CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add system.system component templates

Browse Source
This commit is contained in:
Wes
2023-06-14 13:29:11 +00:00
parent c2ac60b82e
commit 48331ce35b
2 changed files with 998 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json Normal file
View File

@@ -0,0 +1,12 @@
{
"template": {
"settings": {}
},
"_meta": {
"package": {
"name": "elastic_agent"
},
"managed_by": "fleet",
"managed": true
}
}

986
salt/elasticsearch/templates/component/elastic-agent/logs-system.system@package.json Normal file
View File

@@ -0,0 +1,986 @@
{
"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"default_pipeline": "logs-system.system-1.6.4",
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"query": {
"default_field": [
"cloud.account.id",
"cloud.availability_zone",
"cloud.instance.id",
"cloud.instance.name",
"cloud.machine.type",
"cloud.provider",
"cloud.region",
"cloud.project.id",
"cloud.image.id",
"container.id",
"container.image.name",
"container.name",
"host.architecture",
"host.hostname",
"host.id",
"host.mac",
"host.name",
"host.os.family",
"host.os.kernel",
"host.os.name",
"host.os.platform",
"host.os.version",
"host.os.build",
"host.os.codename",
"host.type",
"event.action",
"event.category",
"event.code",
"event.kind",
"event.original",
"event.outcome",
"event.provider",
"event.type",
"error.message",
"message",
"winlog.api",
"winlog.activity_id",
"winlog.computer_name",
"winlog.event_data.AuthenticationPackageName",
"winlog.event_data.Binary",
"winlog.event_data.BitlockerUserInputTime",
"winlog.event_data.BootMode",
"winlog.event_data.BootType",
"winlog.event_data.BuildVersion",
"winlog.event_data.Company",
"winlog.event_data.CorruptionActionState",
"winlog.event_data.CreationUtcTime",
"winlog.event_data.Description",
"winlog.event_data.Detail",
"winlog.event_data.DeviceName",
"winlog.event_data.DeviceNameLength",
"winlog.event_data.DeviceTime",
"winlog.event_data.DeviceVersionMajor",
"winlog.event_data.DeviceVersionMinor",
"winlog.event_data.DriveName",
"winlog.event_data.DriverName",
"winlog.event_data.DriverNameLength",
"winlog.event_data.DwordVal",
"winlog.event_data.EntryCount",
"winlog.event_data.ExtraInfo",
"winlog.event_data.FailureName",
"winlog.event_data.FailureNameLength",
"winlog.event_data.FileVersion",
"winlog.event_data.FinalStatus",
"winlog.event_data.Group",
"winlog.event_data.IdleImplementation",
"winlog.event_data.IdleStateCount",
"winlog.event_data.ImpersonationLevel",
"winlog.event_data.IntegrityLevel",
"winlog.event_data.IpAddress",
"winlog.event_data.IpPort",
"winlog.event_data.KeyLength",
"winlog.event_data.LastBootGood",
"winlog.event_data.LastShutdownGood",
"winlog.event_data.LmPackageName",
"winlog.event_data.LogonGuid",
"winlog.event_data.LogonId",
"winlog.event_data.LogonProcessName",
"winlog.event_data.LogonType",
"winlog.event_data.MajorVersion",
"winlog.event_data.MaximumPerformancePercent",
"winlog.event_data.MemberName",
"winlog.event_data.MemberSid",
"winlog.event_data.MinimumPerformancePercent",
"winlog.event_data.MinimumThrottlePercent",
"winlog.event_data.MinorVersion",
"winlog.event_data.NewProcessId",
"winlog.event_data.NewProcessName",
"winlog.event_data.NewSchemeGuid",
"winlog.event_data.NewTime",
"winlog.event_data.NominalFrequency",
"winlog.event_data.Number",
"winlog.event_data.OldSchemeGuid",
"winlog.event_data.OldTime",
"winlog.event_data.OriginalFileName",
"winlog.event_data.Path",
"winlog.event_data.PerformanceImplementation",
"winlog.event_data.PreviousCreationUtcTime",
"winlog.event_data.PreviousTime",
"winlog.event_data.PrivilegeList",
"winlog.event_data.ProcessId",
"winlog.event_data.ProcessName",
"winlog.event_data.ProcessPath",
"winlog.event_data.ProcessPid",
"winlog.event_data.Product",
"winlog.event_data.PuaCount",
"winlog.event_data.PuaPolicyId",
"winlog.event_data.QfeVersion",
"winlog.event_data.Reason",
"winlog.event_data.SchemaVersion",
"winlog.event_data.ScriptBlockText",
"winlog.event_data.ServiceName",
"winlog.event_data.ServiceVersion",
"winlog.event_data.ShutdownActionType",
"winlog.event_data.ShutdownEventCode",
"winlog.event_data.ShutdownReason",
"winlog.event_data.Signature",
"winlog.event_data.SignatureStatus",
"winlog.event_data.Signed",
"winlog.event_data.StartTime",
"winlog.event_data.State",
"winlog.event_data.Status",
"winlog.event_data.StopTime",
"winlog.event_data.SubjectDomainName",
"winlog.event_data.SubjectLogonId",
"winlog.event_data.SubjectUserName",
"winlog.event_data.SubjectUserSid",
"winlog.event_data.TSId",
"winlog.event_data.TargetDomainName",
"winlog.event_data.TargetInfo",
"winlog.event_data.TargetLogonGuid",
"winlog.event_data.TargetLogonId",
"winlog.event_data.TargetServerName",
"winlog.event_data.TargetUserName",
"winlog.event_data.TargetUserSid",
"winlog.event_data.TerminalSessionId",
"winlog.event_data.TokenElevationType",
"winlog.event_data.TransmittedServices",
"winlog.event_data.UserSid",
"winlog.event_data.Version",
"winlog.event_data.Workstation",
"winlog.event_data.param1",
"winlog.event_data.param2",
"winlog.event_data.param3",
"winlog.event_data.param4",
"winlog.event_data.param5",
"winlog.event_data.param6",
"winlog.event_data.param7",
"winlog.event_data.param8",
"winlog.event_id",
"winlog.keywords",
"winlog.channel",
"winlog.record_id",
"winlog.related_activity_id",
"winlog.opcode",
"winlog.provider_guid",
"winlog.provider_name",
"winlog.task",
"winlog.user.identifier",
"winlog.user.name",
"winlog.user.domain",
"winlog.user.type"
]
}
}
},
"mappings": {
"dynamic_templates": [
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"winlog.user_data": {
"path_match": "winlog.user_data.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"winlog": {
"properties": {
"related_activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"computer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"process": {
"properties": {
"pid": {
"type": "long"
},
"thread": {
"properties": {
"id": {
"type": "long"
}
}
}
}
},
"keywords": {
"ignore_above": 1024,
"type": "keyword"
},
"channel": {
"ignore_above": 1024,
"type": "keyword"
},
"event_data": {
"properties": {
"SignatureStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceTime": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"OriginalFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"BootMode": {
"ignore_above": 1024,
"type": "keyword"
},
"Product": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"FileVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"StopTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Status": {
"ignore_above": 1024,
"type": "keyword"
},
"CorruptionActionState": {
"ignore_above": 1024,
"type": "keyword"
},
"KeyLength": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousCreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"PerformanceImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"Group": {
"ignore_above": 1024,
"type": "keyword"
},
"Description": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownActionType": {
"ignore_above": 1024,
"type": "keyword"
},
"DwordVal": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPid": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMajor": {
"ignore_above": 1024,
"type": "keyword"
},
"ScriptBlockText": {
"ignore_above": 1024,
"type": "keyword"
},
"TransmittedServices": {
"ignore_above": 1024,
"type": "keyword"
},
"MaximumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"NewTime": {
"ignore_above": 1024,
"type": "keyword"
},
"FinalStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleStateCount": {
"ignore_above": 1024,
"type": "keyword"
},
"MajorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"Path": {
"ignore_above": 1024,
"type": "keyword"
},
"SchemaVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"TokenElevationType": {
"ignore_above": 1024,
"type": "keyword"
},
"MinorVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"IdleImplementation": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessPath": {
"ignore_above": 1024,
"type": "keyword"
},
"QfeVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceVersionMinor": {
"ignore_above": 1024,
"type": "keyword"
},
"OldTime": {
"ignore_above": 1024,
"type": "keyword"
},
"IpAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceName": {
"ignore_above": 1024,
"type": "keyword"
},
"Company": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaPolicyId": {
"ignore_above": 1024,
"type": "keyword"
},
"IntegrityLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"LastShutdownGood": {
"ignore_above": 1024,
"type": "keyword"
},
"IpPort": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"LmPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"UserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"LastBootGood": {
"ignore_above": 1024,
"type": "keyword"
},
"PuaCount": {
"ignore_above": 1024,
"type": "keyword"
},
"Version": {
"ignore_above": 1024,
"type": "keyword"
},
"Signed": {
"ignore_above": 1024,
"type": "keyword"
},
"StartTime": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownEventCode": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"ServiceName": {
"ignore_above": 1024,
"type": "keyword"
},
"PreviousTime": {
"ignore_above": 1024,
"type": "keyword"
},
"State": {
"ignore_above": 1024,
"type": "keyword"
},
"BootType": {
"ignore_above": 1024,
"type": "keyword"
},
"Binary": {
"ignore_above": 1024,
"type": "keyword"
},
"ImpersonationLevel": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberName": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"Detail": {
"ignore_above": 1024,
"type": "keyword"
},
"TerminalSessionId": {
"ignore_above": 1024,
"type": "keyword"
},
"MemberSid": {
"ignore_above": 1024,
"type": "keyword"
},
"DriverName": {
"ignore_above": 1024,
"type": "keyword"
},
"DeviceNameLength": {
"ignore_above": 1024,
"type": "keyword"
},
"OldSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"CreationUtcTime": {
"ignore_above": 1024,
"type": "keyword"
},
"Reason": {
"ignore_above": 1024,
"type": "keyword"
},
"ShutdownReason": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetServerName": {
"ignore_above": 1024,
"type": "keyword"
},
"Number": {
"ignore_above": 1024,
"type": "keyword"
},
"BuildVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumPerformancePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"TSId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetDomainName": {
"ignore_above": 1024,
"type": "keyword"
},
"PrivilegeList": {
"ignore_above": 1024,
"type": "keyword"
},
"param7": {
"ignore_above": 1024,
"type": "keyword"
},
"param8": {
"ignore_above": 1024,
"type": "keyword"
},
"param5": {
"ignore_above": 1024,
"type": "keyword"
},
"param6": {
"ignore_above": 1024,
"type": "keyword"
},
"DriveName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonType": {
"ignore_above": 1024,
"type": "keyword"
},
"ExtraInfo": {
"ignore_above": 1024,
"type": "keyword"
},
"param3": {
"ignore_above": 1024,
"type": "keyword"
},
"param4": {
"ignore_above": 1024,
"type": "keyword"
},
"param1": {
"ignore_above": 1024,
"type": "keyword"
},
"param2": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetLogonId": {
"ignore_above": 1024,
"type": "keyword"
},
"Workstation": {
"ignore_above": 1024,
"type": "keyword"
},
"SubjectUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"FailureName": {
"ignore_above": 1024,
"type": "keyword"
},
"NewSchemeGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"Signature": {
"ignore_above": 1024,
"type": "keyword"
},
"MinimumThrottlePercent": {
"ignore_above": 1024,
"type": "keyword"
},
"ProcessId": {
"ignore_above": 1024,
"type": "keyword"
},
"EntryCount": {
"ignore_above": 1024,
"type": "keyword"
},
"BitlockerUserInputTime": {
"ignore_above": 1024,
"type": "keyword"
},
"AuthenticationPackageName": {
"ignore_above": 1024,
"type": "keyword"
},
"NominalFrequency": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"opcode": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"type": "long"
},
"record_id": {
"ignore_above": 1024,
"type": "keyword"
},
"event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"task": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"activity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"api": {
"ignore_above": 1024,
"type": "keyword"
},
"provider_name": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"identifier": {
"ignore_above": 1024,
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"properties": {
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"build": {
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"codename": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "text"
}
}
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"containerized": {
"type": "boolean"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"type": "constant_keyword",
"value": "system"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"sequence": {
"type": "long"
},
"ingested": {
"type": "date"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"dataset": {
"type": "constant_keyword",
"value": "system.system"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"error": {
"properties": {
"message": {
"type": "match_only_text"
}
}
},
"message": {
"type": "match_only_text"
}
}
}
},
"_meta": {
"package": {
"name": "system"
},
"managed_by": "fleet",
"managed": true
}
}