From 46dd4c2749e376c94d3827aad8f5a24e8ebd7ce8 Mon Sep 17 00:00:00 2001
From: Wes
Date: Tue, 20 Sep 2022 20:33:06 +0000
Subject: [PATCH] Rename component mappings and references for Security Onion
---
 salt/elasticsearch/defaults.yaml | 44 ++++++++--------
 .../so-fleet_agent_id_verification-1.json | 40 +++++++++++++++-
 .../elastic-agent/so-fleet_globals-1.json | 47 +++++++++++++++++--
 3 files changed, 104 insertions(+), 27 deletions(-)
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index a14c03e2d..37eab28a0 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -80,8 +80,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.apm_server@package"
 - "so-logs-elastic_agent.apm_server@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -114,8 +114,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.auditbeat@package"
 - "so-logs-elastic_agent.auditbeat@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -148,8 +148,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.cloudbeat@package"
 - "so-logs-elastic_agent.cloudbeat@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -182,8 +182,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.endpoint_security@package"
 - "so-logs-elastic_agent.endpoint_security@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -216,8 +216,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.filebeat@package"
 - "so-logs-elastic_agent.filebeat@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -250,8 +250,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.fleet_server@package"
 - "so-logs-elastic_agent.fleet_server@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -284,8 +284,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.heartbeat@package"
 - "so-logs-elastic_agent.heartbeat@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -318,8 +318,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent@package"
 - "so-logs-elastic_agent@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -352,8 +352,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.metricbeat@package"
 - "so-logs-elastic_agent.metricbeat@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -386,8 +386,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.osquerybeat@package"
 - "so-logs-elastic_agent.osquerybeat@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
@@ -420,8 +420,8 @@ elasticsearch:
 composed_of:
 - "so-logs-elastic_agent.packetbeat@package"
 - "so-logs-elastic_agent.packetbeat@custom"
- - ".fleet_globals-1"
- - ".fleet_agent_id_verification-1"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
 priority: 500
 _meta:
 package:
diff --git a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json
index e3b768ae3..cac2cd8ee 100644
--- a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json
@@ -1,10 +1,48 @@
 {
 "component_templates": [
 {
- "name": ".fleet_agent_id_verification-1",
+ "name": "so-fleet_agent_id_verification-1",
 "component_template": {
 "template": {
 "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ },
 "index": {
 "final_pipeline": ".fleet_final_pipeline-1"
 }
diff --git a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json
index 002529d01..5e569846c 100644
--- a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_globals-1.json
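Review bot: The renamed `so-fleet_agent_id_verification-1` template still pins `index.final_pipeline` to `.fleet_final_pipeline-1` (the context lines at the end of this hunk), so a template the commit moves under Security Onion's management now depends on an ingest pipeline that is, by its name, still Fleet-managed and defined outside this repo. If that pipeline is absent, or a Fleet upgrade removes or changes it, every write to the data streams composed from this template fails with a missing-pipeline error, and the agent-id verification this template exists for is governed by logic nobody reviewing this file can see. Either ship an `so-` copy of the final pipeline next to these templates and reference it here, or record the dependency on the component template, e.g. `"_meta": { "managed_by": "security_onion", "managed": true, "description": "requires the Fleet-managed .fleet_final_pipeline-1 ingest pipeline" }`. The same `analysis` block is added verbatim to `so-fleet_globals-1` in this commit and both templates sit in every `composed_of` list above; keep the two identical or define the block once, since the later entry in `composed_of` overrides the earlier on conflict without any warning.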
@@ -1,13 +1,52 @@
 {
 "component_templates": [
 {
- "name": ".fleet_globals-1",
+ "name": "so-fleet_globals-1",
 "component_template": {
 "template": {
- "settings": {},
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
 "mappings": {
 "_meta": {
- "managed_by": "fleet",
+ "managed_by": "security_onion",
 "managed": true
 },
 "dynamic_templates": [
@@ -25,7 +64,7 @@
 }
 },
 "_meta": {
- "managed_by": "fleet",
+ "managed_by": "security_onion",
 "managed": true
 }
 }
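Review bot: The `analysis` block added under `settings` in this hunk is byte-identical to the one added to `so-fleet_agent_id_verification-1` in the same commit, and both templates appear together in every `composed_of` list in defaults.yaml. Two copies of the same analyzer, char filter, token filter and tokenizer definitions will drift, and when they do the later `composed_of` entry (`so-fleet_agent_id_verification-1`) silently overrides this one, so the `es_security_analyzer` an index actually gets may no longer be the one visible in this file. Define the block in one template only, or move it into its own component template (for instance `so-fleet_analysis-1`) that both index templates compose. Nothing visible in this hunk references `es_security_analyzer`, `path_hierarchy_pattern_filter` or `path_tokenizer`; the `dynamic_templates` that might are past the end of the hunk, so confirm a mapping uses them before applying these settings to every Elastic Agent data stream.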