keyword"
},
"checksum": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"install_scope": {
"ignore_above": 1024,
"type": "keyword"
},
"installed": {
"type": "date"
},
"license": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/process.json
+612
View File
@@ -0,0 +1,612 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"process": {
"properties": {
"args": {
"ignore_above": 1024,
"type": "keyword"
},
"args_count": {
"type": "long"
},
"code_signature": {
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"command_line": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
},
"elf": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_date": {
"type": "date"
},
"exports": {
"type": "flattened"
},
"header": {
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"imports": {
"type": "flattened"
},
"sections": {
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_address": {
"type": "long"
},
"virtual_size": {
"type": "long"
}
},
"type": "nested"
},
"segments": {
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "nested"
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"end": {
"type": "date"
},
"entity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"executable": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"exit_code": {
"type": "long"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"parent": {
"properties": {
"args": {
"ignore_above": 1024,
"type": "keyword"
},
"args_count": {
"type": "long"
},
"code_signature": {
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"command_line": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
},
"elf": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_date": {
"type": "date"
},
"exports": {
"type": "flattened"
},
"header": {
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"imports": {
"type": "flattened"
},
"sections": {
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_address": {
"type": "long"
},
"virtual_size": {
"type": "long"
}
},
"type": "nested"
},
"segments": {
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "nested"
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"end": {
"type": "date"
},
"entity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"executable": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"exit_code": {
"type": "long"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"pe": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pgid": {
"type": "long"
},
"pid": {
"type": "long"
},
"ppid": {
"type": "long"
},
"start": {
"type": "date"
},
"thread": {
"properties": {
"id": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"title": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"uptime": {
"type": "long"
},
"working_directory": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pe": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pgid": {
"type": "long"
},
"pid": {
"type": "long"
},
"ppid": {
"type": "long"
},
"start": {
"type": "date"
},
"thread": {
"properties": {
"id": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"title": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"uptime": {
"type": "long"
},
"working_directory": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/redis.json
+50
View File
@@ -0,0 +1,50 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"redis": {
"properties": {
"log": {
"properties": {
"role": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"slowlog": {
"properties": {
"args": {
"ignore_above": 1024,
"type": "keyword"
},
"cmd": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"properties": {
"us": {
"type": "long"
}
}
},
"id": {
"type": "long"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/registry.json
+47
View File
@@ -0,0 +1,47 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"registry": {
"properties": {
"data": {
"properties": {
"bytes": {
"ignore_above": 1024,
"type": "keyword"
},
"strings": {
"type": "wildcard"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hive": {
"ignore_above": 1024,
"type": "keyword"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/related.json
+31
View File
@@ -0,0 +1,31 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"related": {
"properties": {
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"hosts": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/rule.json
+56
View File
@@ -0,0 +1,56 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"rule": {
"properties": {
"author": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"license": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"ruleset": {
"ignore_above": 1024,
"type": "keyword"
},
"uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/server.json
+187
View File
@@ -0,0 +1,187 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"server": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"packets": {
"type": "long"
},
"port": {
"type": "long"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/service.json
+56
View File
@@ -0,0 +1,56 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"service": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"environment": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"node": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/snyk.json
+149
View File
@@ -0,0 +1,149 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"snyk": {
"properties": {
"audit": {
"properties": {
"content": {
"type": "flattened"
},
"org_id": {
"ignore_above": 1024,
"type": "keyword"
},
"project_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"projects": {
"type": "flattened"
},
"related": {
"properties": {
"projects": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vulnerabilities": {
"properties": {
"credit": {
"ignore_above": 1024,
"type": "keyword"
},
"cvss3": {
"ignore_above": 1024,
"type": "keyword"
},
"disclosure_time": {
"type": "date"
},
"exploit_maturity": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"identifiers": {
"properties": {
"alternative": {
"ignore_above": 1024,
"type": "keyword"
},
"cwe": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"introduced_date": {
"type": "date"
},
"is_fixed": {
"type": "boolean"
},
"is_ignored": {
"type": "boolean"
},
"is_patchable": {
"type": "boolean"
},
"is_patched": {
"type": "boolean"
},
"is_pinnable": {
"type": "boolean"
},
"is_upgradable": {
"type": "boolean"
},
"jira_issue_url": {
"ignore_above": 1024,
"type": "keyword"
},
"language": {
"ignore_above": 1024,
"type": "keyword"
},
"original_severity": {
"type": "long"
},
"package": {
"ignore_above": 1024,
"type": "keyword"
},
"package_manager": {
"ignore_above": 1024,
"type": "keyword"
},
"patches": {
"type": "flattened"
},
"priority_score": {
"type": "long"
},
"publication_time": {
"type": "date"
},
"reachability": {
"ignore_above": 1024,
"type": "keyword"
},
"semver": {
"type": "flattened"
},
"title": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"unique_severities_list": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/sophos.json
+722
View File
@@ -0,0 +1,722 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"sophos": {
"properties": {
"xg": {
"properties": {
"Configuration": {
"type": "float"
},
"Mode": {
"ignore_above": 1024,
"type": "keyword"
},
"PHPSESSID": {
"ignore_above": 1024,
"type": "keyword"
},
"Reports": {
"type": "float"
},
"Signature": {
"type": "float"
},
"SysLog_SERVER_NAME": {
"ignore_above": 1024,
"type": "keyword"
},
"Temp": {
"type": "float"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"activityname": {
"ignore_above": 1024,
"type": "keyword"
},
"ap": {
"ignore_above": 1024,
"type": "keyword"
},
"app_is_cloud": {
"ignore_above": 1024,
"type": "keyword"
},
"appfilter_policy_id": {
"type": "long"
},
"application": {
"ignore_above": 1024,
"type": "keyword"
},
"application_category": {
"ignore_above": 1024,
"type": "keyword"
},
"application_filter_policy": {
"type": "long"
},
"application_name": {
"ignore_above": 1024,
"type": "keyword"
},
"application_risk": {
"ignore_above": 1024,
"type": "keyword"
},
"application_technology": {
"ignore_above": 1024,
"type": "keyword"
},
"appresolvedby": {
"ignore_above": 1024,
"type": "keyword"
},
"auth_client": {
"ignore_above": 1024,
"type": "keyword"
},
"auth_mechanism": {
"ignore_above": 1024,
"type": "keyword"
},
"av_policy_name": {
"ignore_above": 1024,
"type": "keyword"
},
"backup_mode": {
"ignore_above": 1024,
"type": "keyword"
},
"branch_name": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"category_type": {
"ignore_above": 1024,
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"client_host_name": {
"ignore_above": 1024,
"type": "keyword"
},
"client_physical_address": {
"ignore_above": 1024,
"type": "keyword"
},
"clients_conn_ssid": {
"ignore_above": 1024,
"type": "keyword"
},
"collisions": {
"type": "long"
},
"con_id": {
"type": "long"
},
"conn_id": {
"type": "long"
},
"connectionname": {
"ignore_above": 1024,
"type": "keyword"
},
"connectiontype": {
"ignore_above": 1024,
"type": "keyword"
},
"connevent": {
"ignore_above": 1024,
"type": "keyword"
},
"connid": {
"ignore_above": 1024,
"type": "keyword"
},
"contenttype": {
"ignore_above": 1024,
"type": "keyword"
},
"context_match": {
"ignore_above": 1024,
"type": "keyword"
},
"context_prefix": {
"ignore_above": 1024,
"type": "keyword"
},
"context_suffix": {
"ignore_above": 1024,
"type": "keyword"
},
"cookie": {
"ignore_above": 1024,
"type": "keyword"
},
"date": {
"type": "date"
},
"destinationip": {
"type": "ip"
},
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"device_id": {
"ignore_above": 1024,
"type": "keyword"
},
"device_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dictionary_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dir_disp": {
"ignore_above": 1024,
"type": "keyword"
},
"direction": {
"ignore_above": 1024,
"type": "keyword"
},
"domainname": {
"ignore_above": 1024,
"type": "keyword"
},
"download_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"download_file_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_country_code": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_domainname": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_ip": {
"type": "ip"
},
"dst_port": {
"type": "long"
},
"dstdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"dstzone": {
"ignore_above": 1024,
"type": "keyword"
},
"dstzonetype": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"type": "long"
},
"email_subject": {
"ignore_above": 1024,
"type": "keyword"
},
"ep_uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"eventid": {
"ignore_above": 1024,
"type": "keyword"
},
"eventtime": {
"type": "date"
},
"eventtype": {
"ignore_above": 1024,
"type": "keyword"
},
"exceptions": {
"ignore_above": 1024,
"type": "keyword"
},
"execution_path": {
"ignore_above": 1024,
"type": "keyword"
},
"extra": {
"ignore_above": 1024,
"type": "keyword"
},
"file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"file_path": {
"ignore_above": 1024,
"type": "keyword"
},
"file_size": {
"type": "long"
},
"filename": {
"ignore_above": 1024,
"type": "keyword"
},
"filepath": {
"ignore_above": 1024,
"type": "keyword"
},
"filesize": {
"type": "long"
},
"free": {
"type": "long"
},
"from_email_address": {
"ignore_above": 1024,
"type": "keyword"
},
"ftp_direction": {
"ignore_above": 1024,
"type": "keyword"
},
"ftp_url": {
"ignore_above": 1024,
"type": "keyword"
},
"ftpcommand": {
"ignore_above": 1024,
"type": "keyword"
},
"fw_rule_id": {
"type": "long"
},
"hb_health": {
"ignore_above": 1024,
"type": "keyword"
},
"host": {
"ignore_above": 1024,
"type": "keyword"
},
"httpresponsecode": {
"type": "long"
},
"iap": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_code": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_type": {
"ignore_above": 1024,
"type": "keyword"
},
"idle_cpu": {
"type": "float"
},
"idp_policy_id": {
"type": "long"
},
"idp_policy_name": {
"ignore_above": 1024,
"type": "keyword"
},
"in_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"interface": {
"ignore_above": 1024,
"type": "keyword"
},
"ipaddress": {
"ignore_above": 1024,
"type": "keyword"
},
"ips_policy_id": {
"type": "long"
},
"localgateway": {
"ignore_above": 1024,
"type": "keyword"
},
"localnetwork": {
"ignore_above": 1024,
"type": "keyword"
},
"log_component": {
"ignore_above": 1024,
"type": "keyword"
},
"log_id": {
"ignore_above": 1024,
"type": "keyword"
},
"log_subtype": {
"ignore_above": 1024,
"type": "keyword"
},
"log_type": {
"ignore_above": 1024,
"type": "keyword"
},
"login_user": {
"ignore_above": 1024,
"type": "keyword"
},
"mailid": {
"ignore_above": 1024,
"type": "keyword"
},
"mailsize": {
"type": "long"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"message_id": {
"ignore_above": 1024,
"type": "keyword"
},
"newversion": {
"ignore_above": 1024,
"type": "keyword"
},
"oldversion": {
"ignore_above": 1024,
"type": "keyword"
},
"out_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"override_authorizer": {
"ignore_above": 1024,
"type": "keyword"
},
"override_name": {
"ignore_above": 1024,
"type": "keyword"
},
"override_token": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"policy_type": {
"ignore_above": 1024,
"type": "keyword"
},
"priority": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"quarantine": {
"ignore_above": 1024,
"type": "keyword"
},
"quarantine_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"querystring": {
"ignore_above": 1024,
"type": "keyword"
},
"raw_data": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"received_pkts": {
"type": "long"
},
"receiveddrops": {
"type": "long"
},
"receivederrors": {
"ignore_above": 1024,
"type": "keyword"
},
"receivedkbits": {
"type": "long"
},
"recv_bytes": {
"type": "long"
},
"red_id": {
"ignore_above": 1024,
"type": "keyword"
},
"referer": {
"ignore_above": 1024,
"type": "keyword"
},
"remote_ip": {
"type": "ip"
},
"remotenetwork": {
"ignore_above": 1024,
"type": "keyword"
},
"responsetime": {
"type": "long"
},
"rule_priority": {
"ignore_above": 1024,
"type": "keyword"
},
"sent_bytes": {
"type": "long"
},
"sent_pkts": {
"type": "long"
},
"server": {
"ignore_above": 1024,
"type": "keyword"
},
"sessionid": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1sum": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_id": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_msg": {
"ignore_above": 1024,
"type": "keyword"
},
"site_category": {
"ignore_above": 1024,
"type": "keyword"
},
"source": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceip": {
"type": "ip"
},
"spamaction": {
"ignore_above": 1024,
"type": "keyword"
},
"sqli": {
"ignore_above": 1024,
"type": "keyword"
},
"src_country_code": {
"ignore_above": 1024,
"type": "keyword"
},
"src_domainname": {
"ignore_above": 1024,
"type": "keyword"
},
"src_ip": {
"type": "ip"
},
"src_mac": {
"ignore_above": 1024,
"type": "keyword"
},
"src_port": {
"type": "long"
},
"srczone": {
"ignore_above": 1024,
"type": "keyword"
},
"srczonetype": {
"ignore_above": 1024,
"type": "keyword"
},
"ssid": {
"ignore_above": 1024,
"type": "keyword"
},
"start_time": {
"type": "date"
},
"starttime": {
"type": "date"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"status_code": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"system_cpu": {
"type": "float"
},
"target": {
"ignore_above": 1024,
"type": "keyword"
},
"threatname": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"to_email_address": {
"ignore_above": 1024,
"type": "keyword"
},
"total_memory": {
"type": "long"
},
"trans_dst_ip": {
"type": "ip"
},
"trans_dst_port": {
"type": "long"
},
"trans_src_ip": {
"type": "ip"
},
"trans_src_port": {
"type": "long"
},
"transaction_id": {
"ignore_above": 1024,
"type": "keyword"
},
"transactionid": {
"ignore_above": 1024,
"type": "keyword"
},
"transmitteddrops": {
"type": "long"
},
"transmittederrors": {
"ignore_above": 1024,
"type": "keyword"
},
"transmittedkbits": {
"type": "long"
},
"unit": {
"ignore_above": 1024,
"type": "keyword"
},
"updatedip": {
"type": "ip"
},
"upload_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"upload_file_type": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
},
"used": {
"type": "long"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
},
"user_cpu": {
"type": "float"
},
"user_gp": {
"ignore_above": 1024,
"type": "keyword"
},
"user_group": {
"ignore_above": 1024,
"type": "keyword"
},
"user_name": {
"ignore_above": 1024,
"type": "keyword"
},
"users": {
"ignore_above": 1024,
"type": "keyword"
},
"vconn_id": {
"type": "long"
},
"virus": {
"ignore_above": 1024,
"type": "keyword"
},
"website": {
"ignore_above": 1024,
"type": "keyword"
},
"xss": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/source.json
+187
View File
@@ -0,0 +1,187 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"source": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"packets": {
"type": "long"
},
"port": {
"type": "long"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/suricata.json
+850
View File
@@ -0,0 +1,850 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"suricata": {
"properties": {
"eve": {
"properties": {
"alert": {
"properties": {
"affected_product": {
"ignore_above": 1024,
"type": "keyword"
},
"attack_target": {
"ignore_above": 1024,
"type": "keyword"
},
"capec_id": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"classtype": {
"ignore_above": 1024,
"type": "keyword"
},
"created_at": {
"type": "date"
},
"cve": {
"ignore_above": 1024,
"type": "keyword"
},
"cvss_v2_base": {
"ignore_above": 1024,
"type": "keyword"
},
"cvss_v2_temporal": {
"ignore_above": 1024,
"type": "keyword"
},
"cvss_v3_base": {
"ignore_above": 1024,
"type": "keyword"
},
"cvss_v3_temporal": {
"ignore_above": 1024,
"type": "keyword"
},
"cwe_id": {
"ignore_above": 1024,
"type": "keyword"
},
"deployment": {
"ignore_above": 1024,
"type": "keyword"
},
"former_category": {
"ignore_above": 1024,
"type": "keyword"
},
"gid": {
"type": "long"
},
"hostile": {
"ignore_above": 1024,
"type": "keyword"
},
"infected": {
"ignore_above": 1024,
"type": "keyword"
},
"malware": {
"ignore_above": 1024,
"type": "keyword"
},
"metadata": {
"type": "flattened"
},
"mitre_tool_id": {
"ignore_above": 1024,
"type": "keyword"
},
"performance_impact": {
"ignore_above": 1024,
"type": "keyword"
},
"priority": {
"ignore_above": 1024,
"type": "keyword"
},
"protocols": {
"ignore_above": 1024,
"type": "keyword"
},
"rev": {
"type": "long"
},
"rule_source": {
"ignore_above": 1024,
"type": "keyword"
},
"sid": {
"ignore_above": 1024,
"type": "keyword"
},
"signature": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_id": {
"type": "long"
},
"signature_severity": {
"ignore_above": 1024,
"type": "keyword"
},
"tag": {
"ignore_above": 1024,
"type": "keyword"
},
"updated_at": {
"type": "date"
}
}
},
"app_proto_expected": {
"ignore_above": 1024,
"type": "keyword"
},
"app_proto_orig": {
"ignore_above": 1024,
"type": "keyword"
},
"app_proto_tc": {
"ignore_above": 1024,
"type": "keyword"
},
"app_proto_ts": {
"ignore_above": 1024,
"type": "keyword"
},
"dns": {
"properties": {
"id": {
"type": "long"
},
"rcode": {
"ignore_above": 1024,
"type": "keyword"
},
"rdata": {
"ignore_above": 1024,
"type": "keyword"
},
"rrname": {
"ignore_above": 1024,
"type": "keyword"
},
"rrtype": {
"ignore_above": 1024,
"type": "keyword"
},
"ttl": {
"type": "long"
},
"tx_id": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"email": {
"properties": {
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"fileinfo": {
"properties": {
"gaps": {
"type": "boolean"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"stored": {
"type": "boolean"
},
"tx_id": {
"type": "long"
}
}
},
"flow": {
"properties": {
"age": {
"type": "long"
},
"alerted": {
"type": "boolean"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"flow_id": {
"ignore_above": 1024,
"type": "keyword"
},
"http": {
"properties": {
"http_content_type": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"redirect": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"icmp_code": {
"type": "long"
},
"icmp_type": {
"type": "long"
},
"in_iface": {
"ignore_above": 1024,
"type": "keyword"
},
"pcap_cnt": {
"type": "long"
},
"smtp": {
"properties": {
"helo": {
"ignore_above": 1024,
"type": "keyword"
},
"mail_from": {
"ignore_above": 1024,
"type": "keyword"
},
"rcpt_to": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ssh": {
"properties": {
"client": {
"properties": {
"proto_version": {
"ignore_above": 1024,
"type": "keyword"
},
"software_version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"server": {
"properties": {
"proto_version": {
"ignore_above": 1024,
"type": "keyword"
},
"software_version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"stats": {
"properties": {
"app_layer": {
"properties": {
"flow": {
"properties": {
"dcerpc_tcp": {
"type": "long"
},
"dcerpc_udp": {
"type": "long"
},
"dns_tcp": {
"type": "long"
},
"dns_udp": {
"type": "long"
},
"failed_tcp": {
"type": "long"
},
"failed_udp": {
"type": "long"
},
"ftp": {
"type": "long"
},
"http": {
"type": "long"
},
"imap": {
"type": "long"
},
"msn": {
"type": "long"
},
"smb": {
"type": "long"
},
"smtp": {
"type": "long"
},
"ssh": {
"type": "long"
},
"tls": {
"type": "long"
}
}
},
"tx": {
"properties": {
"dcerpc_tcp": {
"type": "long"
},
"dcerpc_udp": {
"type": "long"
},
"dns_tcp": {
"type": "long"
},
"dns_udp": {
"type": "long"
},
"ftp": {
"type": "long"
},
"http": {
"type": "long"
},
"smb": {
"type": "long"
},
"smtp": {
"type": "long"
},
"ssh": {
"type": "long"
},
"tls": {
"type": "long"
}
}
}
}
},
"capture": {
"properties": {
"kernel_drops": {
"type": "long"
},
"kernel_ifdrops": {
"type": "long"
},
"kernel_packets": {
"type": "long"
}
}
},
"decoder": {
"properties": {
"avg_pkt_size": {
"type": "long"
},
"bytes": {
"type": "long"
},
"dce": {
"properties": {
"pkt_too_small": {
"type": "long"
}
}
},
"erspan": {
"type": "long"
},
"ethernet": {
"type": "long"
},
"gre": {
"type": "long"
},
"icmpv4": {
"type": "long"
},
"icmpv6": {
"type": "long"
},
"ieee8021ah": {
"type": "long"
},
"invalid": {
"type": "long"
},
"ipraw": {
"properties": {
"invalid_ip_version": {
"type": "long"
}
}
},
"ipv4": {
"type": "long"
},
"ipv4_in_ipv6": {
"type": "long"
},
"ipv6": {
"type": "long"
},
"ipv6_in_ipv6": {
"type": "long"
},
"ltnull": {
"properties": {
"pkt_too_small": {
"type": "long"
},
"unsupported_type": {
"type": "long"
}
}
},
"max_pkt_size": {
"type": "long"
},
"mpls": {
"type": "long"
},
"null": {
"type": "long"
},
"pkts": {
"type": "long"
},
"ppp": {
"type": "long"
},
"pppoe": {
"type": "long"
},
"raw": {
"type": "long"
},
"sctp": {
"type": "long"
},
"sll": {
"type": "long"
},
"tcp": {
"type": "long"
},
"teredo": {
"type": "long"
},
"udp": {
"type": "long"
},
"vlan": {
"type": "long"
},
"vlan_qinq": {
"type": "long"
}
}
},
"defrag": {
"properties": {
"ipv4": {
"properties": {
"fragments": {
"type": "long"
},
"reassembled": {
"type": "long"
},
"timeouts": {
"type": "long"
}
}
},
"ipv6": {
"properties": {
"fragments": {
"type": "long"
},
"reassembled": {
"type": "long"
},
"timeouts": {
"type": "long"
}
}
},
"max_frag_hits": {
"type": "long"
}
}
},
"detect": {
"properties": {
"alert": {
"type": "long"
}
}
},
"dns": {
"properties": {
"memcap_global": {
"type": "long"
},
"memcap_state": {
"type": "long"
},
"memuse": {
"type": "long"
}
}
},
"file_store": {
"properties": {
"open_files": {
"type": "long"
}
}
},
"flow": {
"properties": {
"emerg_mode_entered": {
"type": "long"
},
"emerg_mode_over": {
"type": "long"
},
"icmpv4": {
"type": "long"
},
"icmpv6": {
"type": "long"
},
"memcap": {
"type": "long"
},
"memuse": {
"type": "long"
},
"spare": {
"type": "long"
},
"tcp": {
"type": "long"
},
"tcp_reuse": {
"type": "long"
},
"udp": {
"type": "long"
}
}
},
"flow_mgr": {
"properties": {
"bypassed_pruned": {
"type": "long"
},
"closed_pruned": {
"type": "long"
},
"est_pruned": {
"type": "long"
},
"flows_checked": {
"type": "long"
},
"flows_notimeout": {
"type": "long"
},
"flows_removed": {
"type": "long"
},
"flows_timeout": {
"type": "long"
},
"flows_timeout_inuse": {
"type": "long"
},
"new_pruned": {
"type": "long"
},
"rows_busy": {
"type": "long"
},
"rows_checked": {
"type": "long"
},
"rows_empty": {
"type": "long"
},
"rows_maxlen": {
"type": "long"
},
"rows_skipped": {
"type": "long"
}
}
},
"http": {
"properties": {
"memcap": {
"type": "long"
},
"memuse": {
"type": "long"
}
}
},
"tcp": {
"properties": {
"insert_data_normal_fail": {
"type": "long"
},
"insert_data_overlap_fail": {
"type": "long"
},
"insert_list_fail": {
"type": "long"
},
"invalid_checksum": {
"type": "long"
},
"memuse": {
"type": "long"
},
"no_flow": {
"type": "long"
},
"overlap": {
"type": "long"
},
"overlap_diff_data": {
"type": "long"
},
"pseudo": {
"type": "long"
},
"pseudo_failed": {
"type": "long"
},
"reassembly_gap": {
"type": "long"
},
"reassembly_memuse": {
"type": "long"
},
"rst": {
"type": "long"
},
"segment_memcap_drop": {
"type": "long"
},
"sessions": {
"type": "long"
},
"ssn_memcap_drop": {
"type": "long"
},
"stream_depth_reached": {
"type": "long"
},
"syn": {
"type": "long"
},
"synack": {
"type": "long"
}
}
},
"uptime": {
"type": "long"
}
}
},
"tcp": {
"properties": {
"ack": {
"type": "boolean"
},
"fin": {
"type": "boolean"
},
"psh": {
"type": "boolean"
},
"rst": {
"type": "boolean"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"syn": {
"type": "boolean"
},
"tcp_flags": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp_flags_tc": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp_flags_ts": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tls": {
"properties": {
"fingerprint": {
"ignore_above": 1024,
"type": "keyword"
},
"issuerdn": {
"ignore_above": 1024,
"type": "keyword"
},
"ja3": {
"properties": {
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"string": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ja3s": {
"properties": {
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"string": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"notafter": {
"type": "date"
},
"notbefore": {
"type": "date"
},
"serial": {
"ignore_above": 1024,
"type": "keyword"
},
"session_resumed": {
"type": "boolean"
},
"sni": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tx_id": {
"type": "long"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/syslog.json
+30
View File
@@ -0,0 +1,30 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"syslog": {
"properties": {
"facility": {
"type": "long"
},
"facility_label": {
"ignore_above": 1024,
"type": "keyword"
},
"priority": {
"type": "long"
},
"severity_label": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/threat.json
+1650
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/ecs/tls.json
+354
View File
@@ -0,0 +1,354 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"tls": {
"properties": {
"cipher": {
"ignore_above": 1024,
"type": "keyword"
},
"client": {
"properties": {
"certificate": {
"ignore_above": 1024,
"type": "keyword"
},
"certificate_chain": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"issuer": {
"ignore_above": 1024,
"type": "keyword"
},
"ja3": {
"ignore_above": 1024,
"type": "keyword"
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"server_name": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"supported_ciphers": {
"ignore_above": 1024,
"type": "keyword"
},
"x509": {
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"doc_values": false,
"index": false,
"type": "long"
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"curve": {
"ignore_above": 1024,
"type": "keyword"
},
"established": {
"type": "boolean"
},
"next_protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"resumed": {
"type": "boolean"
},
"server": {
"properties": {
"certificate": {
"ignore_above": 1024,
"type": "keyword"
},
"certificate_chain": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"issuer": {
"ignore_above": 1024,
"type": "keyword"
},
"ja3s": {
"ignore_above": 1024,
"type": "keyword"
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"x509": {
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"doc_values": false,
"index": false,
"type": "long"
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"version_protocol": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/tracing.json
+36
View File
@@ -0,0 +1,36 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"span": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"trace": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"transaction": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/url.json
+78
View File
@@ -0,0 +1,78 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"url": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"fragment": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
},
"original": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"type": "wildcard"
},
"port": {
"type": "long"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"scheme": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/user.json
+244
View File
@@ -0,0 +1,244 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"user": {
"properties": {
"changes": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"effective": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
},
"target": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/user_agent.json
+83
View File
@@ -0,0 +1,83 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"user_agent": {
"properties": {
"device": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/vulnerability.json
+78
View File
@@ -0,0 +1,78 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"vulnerability": {
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"enumeration": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"report_id": {
"ignore_above": 1024,
"type": "keyword"
},
"scanner": {
"properties": {
"vendor": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"score": {
"properties": {
"base": {
"type": "float"
},
"environmental": {
"type": "float"
},
"temporal": {
"type": "float"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/winlog.json
+603
View File
@@ -0,0 +1,603 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"dynamic_templates": [
{
"winlog.event_data": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string",
"path_match": "winlog.event_data.*"
}
},
{
"winlog.user_data": {
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string",
"path_match": "winlog.user_data.*"
}
}
],
"properties": {
"winlog": {
"properties": {
"activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"api": {
"ignore_above": 1024,
"type": "keyword"
},
"channel": {
"ignore_above": 1024,
"type": "keyword"
},
"computer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"event_data": {
"properties": {
"AuthenticationPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"Binary": {
"ignore_above": 1024,
"type": "keyword"
},
"BitlockerUserInputTime": {
"ignore_above": 1024,
"type": "keyword"
},
"BootMode": {
"ignore_above": 1024,
"type": "keyword"
},
"BootType": {
"ignore_above": 1024,
"type": "keyword"
},
"BuildVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"Company": {
"ignore_above": 1024,
"type": "keyword"
},
"CorruptionActionState": {
"ignore_above": 1024,
"type": "keyword"
},
"CreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Description": {
"ignore_above": 1024,
"type": "keyword"
},
"Detail": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceName": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceTime": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMajor": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMinor": {
"ignore_above": 1024,
"type": "keyword"
},
"DriveName": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverName": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"DwordVal": {
"ignore_above": 1024,
"type": "keyword"
},
"EntryCount": {
"ignore_above": 1024,
"type": "keyword"
},
"ExtraInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"FileVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"FinalStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"Group": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleStateCount": {
"ignore_above": 1024,
"type": "keyword"
},
"ImpersonationLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"IntegrityLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"IpAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"IpPort": {
"ignore_above": 1024,
"type": "keyword"
},
"KeyLength": {
"ignore_above": 1024,
"type": "keyword"
},
"LastBootGood": {
"ignore_above": 1024,
"type": "keyword"
},
"LastShutdownGood": {
"ignore_above": 1024,
"type": "keyword"
},
"LmPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonType": {
"ignore_above": 1024,
"type": "keyword"
},
"MajorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"MaximumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberName": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberSid": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumThrottlePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"MinorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"NewTime": {
"ignore_above": 1024,
"type": "keyword"
},
"NominalFrequency": {
"ignore_above": 1024,
"type": "keyword"
},
"Number": {
"ignore_above": 1024,
"type": "keyword"
},
"OldSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"OldTime": {
"ignore_above": 1024,
"type": "keyword"
},
"OriginalFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"Path": {
"ignore_above": 1024,
"type": "keyword"
},
"PerformanceImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousCreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousTime": {
"ignore_above": 1024,
"type": "keyword"
},
"PrivilegeList": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPath": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPid": {
"ignore_above": 1024,
"type": "keyword"
},
"Product": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaCount": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaPolicyId": {
"ignore_above": 1024,
"type": "keyword"
},
"QfeVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"Reason": {
"ignore_above": 1024,
"type": "keyword"
},
"SchemaVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"ScriptBlockText": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceName": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownActionType": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownEventCode": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownReason": {
"ignore_above": 1024,
"type": "keyword"
},
"Signature": {
"ignore_above": 1024,
"type": "keyword"
},
"SignatureStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"Signed": {
"ignore_above": 1024,
"type": "keyword"
},
"StartTime": {
"ignore_above": 1024,
"type": "keyword"
},
"State": {
"ignore_above": 1024,
"type": "keyword"
},
"Status": {
"ignore_above": 1024,
"type": "keyword"
},
"StopTime": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"TSId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetServerName": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"TerminalSessionId": {
"ignore_above": 1024,
"type": "keyword"
},
"TokenElevationType": {
"ignore_above": 1024,
"type": "keyword"
},
"TransmittedServices": {
"ignore_above": 1024,
"type": "keyword"
},
"UserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"Version": {
"ignore_above": 1024,
"type": "keyword"
},
"Workstation": {
"ignore_above": 1024,
"type": "keyword"
},
"param1": {
"ignore_above": 1024,
"type": "keyword"
},
"param2": {
"ignore_above": 1024,
"type": "keyword"
},
"param3": {
"ignore_above": 1024,
"type": "keyword"
},
"param4": {
"ignore_above": 1024,
"type": "keyword"
},
"param5": {
"ignore_above": 1024,
"type": "keyword"
},
"param6": {
"ignore_above": 1024,
"type": "keyword"
},
"param7": {
"ignore_above": 1024,
"type": "keyword"
},
"param8": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"keywords": {
"ignore_above": 1024,
"type": "keyword"
},
"logon": {
"properties": {
"failure": {
"properties": {
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"sub_status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"opcode": {
"ignore_above": 1024,
"type": "keyword"
},
"process": {
"properties": {
"pid": {
"type": "long"
},
"thread": {
"properties": {
"id": {
"type": "long"
}
}
}
}
},
"provider_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_name": {
"ignore_above": 1024,
"type": "keyword"
},
"record_id": {
"ignore_above": 1024,
"type": "keyword"
},
"related_activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"task": {
"ignore_above": 1024,
"type": "keyword"
},
"time_created": {
"type": "date"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user_data": {
"type": "object"
},
"version": {
"type": "long"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/ecs/zeek.json
+2279
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/so/case-mappings.json
+213
View File
@@ -0,0 +1,213 @@
{
"template": {
"mappings": {
"properties": {
"so_audit_doc_id": {
"ignore_above": 1024,
"type": "keyword"
},
"so_related": {
"properties": {
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"fields": {
"eager_global_ordinals": false,
"ignore_above": 1024,
"index": true,
"type": "flattened",
"index_options": "docs",
"split_queries_on_whitespace": false,
"doc_values": true
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"so_artifactstream": {
"properties": {
"createTime": {
"type": "date"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"content": {
"type": "text"
}
}
},
"so_comment": {
"properties": {
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"type": "text"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"so_kind": {
"ignore_above": 1024,
"type": "keyword"
},
"so_operation": {
"ignore_above": 1024,
"type": "keyword"
},
"so_case": {
"properties": {
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"template": {
"ignore_above": 1024,
"type": "keyword"
},
"completeTime": {
"type": "date"
},
"description": {
"type": "text"
},
"priority": {
"type": "long"
},
"title": {
"type": "text"
},
"assigneeId": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"startTime": {
"type": "date"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"pap": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"so_artifact": {
"properties": {
"artifactType": {
"ignore_above": 1024,
"type": "keyword"
},
"groupType": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"streamId": {
"ignore_above": 1024,
"type": "keyword"
},
"groupId": {
"ignore_above": 1024,
"type": "keyword"
},
"streamLength": {
"type": "long"
},
"description": {
"type": "text"
},
"mimeType": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"ioc": {
"type": "boolean"
},
"value": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
},
"_meta": {
"ecs_version": "1.12.2"
}
}
salt/elasticsearch/templates/component/so/case-settings.json
+65
View File
@@ -0,0 +1,65 @@
{
"template": {
"settings": {
"index": {
"routing": {
"allocation": {
"require": {
"box_type": "hot"
}
}
},
"mapping": {
"total_fields": {
"limit": "3000"
}
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
}
}
},
"version": 1,
"_meta": {
"description": "default settings for common Security Onion Cases indices"
}
}
salt/elasticsearch/templates/component/so/common-dynamic-mappings.json
+56
View File
@@ -0,0 +1,56 @@
{
"template": {
"mappings": {
"dynamic_templates": [
{
"ip_address": {
"path_match": "*.ip",
"mapping": {
"type": "ip",
"fields": {
"keyword": {
"ignore_above": 45,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
},
{
"port": {
"path_match": "*.port",
"path_unmatch": "*.data.port",
"mapping": {
"type": "integer",
"fields": {
"keyword": {
"ignore_above": 6,
"type": "keyword"
}
}
}
}
},
{
"strings": {
"mapping": {
"type": "text",
"fields": {
"security": {
"analyzer": "es_security_analyzer",
"type": "text"
},
"keyword": {
"ignore_above": 32765,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
}
]
}
}
}
salt/elasticsearch/templates/component/so/common-settings.json
+65
View File
@@ -0,0 +1,65 @@
{
"template": {
"settings": {
"index": {
"routing": {
"allocation": {
"require": {
"box_type": "hot"
}
}
},
"mapping": {
"total_fields": {
"limit": "3000"
}
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
}
}
},
"version": 1,
"_meta": {
"description": "default settings for common Security Onion indices"
}
}
salt/elasticsearch/templates/component/so/dtc-agent-mappings.json
+61
View File
@@ -0,0 +1,61 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"agent": {
"properties": {
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-base-mappings.json
+29
View File
@@ -0,0 +1,29 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"message": {
"type": "match_only_text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"tags": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-dns-mappings.json
+29
View File
@@ -0,0 +1,29 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"dns": {
"properties": {
"answers": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json
+25
View File
@@ -0,0 +1,25 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-event-mappings
+137
View File
@@ -0,0 +1,137 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"event": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"dataset": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"duration": {
"type": "long"
},
"end": {
"type": "date"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"type": "date",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"original": {
"doc_values": false,
"index": false,
"type": "keyword"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_score": {
"type": "float"
},
"risk_score_norm": {
"type": "float"
},
"sequence": {
"type": "long"
},
"severity": {
"type": "long"
},
"start": {
"type": "date"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-event-mappings.json
+86
View File
@@ -0,0 +1,86 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"event": {
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"created": {
"type": "date",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"dataset": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"ingested": {
"type": "date",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"module": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"outcome": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"timezone": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-file-mappings.json
+34
View File
@@ -0,0 +1,34 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"file": {
"properties": {
"mime_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-host-mappings.json
+34
View File
@@ -0,0 +1,34 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"host": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-http-mappings.json
+38
View File
@@ -0,0 +1,38 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"http": {
"properties": {
"request": {
"properties": {
"method": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"referrer": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-network-mappings.json
+34
View File
@@ -0,0 +1,34 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"network": {
"properties": {
"protocol": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"transport": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-observer-mappings
+219
View File
@@ -0,0 +1,219 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"observer": {
"properties": {
"egress": {
"properties": {
"interface": {
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"ingress": {
"properties": {
"interface": {
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"os": {
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-observer-mappings.json
+25
View File
@@ -0,0 +1,25 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"observer": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-process-mappings.json
+27
View File
@@ -0,0 +1,27 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"process": {
"properties": {
"command_line": {
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
},
"type": "wildcard"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-rule-mappings.json
+34
View File
@@ -0,0 +1,34 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"rule": {
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-service-mappings.json
+34
View File
@@ -0,0 +1,34 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"service": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-user-mappings.json
+28
View File
@@ -0,0 +1,28 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"user": {
"properties": {
"name": {
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json
+28
View File
@@ -0,0 +1,28 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"user_agent": {
"properties": {
"original": {
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/endgame-mappings.json
+53
View File
@@ -0,0 +1,53 @@
{
"template": {
"mappings": {
"properties": {
"endgame": {
"dynamic": false,
"properties": {
"data": {
"properties": {
"malware_classification": {
"properties": {
"identifier": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"quarantine_result": {
"properties": {
"local_msg": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"event_subtype_full": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type_full": {
"ignore_above": 1024,
"type": "keyword"
},
"metadata": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"type": "object"
}
}
}
},
"_meta": {
"ecs_version": "1.12.2"
}
}
salt/elasticsearch/templates/component/so/so-file-mappings.json
+29
View File
@@ -0,0 +1,29 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"file": {
"properties": {
"flavors": {
"properties": {
"mime": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/so-rule-mappings.json
+19
View File
@@ -0,0 +1,19 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"rule":{
"properties":{
"score":{
"type":"long"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/so-scan-mappings.json
+31
View File
@@ -0,0 +1,31 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"scan":{
"type":"object",
"properties":{
"exiftool":{
"type":"text"
},
"pe":{
"properties":{
"sections":{
"properties":{
"entropy":{
"type": "float"
}
}
}
}
}
}
}
}
}
}
}
salt/elasticsearch/templates/custom/place_custom_template_in_local → salt/elasticsearch/templates/index/custom/place_custom_template_in_local
View File
salt/elasticsearch/templates/index/so/so-aws-template.json.jinja
+105
View File
@@ -0,0 +1,105 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-aws:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-aws:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-aws:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-aws:field_limit', 3000) %}
{
"index_patterns": [
"so-aws*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"dtc-agent-mappings",
"aws-mappings",
"base-mappings",
"dtc-base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"dtc-dns-mappings",
"ecs-mappings",
"dtc-ecs-mappings",
"error-mappings",
"event-mappings",
"dtc-event-mappings",
"file-mappings",
"dtc-file-mappings",
"group-mappings",
"host-mappings",
"dtc-host-mappings",
"http-mappings",
"dtc-http-mappings",
"log-mappings",
"network-mappings",
"dtc-network-mappings",
"observer-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"dtc-process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"dtc-rule-mappings",
"server-mappings",
"service-mappings",
"dtc-service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"dtc-user_agent-mappings",
"user-mappings",
"dtc-user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}
salt/elasticsearch/templates/index/so/so-azure-template.json.jinja
+105
View File
@@ -0,0 +1,105 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-azure:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-azure:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-azure:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-azure:field_limit', 3000) %}
{
"index_patterns": [
"so-azure*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"dtc-agent-mappings",
"azure-mappings",
"base-mappings",
"dtc-base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"dtc-dns-mappings",
"ecs-mappings",
"dtc-ecs-mappings",
"error-mappings",
"event-mappings",
"dtc-event-mappings",
"file-mappings",
"dtc-file-mappings",
"group-mappings",
"host-mappings",
"dtc-host-mappings",
"http-mappings",
"dtc-http-mappings",
"log-mappings",
"network-mappings",
"dtc-network-mappings",
"observer-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"dtc-process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"dtc-rule-mappings",
"server-mappings",
"service-mappings",
"dtc-service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"dtc-user_agent-mappings",
"user-mappings",
"dtc-user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

Some files were not shown because too many files have changed in this diff Show More