CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-11 11:42:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update field mappings based on Wes' feedback

Browse Source
This commit is contained in:
Jason Ertel
2022-01-07 13:28:36 -05:00
parent 9ef83da23f
commit 391db568b0
1 changed files with 83 additions and 350 deletions
Download Patch File Download Diff File Expand all files Collapse all files

431
salt/elasticsearch/templates/so/so-case-template.json.jinja
View File

@@ -36,149 +36,86 @@
"@timestamp": { "@timestamp": {
"type": "date" "type": "date"
}, },
"kind": {
"type": "keyword",
"ignore_above": 1024
},
"operation": {
"type": "keyword",
"ignore_above": 1024
},
"so_audit_doc_id": {
"type": "keyword",
"ignore_above": 1024
},
"artifact": { "artifact": {
"properties": { "properties": {
"artifactType": { "artifactType": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"caseId": { "caseId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"createTime": { "createTime": {
"type": "date" "type": "date"
}, },
"description": { "description": {
"type": "text", "type": "text"
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"groupId": { "groupId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"groupType": { "groupType": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"ioc": { "ioc": {
"type": "boolean" "type": "boolean"
}, },
"kind": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"md5": { "md5": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"mimeType": { "mimeType": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"sha1": { "sha1": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"sha256": { "sha256": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"streamId": { "streamId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"streamLength": { "streamLength": {
"type": "long" "type": "long"
}, },
"tags": { "tags": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"tlp": { "tlp": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"userId": { "userId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"value": { "value": {
"type": "text", "type": "text",
"fields": { "fields": {
"keyword": { "keyword": {
"type": "keyword", "type": "keyword",
"ignore_above": 256 "ignore_above": 1024
} }
} }
} }
@@ -187,65 +124,26 @@
"artifactstream": { "artifactstream": {
"properties": { "properties": {
"content": { "content": {
"type": "text", "type": "text"
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"createTime": { "createTime": {
"type": "date" "type": "date"
}, },
"kind": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"stream": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"userId": { "userId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
} }
} }
}, },
"case": { "case": {
"properties": { "properties": {
"assigneeId": { "assigneeId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"category": { "category": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"completeTime": { "completeTime": {
"type": "date" "type": "date"
@@ -254,272 +152,107 @@
"type": "date" "type": "date"
}, },
"description": { "description": {
"type": "text", "type": "text"
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"pap": { "pap": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"priority": { "priority": {
"type": "long" "type": "long"
}, },
"severity": { "severity": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"startTime": { "startTime": {
"type": "date" "type": "date"
}, },
"status": { "status": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"tags": { "tags": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"template": { "template": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"title": { "title": {
"type": "text", "type": "text"
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"tlp": { "tlp": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"userId": { "userId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
} }
} }
}, },
"comment": { "comment": {
"properties": { "properties": {
"caseId": { "caseId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"createTime": { "createTime": {
"type": "date" "type": "date"
}, },
"description": { "description": {
"type": "text", "type": "text"
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"kind": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"userId": { "userId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"kind": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword", "type": "keyword",
"ignore_above": 256 "ignore_above": 1024
}
}
},
"operation": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
} }
} }
}, },
"related": { "related": {
"properties": { "properties": {
"caseId": { "caseId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"createTime": { "createTime": {
"type": "date" "type": "date"
}, },
"fields": { "fields": {
"properties": { "properties": {
"@timestamp": {
"type": "date"
},
"event": { "event": {
"properties": { "properties": {
"dataset": { "dataset": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"index": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword", "type": "keyword",
"ignore_above": 256 "ignore_above": 1024
},
"module": {
"type": "keyword",
"ignore_above": 1024
},
"category": {
"type": "keyword",
"ignore_above": 1024
} }
} }
}, },
"message": { "message": {
"type": "text", "type": "text"
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"soc_id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"soc_score": {
"type": "long"
},
"soc_source": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"soc_timestamp": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"tags": { "tags": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"timestamp": {
"type": "date"
}
}
},
"kind": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword", "type": "keyword",
"ignore_above": 256 "ignore_above": 1024
} }
} }
}, },
"userId": { "userId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"so_audit_doc_id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword", "type": "keyword",
"ignore_above": 256 "ignore_above": 1024
} }
} }
} }