From 31d22e717d595d7c615809e366c5166d5f7f2b39 Mon Sep 17 00:00:00 2001 From: abesinger Date: Wed, 19 Jan 2022 18:45:26 -0600 Subject: [PATCH 01/15] Updated syslog pipeline, resolves #6912. Also cleaned up formatting to make it more readable.
---
salt/elasticsearch/files/ingest/syslog | 170 ++++++++++++++++++++----- 1 file changed, 141 insertions(+), 29 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/syslog b/salt/elasticsearch/files/ingest/syslog
index 367dcebe7..91b14d6f4 100644
--- a/salt/elasticsearch/files/ingest/syslog
+++ b/salt/elasticsearch/files/ingest/syslog
@@ -2,35 +2,147 @@ "description" : "syslog", "processors" : [ { - "dissect": { - "field": "message", - "pattern" : "%{message}", - "on_failure": [ { "drop" : { } } ] + "dissect": { + "field": "message", + "pattern" : "%{message}", + "on_failure": [ { "drop" : { } } ] + }, + "remove": { + "field": [ "type", "agent" ], + "ignore_failure": true + } + }, { + "grok": { + "field": "message", + "patterns": [ + "^<%{INT:syslog.priority:int}>%{TIMESTAMP_ISO8601:syslog.timestamp} +%{IPORHOST:syslog.host} +%{PROG:syslog.program}(?:\\[%{POSINT:syslog.pid:int}\\])?: %{GREEDYDATA:real_message}$", + + "^<%{INT:syslog.priority}>%{DATA:syslog.timestamp} %{WORD:source.application}(\\[%{DATA:pid}\\])?: %{GREEDYDATA:real_message}$", + + "^%{SYSLOGTIMESTAMP:syslog.timestamp} %{SYSLOGHOST:syslog.host} %{SYSLOGPROG:syslog.program}: CEF:0\\|%{DATA:vendor}\\|%{DATA:product}\\|%{GREEDYDATA:message2}$" + ], + "ignore_failure": true + } + }, { + "script": { + "description": "Map syslog priority into facility and level", + "lang": "painless", + "params" : { + "level": [ + "emerg", + "alert", + "crit", + "err", + "warn", + "notice", + "info", + "debug" + ], + "facility" : [ + "kern", + "user", + "mail", + "daemon", + "auth", + "syslog", + "lpr", + "news", + "uucp", + "cron", + "authpriv", + "ftp", + "ntp", + "security", + "console", + "solaris-cron", + "local0", + "local1", + "local2", + "local3", + "local4", + "local5", + "local6", + "local7" + ] }, - "remove": { - "field": [ "type", "agent" ], - "ignore_failure": true - } - }, - { - "grok": - { - "field": "message", - "patterns": [ - "^<%{INT:syslog.priority}>%{DATA:syslog.timestamp} %{WORD:source.application}(\\[%{DATA:pid}\\])?: %{GREEDYDATA:real_message}$", - "^%{SYSLOGTIMESTAMP:syslog.timestamp} %{SYSLOGHOST:syslog.host} %{SYSLOGPROG:syslog.program}: CEF:0\\|%{DATA:vendor}\\|%{DATA:product}\\|%{GREEDYDATA:message2}$" - ], - "ignore_failure": true - } - }, - { "set": { "if": "ctx.source?.application == 'filterlog'", "field": "dataset", 
"value": "firewall", "ignore_failure": true } }, - { "set": { "if": "ctx.vendor != null", "field": "module", "value": "{{ vendor }}", "ignore_failure": true } }, - { "set": { "if": "ctx.product != null", "field": "dataset", "value": "{{ product }}", "ignore_failure": true } }, - { "set": { "field": "ingest.timestamp", "value": "{{ @timestamp }}" } }, - { "date": { "if": "ctx.syslog?.timestamp != null", "field": "syslog.timestamp", "target_field": "@timestamp", "formats": ["MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601", "UNIX"], "ignore_failure": true } }, - { "remove": { "field": ["pid", "program"], "ignore_missing": true, "ignore_failure": true } }, - { "pipeline": { "if": "ctx.vendor != null && ctx.product != null", "name": "{{ vendor }}.{{ product }}", "ignore_failure": true } }, - { "pipeline": { "if": "ctx.dataset == 'firewall'", "name": "filterlog", "ignore_failure": true } }, - { "pipeline": { "name": "common" } } + "source": "if (ctx['syslog'] != null && ctx['syslog']['priority'] != null) { int p = ctx['syslog']['priority']; int f = p / 8; int l = p - (f * 8); ctx['syslog']['facility'] = [ : ]; ctx['syslog']['level'] = [ : ]; ctx['syslog']['level'].put('code', l); ctx['syslog']['level'].put('name', params.level[l]); ctx['syslog']['facility'].put('code', f); ctx['syslog']['facility'].put('name', params.facility[f]); }" + } + }, { + "set": { + "if": "ctx.syslog?.host != null", + "field": "host.name", + "value": "{{ syslog.host }}", + "ignore_failure": true + } + }, { + "set": { + "if": "ctx.syslog?.program != null", + "field": "process.name", + "value": "{{ syslog.program }}", + "ignore_failure": true + } + }, { + "set": { + "if": "ctx.syslog?.pid != null", + "field": "process.id", + "value": "{{ syslog.pid }}", + "ignore_failure": true + } + }, { + "set": { + "if": "ctx.source?.application == 'filterlog'", + "field": "dataset", + "value": "firewall", + "ignore_failure": true + } + }, { + "set": { + "if": "ctx.vendor != null", + "field": "module", + "value": 
"{{ vendor }}", + "ignore_failure": true + } + }, { + "set": { + "if": "ctx.product != null", + "field": "dataset", + "value": "{{ product }}", + "ignore_failure": true + } + }, { + "set": { + "field": "ingest.timestamp", + "value": "{{ @timestamp }}" + } + }, { + "date": { + "if": "ctx.syslog?.timestamp != null", + "field": "syslog.timestamp", + "target_field": "@timestamp", + "formats": ["MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601", "UNIX"], + "ignore_failure": true + } + }, { + "remove": { + "field": ["pid", "program"], + "ignore_missing": true, + "ignore_failure": true + } + }, { + "pipeline": { + "if": "ctx.vendor != null && ctx.product != null", + "name": "{{ vendor }}.{{ product }}", + "ignore_failure": true + } + }, { + "pipeline": { + "if": "ctx.dataset == 'firewall'", + "name": "filterlog", + "ignore_failure": true + } + }, { + "pipeline": { "name": "common" } + } ] } + From f7862af934f3fbde4031edc2fa3d4297c80b1132 Mon Sep 17 00:00:00 2001 
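Review bot: The new painless processor does `int p = ctx['syslog']['priority'];`, but only the first grok pattern casts `syslog.priority` with `:int`; the second pattern (`%{INT:syslog.priority}`) leaves it as a string, and the script has no `ignore_failure`, so every message that matches the second pattern aborts the pipeline on a cast error and the event is lost. The same script indexes `params.facility[f]` with no bound, and since `INT` admits a sign and any number of digits, a sender who controls the syslog payload can put `<999>` or `<-1>` on the wire and have the event fail ingestion — an easy way to keep a log line out of the SIEM. I would parse the priority via `toString()` so both grok branches work, and only map values the lookup tables cover (0–191 for the 24-entry facility list), leaving anything else unmapped rather than failing; the rewritten body of the `"source"` string is below (collapse it back to one escaped line in the JSON). A secondary note: `host.name` is now set from `syslog.host`, which is whatever the sender wrote, so it should not be treated as an observed identity — a comment on that `set` saying so would save a future analyst from trusting it.

```painless
if (ctx['syslog'] != null && ctx['syslog']['priority'] != null) {
  // priority arrives as an int from the first grok pattern and as a string from the second
  int p = Integer.parseInt(ctx['syslog']['priority'].toString());
  int f = p / 8;
  int l = p % 8;
  // only map priorities the lookup tables cover; leave others unmapped instead of failing the event
  if (p >= 0 && f < params.facility.size()) {
    ctx['syslog']['level'] = ['code': l, 'name': params.level[l]];
    ctx['syslog']['facility'] = ['code': f, 'name': params.facility[f]];
  }
}
```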
From: Wes Lambert Date: Tue, 22 Feb 2022 20:33:49 +0000 Subject: [PATCH 02/15] Switch from .security to match_only_text --- .../templates/component/ecs/agent.json | 44 +- .../templates/component/ecs/aws.json | 581 +++- .../templates/component/ecs/azure.json | 798 +++++- .../templates/component/ecs/base.json | 9 +- .../templates/component/ecs/cef.json | 1036 ++++++-- .../templates/component/ecs/checkpoint.json | 2331 ++++++++++++++--- .../templates/component/ecs/cisco.json | 707 ++++- .../templates/component/ecs/client.json | 170 +- .../templates/component/ecs/cloud.json | 79 +- .../templates/component/ecs/container.json | 37 +- .../templates/component/ecs/cyberark.json | 434 ++- .../templates/component/ecs/data_stream.json | 2 +- .../templates/component/ecs/destination.json | 170 +- .../templates/component/ecs/dll.json | 135 +- .../templates/component/ecs/dns.json | 107 +- .../templates/component/ecs/ecs.json | 9 +- .../component/ecs/elasticsearch.json | 9 +- .../templates/component/ecs/error.json | 23 +- .../templates/component/ecs/event.json | 121 +- .../templates/component/ecs/file.json | 492 +++- .../templates/component/ecs/fortinet.json | 2121 ++++++++++++--- .../templates/component/ecs/gcp.json | 287 +- .../component/ecs/google_workspace.json | 840 +++++- .../templates/component/ecs/group.json | 23 +- .../templates/component/ecs/host.json | 212 +- .../templates/component/ecs/http.json | 44 +- .../templates/component/ecs/juniper.json | 490 +++- .../templates/component/ecs/kibana.json | 84 +- .../templates/component/ecs/log.json | 58 +- .../templates/component/ecs/logstash.json | 42 +- .../templates/component/ecs/microsoft.json | 364 ++- .../templates/component/ecs/misp.json | 357 ++- .../templates/component/ecs/netflow.json | 329 ++- .../templates/component/ecs/network.json | 86 +- .../templates/component/ecs/o365.json | 602 ++++- .../templates/component/ecs/observer.json | 247 +- .../templates/component/ecs/okta.json | 322 ++- 
.../templates/component/ecs/orchestrator.json | 65 +- .../templates/component/ecs/organization.json | 9 +- .../templates/component/ecs/package.json | 79 +- .../templates/component/ecs/process.json | 534 +++- .../templates/component/ecs/redis.json | 28 +- .../templates/component/ecs/registry.json | 44 +- .../templates/component/ecs/related.json | 23 +- .../templates/component/ecs/rule.json | 72 +- .../templates/component/ecs/server.json | 170 +- .../templates/component/ecs/service.json | 65 +- .../templates/component/ecs/snyk.json | 126 +- .../templates/component/ecs/sophos.json | 966 ++++++- .../templates/component/ecs/source.json | 170 +- .../templates/component/ecs/suricata.json | 476 +++- .../templates/component/ecs/syslog.json | 14 +- .../templates/component/ecs/threat.json | 1885 +++++++++++-- .../templates/component/ecs/tls.json | 443 +++- .../templates/component/ecs/tracing.json | 23 +- .../templates/component/ecs/url.json | 72 +- .../templates/component/ecs/user.json | 226 +- .../templates/component/ecs/user_agent.json | 58 +- .../component/ecs/vulnerability.json | 65 +- .../templates/component/ecs/winlog.json | 938 ++++++- .../templates/component/ecs/zeek.json | 2135 ++++++++++++--- .../component/so/common-dynamic-mappings.json | 99 +- 62 files changed, 19298 insertions(+), 3289 deletions(-) diff --git a/salt/elasticsearch/templates/component/ecs/agent.json b/salt/elasticsearch/templates/component/ecs/agent.json index 4c7f8738e..656237f47 100644 --- a/salt/elasticsearch/templates/component/ecs/agent.json +++ b/salt/elasticsearch/templates/component/ecs/agent.json 
@@ -12,33 +12,63 @@ "properties": { "original": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "ephemeral_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/aws.json b/salt/elasticsearch/templates/component/ecs/aws.json index ccea31e27..10c7dd45b 100644 --- a/salt/elasticsearch/templates/component/ecs/aws.json +++ b/salt/elasticsearch/templates/component/ecs/aws.json @@ -22,7 +22,12 @@ }, "api_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "console_login": { "properties": { @@ -30,7 +35,12 @@ "properties": { "login_to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mfa_used": { "type": "boolean" 
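Review bot: Every `keyword` field in this hunk gains a `.text` sub-field of type `match_only_text`, including pure identifiers such as `agent.id` and `agent.ephemeral_id` where a full-text index costs storage and adds no search value; the old side shows plain `keyword` with no `.security` sub-field, so at least for these files the change reads as adding a multi-field rather than the swap the subject line describes. `match_only_text` is a relatively recent field type, so these component templates will presumably fail to install on clusters older than the release that introduced it — worth stating the minimum Elasticsearch version in the commit message or guarding it in the Salt state that pushes the templates. If the goal is full-text search over all string fields, a dynamic template in `common-dynamic-mappings.json` (also touched by this commit) would be far less to maintain than the same six-line block repeated per field across 62 files.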
@@ -58,27 +68,57 @@ }, "previous_hash_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "previous_s3_bucket": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "public_key_fingerprint": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "s3_bucket": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "s3_object": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "start_time": { "type": "date" @@ -87,23 +127,48 @@ }, "error_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "error_message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "event_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "event_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "event_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "flattened": { "properties": { 
@@ -126,19 +191,39 @@ }, "management_event": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "read_only": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "recipient_account_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "request_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "request_parameters": { "fields": { @@ -154,15 +239,30 @@ "properties": { "account_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "arn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -188,21 +288,41 @@ }, "shared_event_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user_identity": { "properties": { "access_key_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "arn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "invoked_by": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "session_context": { "properties": { 
@@ -211,25 +331,50 @@ }, "mfa_authenticated": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "session_issuer": { "properties": { "account_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "arn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "principal_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -237,13 +382,23 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "vpc_endpoint_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -259,7 +414,12 @@ "properties": { "ip_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -267,7 +427,12 @@ "properties": { "action_executed": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "backend": { "properties": { @@ -277,7 +442,12 @@ "properties": { "status_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -285,11 +455,21 @@ }, "ip": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "port": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -304,21 +484,41 @@ "properties": { "arn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "serial": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "classification": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "classification_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "connection_time": { "properties": { @@ -331,33 +531,68 @@ "properties": { "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "incoming_tls_alert": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "listener": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "matched_rule_priority": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "redirect_url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "request_processing_time": { "properties": { 
@@ -375,27 +610,52 @@ }, "ssl_cipher": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ssl_protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "target_group": { "properties": { "arn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "target_port": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "target_status_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tls_handshake_time": { "properties": { @@ -406,15 +666,30 @@ }, "tls_named_group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "trace_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -422,75 +697,150 @@ "properties": { "authentication_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "bucket": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "bucket_owner": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "bytes_sent": { "type": "long" }, "cipher_suite": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "error_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "host_header": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "host_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "http_status": { "type": "long" }, "key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "object_size": { "type": "long" }, "operation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "referrer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "remote_ip": { "type": "ip" }, "request_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "request_uri": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "requester": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + 
"text": { + "type": "match_only_text" + } + } }, "signature_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tls_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "total_time": { "type": "long" @@ -500,11 +850,21 @@ }, "user_agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -512,23 +872,48 @@ "properties": { "account_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "instance_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "interface_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "log_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "pkt_dstaddr": { "type": "ip" 
@@ -538,27 +923,57 @@ }, "subnet_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tcp_flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tcp_flags_array": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vpc_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/azure.json b/salt/elasticsearch/templates/component/ecs/azure.json index 5e1acaae5..d9a3adc70 100644 --- a/salt/elasticsearch/templates/component/ecs/azure.json +++ b/salt/elasticsearch/templates/component/ecs/azure.json @@ -12,11 +12,21 @@ "properties": { "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "event_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "identity": { "properties": { 
@@ -24,39 +34,79 @@ "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "evidence": { "properties": { "principal_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "principal_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "role": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "role_assignment_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "role_assignment_scope": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "role_definition_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "scope": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -71,23 +121,48 @@ "properties": { "fullname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "givenname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "schema": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "surname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } 
@@ -95,18 +170,33 @@ }, "operation_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "properties": { "type": "flattened" }, "result_signature": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "result_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -114,19 +204,39 @@ "properties": { "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "identity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "operation_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "operation_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "properties": { "properties": { @@ -135,19 +245,39 @@ }, "activity_display_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "correlation_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "initiated_by": { "properties": { 
@@ -155,19 +285,39 @@ "properties": { "appId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "displayName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "servicePrincipalId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "servicePrincipalName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -175,19 +325,39 @@ "properties": { "displayName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ipAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "userPrincipalName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -195,19 +365,39 @@ }, "logged_by_service": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "operation_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "result": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "result_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "target_resources": { "properties": { 
@@ -215,15 +405,30 @@ "properties": { "display_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ip_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "modified_properties": { "properties": { @@ -231,15 +436,30 @@ "properties": { "display_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "new_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "old_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -247,11 +467,21 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user_principal_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } 
@@ -261,28 +491,53 @@ }, "result_signature": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tenant_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "consumer_group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "correlation_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "enqueued_time": { "type": "date" }, "eventhub": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "offset": { "type": "long" 
@@ -294,58 +549,123 @@ "properties": { "ActivityId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Caller": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Cloud": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Environment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "EventTimeString": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ScaleUnit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ccpNamespace": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "event_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "operation_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "properties": { "type": "flattened" }, "result_signature": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "result_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -353,27 +673,57 @@ "properties": { "authorization_rule": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "namespace": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "provider": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -384,84 +734,169 @@ "properties": { "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "identity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "operation_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "operation_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "properties": { "properties": { "app_display_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "app_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "authentication_processing_details": { "type": "flattened" }, "authentication_requirement": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "authentication_requirement_policies": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "autonomous_system_number": { "type": "long" }, "client_app_used": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "conditional_access_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "correlation_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "created_at": { "type": "date" }, "cross_tenant_access_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + 
"type": "match_only_text" + } + } }, "device_detail": { "properties": { "browser": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "device_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "display_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "operating_system": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "trust_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -470,11 +905,21 @@ }, "home_tenant_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "is_interactive": { "type": "boolean" 
@@ -484,58 +929,123 @@ }, "original_request_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "processing_time_ms": { "type": "float" }, "resource_display_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "resource_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "resource_tenant_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "risk_detail": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "risk_event_types": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "risk_event_types_v2": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "risk_level_aggregated": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "risk_level_during_signin": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "risk_state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "service_principal_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "service_principal_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sso_extension_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + 
"text": { + "type": "match_only_text" + } + } }, "status": { "properties": { @@ -546,55 +1056,115 @@ }, "token_issuer_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "token_issuer_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user_display_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user_principal_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "result_description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "result_signature": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "result_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tenant_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "subscription_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tenant_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } 
diff --git a/salt/elasticsearch/templates/component/ecs/base.json b/salt/elasticsearch/templates/component/ecs/base.json
index f409ed95a..77594f68d 100644
--- a/salt/elasticsearch/templates/component/ecs/base.json
+++ b/salt/elasticsearch/templates/component/ecs/base.json
@@ -17,9 +17,14 @@
 },
 "tags": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 }
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/salt/elasticsearch/templates/component/ecs/cef.json b/salt/elasticsearch/templates/component/ecs/cef.json
index 376fbf26a..40911af50 100644
--- a/salt/elasticsearch/templates/component/ecs/cef.json
+++ b/salt/elasticsearch/templates/component/ecs/cef.json
@@ -12,19 +12,39 @@
 "properties": {
 "event_class_id": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "product": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "vendor": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "version": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 }
 }
 },
@@ -32,68 +52,138 @@ "properties": { "Reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "agentAddress": { "type": "ip" }, "agentDnsDomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "agentHostName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "agentId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "agentMacAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "agentNtDomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "agentReceiptTime": { "type": "date" }, "agentTimeZone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "agentTranslatedAddress": { "type": "ip" }, "agentTranslatedZoneExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "agentTranslatedZoneURI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "agentType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "agentVersion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "agentZoneExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "agentZoneURI": { "ignore_above": 1024, - "type": "keyword" + 
"type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "applicationProtocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "baseEventCount": { "type": "long" 
@@ -106,54 +196,114 @@ }, "categoryBehavior": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "categoryDeviceGroup": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "categoryDeviceType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "categoryObject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "categoryOutcome": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "categorySignificance": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "categoryTechnique": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cp_app_risk": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cp_severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "customerExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "customerURI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "destinationAddress": { "type": "ip" }, "destinationDnsDomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "destinationGeoLatitude": { "type": "double" 
@@ -163,15 +313,30 @@
 },
 "destinationHostName": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "destinationMacAddress": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "destinationNtDomain": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "destinationPort": {
 "type": "long"
@@ -181,11 +346,21 @@
 },
 "destinationProcessName": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "destinationServiceName": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "destinationTranslatedAddress": {
 "type": "ip"
@@ -195,35 +370,75 @@ }, "destinationTranslatedZoneExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "destinationTranslatedZoneURI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "destinationUserId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "destinationUserName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "destinationUserPrivileges": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "destinationZoneExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "destinationZoneURI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceAction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceAddress": { "type": "ip" 
@@ -233,229 +448,444 @@ }, "deviceCustomDate1Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomDate2": { "type": "date" }, "deviceCustomDate2Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomFloatingPoint1": { "type": "double" }, "deviceCustomFloatingPoint1Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomFloatingPoint2": { "type": "double" }, "deviceCustomFloatingPoint2Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomFloatingPoint3": { "type": "double" }, "deviceCustomFloatingPoint3Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomFloatingPoint4": { "type": "double" }, "deviceCustomFloatingPoint4Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomIPv6Address1": { "type": "ip" }, "deviceCustomIPv6Address1Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomIPv6Address2": { "type": "ip" }, "deviceCustomIPv6Address2Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomIPv6Address3": { "type": "ip" }, "deviceCustomIPv6Address3Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomIPv6Address4": { "type": "ip" }, "deviceCustomIPv6Address4Label": { "ignore_above": 1024, - "type": "keyword" + 
"type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomNumber1": { "type": "long" }, "deviceCustomNumber1Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomNumber2": { "type": "long" }, "deviceCustomNumber2Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomNumber3": { "type": "long" }, "deviceCustomNumber3Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomString1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomString1Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomString2": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomString2Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomString3": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomString3Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomString4": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomString4Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomString5": { "ignore_above": 1024, - "type": "keyword" + 
"type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomString5Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomString6": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceCustomString6Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceDirection": { "type": "long" }, "deviceDnsDomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceEventCategory": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceExternalId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceFacility": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceFlexNumber1": { "type": "long" }, "deviceFlexNumber1Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceFlexNumber2": { "type": "long" }, "deviceFlexNumber2Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceHostName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceInboundInterface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceMacAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": 
{ + "type": "match_only_text" + } + } }, "deviceNtDomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceOutboundInterface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "devicePayloadId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceProcessId": { "type": "long" }, "deviceProcessName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceReceiptTime": { "type": "date" }, "deviceTimeZone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceTranslatedAddress": { "type": "ip" }, "deviceTranslatedZoneExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceTranslatedZoneURI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceZoneExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceZoneURI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "endTime": { "type": "date" 
@@ -465,210 +895,435 @@ }, "eventOutcome": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "externalId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fileCreateTime": { "type": "date" }, "fileHash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fileId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fileModificationTime": { "type": "date" }, "filePath": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "filePermission": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fileSize": { "type": "long" }, "fileType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "filename": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "flexDate1": { "type": "date" }, "flexDate1Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "flexString1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "flexString1Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "flexString2": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "flexString2Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + 
"fields": { + "text": { + "type": "match_only_text" + } + } }, "ifname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "inzone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "layer_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "layer_uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "logid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "loguid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "managerReceiptTime": { "type": "date" }, "match_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "nat_addtnl_rulenum": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "nat_rulenum": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "oldFileCreateTime": { "type": "date" }, "oldFileHash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "oldFileId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "oldFileModificationTime": { "type": "date" }, "oldFileName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": 
{ + "text": { + "type": "match_only_text" + } + } }, "oldFilePath": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "oldFilePermission": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "oldFileSize": { "type": "long" }, "oldFileType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "origin": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "originsicname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "outzone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "parent_rule": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rawEvent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "requestClientApplication": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "requestContext": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "requestCookies": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "requestMethod": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "requestUrl": 
{ "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rule_action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rule_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sequencenum": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "service_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sourceAddress": { "type": "ip" }, "sourceDnsDomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sourceGeoLatitude": { "type": "double" @@ -678,15 +1333,30 @@ }, "sourceHostName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sourceMacAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sourceNtDomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sourcePort": { "type": "long" @@ -696,11 +1366,21 @@ }, "sourceProcessName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sourceServiceName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sourceTranslatedAddress": { "type": "ip" 
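Review bot: Opaque identifier fields in the hunk that starts at `@@ -465,210 +895,435 @@` (`fileHash`, `oldFileHash`, `rule_uid`, `loguid`, `match_id`, `layer_uuid`) receive the same `.text` multi-field as free-text fields, which for a hash or UUID produces a single-token analyzed copy that only duplicates the keyword index; the MAC-address fields in the preceding and following cef.json hunks (L28, L41) are in the same situation. For `requestCookies` and `rawEvent` the new subfield is an analyzed, unbounded copy of content that can include session material, and since `match_only_text` has no `ignore_above`, the 1024-character cap on the keyword side no longer limits what is indexed for them. I would keep identifier-type fields as plain `"type": "keyword"` and add the multi-field only where analyzed search is actually wanted (`message`, `rawEvent`, `filePath`, `requestUrl`), with a deliberate decision on `requestCookies`. The enclosing `properties` object begins before this hunk, outside its range.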
@@ -710,59 +1390,119 @@ }, "sourceTranslatedZoneExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sourceTranslatedZoneURI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sourceUserId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sourceUserName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sourceUserPrivileges": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sourceZoneExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sourceZoneURI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "startTime": { "type": "date" }, "transportProtocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "type": "long" }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } 
diff --git a/salt/elasticsearch/templates/component/ecs/checkpoint.json b/salt/elasticsearch/templates/component/ecs/checkpoint.json index bb2f8f6de..52a8c0e4c 100644 --- a/salt/elasticsearch/templates/component/ecs/checkpoint.json +++ b/salt/elasticsearch/templates/component/ecs/checkpoint.json 
@@ -13,276 +13,576 @@ }, "action_reason_msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "additional_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "additional_ip": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "additional_rdata": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "alert": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "allocated_ports": { "type": "long" }, "analyzed_on": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "answer_rdata": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "anti_virus_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "app_desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "app_id": { "type": "long" }, "app_package": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "app_properties": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "app_repackaged": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "app_risk": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, 
"app_severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "app_sid_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "app_sig_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "app_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "appi_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "arrival_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "attachments_num": { "type": "long" }, "attack_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "audit_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "auth_method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "authority_rdata": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "authorization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "bcc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "blade_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "broker_publisher": { "type": "ip" }, "browse_time": { "ignore_above": 1024, 
- "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "c_bytes": { "type": "long" }, "calc_desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "capacity": { "type": "long" }, "capture_uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "certificate_resource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "certificate_validation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cgnet": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "chunk_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "client_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "client_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "client_type_os": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "client_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cluster_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + 
"fields": { + "text": { + "type": "match_only_text" + } + } }, "community": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "confidence_level": { "type": "long" }, "connection_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "connectivity_level": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "connectivity_state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "conns_amount": { "type": "long" }, "content_disposition": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "content_length": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "content_risk": { "type": "long" }, "content_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "context_num": { "type": "long" }, "cookie": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cookieI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cookieR": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cp_message": { "type": "long" }, "cvpn_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cvpn_resource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } 
}, "data_type_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dce-rpc_interface_uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "delivery_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "destination_object": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "detected_on": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "developer_certificate_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "diameter_app_ID": { "type": "long" 
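Review bot: Adding a `match_only_text` sub-field to `authorization`, `cookie`, `cookieI` and `cookieR` (and to `bcc`/`cc` earlier in this hunk) makes values that presumably carry HTTP Authorization headers, session cookies and recipient addresses full-text searchable, and because the sub-field does not carry the parent's `ignore_above`, even oversized values are now indexed in full. Unless there is a search use case for these fields, keep them as plain keywords, e.g. `"authorization": { "ignore_above": 1024, "type": "keyword" }`, or mask them in the ingest pipeline before they reach the index; the same consideration applies to `email_headers`, `email_content` and `email_subject` in the `@@ -448` hunk. A short comment in the commit description explaining which fields were deliberately excluded from the multi-field would make the intent clear to the next maintainer.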
@@ -292,54 +592,114 @@ }, "diameter_msg_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_action_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_additional_action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_categories": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_data_type_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_data_type_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_fingerprint_files_number": { "type": "long" }, "dlp_fingerprint_long_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_fingerprint_short_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_incident_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_recipients": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_related_incident_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_relevant_data_types": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_repository_directories_number": { "type": "long" 
@@ -349,7 +709,12 @@ }, "dlp_repository_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_repository_not_scanned_directories_percentage": { "type": "long" @@ -359,7 +724,12 @@ }, "dlp_repository_root_path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_repository_scan_progress": { "type": "long" 
@@ -384,55 +754,120 @@ }, "dlp_rule_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_template_score": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_transint": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_violation_description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_watermark_profile": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dlp_word_list": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dns_query": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "drop_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dropped_file_hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dropped_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dropped_file_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dropped_file_verdict": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dropped_incoming": { 
"type": "long" 
@@ -448,204 +883,444 @@ }, "dst_country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dst_phone_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dst_user_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dstkeyid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "duplicate": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "duration": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "elapsed": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email_content": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email_control": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email_control_analysis": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email_headers": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email_message_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email_queue_id": { "ignore_above": 1024, - "type": "keyword" + "type": 
"keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email_queue_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email_recipients_num": { "type": "long" }, "email_session_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email_spam_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email_spool_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email_subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "emulated_on": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "encryption_failure": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "end_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "end_user_firewall_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "esod_access_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "esod_associated_policies": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "esod_noncompliance_reason": { "ignore_above": 1024, - "type": "keyword" + 
"type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "esod_rule_action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "esod_rule_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "esod_rule_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "esod_scan_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "event_count": { "type": "long" }, "expire_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "extension_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "extracted_file_hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "extracted_file_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "extracted_file_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "extracted_file_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "extracted_file_verdict": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "failure_impact": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "failure_reason": { "ignore_above": 1024, - "type": "keyword" + "type": 
"keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "file_direction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "files_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "first_hit_time": { "type": "long" }, "frequency": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fs-proto": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ftp_user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fw_message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fw_subproduct": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "hide_ip": { "type": "ip" 
@@ -655,53 +1330,108 @@ }, "host_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "http_host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "http_location": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "http_server": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "https_inspection_action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "https_inspection_rule_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "https_inspection_rule_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "https_validation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "icap_more_info": { "type": "long" }, "icap_server_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "icap_server_service": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "icap_service_id": { "type": "long" }, "icmp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "icmp_code": { "type": "long" 
@@ -714,67 +1444,147 @@ }, "identity_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ike": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ike_ids": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "impacted_files": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "incident_extension": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "indicator_description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "indicator_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "indicator_reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "indicator_uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "information": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "inspection_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "inspection_item": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "inspection_profile": { "ignore_above": 1024, - "type": 
"keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "inspection_settings_log": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "installed_products": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "int_end": { "type": "long" @@ -784,15 +1594,30 @@ }, "integrity_av_invoke_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "interface_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "internal_error": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "invalid_file_size": { "type": "long" @@ -802,22 +1627,42 @@ }, "isp_link": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "last_hit_time": { "type": "long" }, "last_rematch_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "layer_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "layer_uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "limit_applied": { "type": "long" @@ -827,7 +1672,12 @@ }, "link_probing_status_update": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "links_num": { "type": "long" 
@@ -840,19 +1690,39 @@ }, "logid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "long_desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "machine": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "malware_family": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "match_fk": { "type": "long" @@ -862,7 +1732,12 @@ }, "matched_file": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "matched_file_percentage": { "type": "long" 
@@ -872,109 +1747,234 @@ }, "media_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "message_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "message_size": { "type": "long" }, "method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "methods": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mime_from": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mime_to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mirror_and_decrypt_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mitre_collection": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mitre_command_and_control": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mitre_credential_access": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mitre_defense_evasion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mitre_discovery": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, 
"mitre_execution": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mitre_exfiltration": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mitre_impact": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mitre_initial_access": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mitre_lateral_movement": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mitre_persistence": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mitre_privilege_escalation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "monitor_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "msgid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "nat46": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "nat_addtnl_rulenum": { "type": "long" }, "nat_exhausted_pool": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "nat_rulenum": { "type": "long" 
@@ -984,77 +1984,162 @@ }, "next_hop_ip": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "next_scheduled_scan_date": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "number_of_errors": { "type": "long" }, "objecttable": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "objecttype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "observable_comment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "observable_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "observable_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "operation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "operation_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "origin_sic_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "original_queue_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "outgoing_url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "packet_amount": { "type": "long" }, "packet_capture_unique_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": 
{ + "type": "match_only_text" + } + } }, "parent_file_hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "parent_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "parent_file_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "parent_process_username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "parent_rule": { "type": "long" 
@@ -1064,57 +2149,117 @@ }, "peer_ip": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "peer_ip_probing_status_update": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "performance_impact": { "type": "long" }, "policy_mgmt": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "policy_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ports_usage": { "type": "long" }, "ppp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "precise_error": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "process_username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "properties": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "protection_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "protection_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "protection_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "proxy_machine_name": { "type": "long" 
@@ -1124,58 +2269,123 @@ }, "proxy_user_dn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "proxy_user_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "query": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "question_rdata": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "referrer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "referrer_parent_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "referrer_self_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "registered_ip-phones": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reject_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reject_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rematch_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "remediated_files": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reply_status": { "type": "long" }, "risk": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rpc_prog": { "type": 
"long"
@@ -1185,14 +2395,24 @@
 },
 "rule_action": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "rulebase_id": {
 "type": "long"
 },
 "scan_direction": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "scan_hosts_day": {
 "type": "long"
@@ -1205,184 +2425,399 @@ }, "scan_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "scan_mail": { "type": "long" }, "scan_result": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "scan_results": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "scheme": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "scope": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "scrub_activity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "scrub_download_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "scrub_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "scrub_total_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "scrubbed_content": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sctp_association_state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sctp_error": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "scv_message_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "scv_user": { "ignore_above": 
1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "securexl_message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sensor_mode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "session_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "session_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "short_desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sig_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "similar_communication": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "similar_hashes": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "similar_strings": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "similiar_iocs": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sip_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "site_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + 
} + } }, "source_interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "source_object": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "source_os": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "special_properties": { "type": "long" }, "specific_data_type_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "speed": { "type": "long" }, "spyware_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "spyware_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "spyware_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "src_country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "src_phone_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "src_user_dn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "src_user_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "srckeyid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, 
"status_update": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sub_policy_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sub_policy_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subs_exp": { "type": "date" 
@@ -1392,65 +2827,135 @@ }, "summary": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "suppressed_logs": { "type": "long" }, "sync": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sys_message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tcp_end_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tcp_flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tcp_packet_out_of_state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tcp_state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "te_verdict_determined_by": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "termination_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ticket_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tls_server_host_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "top_archive_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "total_attachments": { "type": "long" }, "triggered_by": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + 
"type": "match_only_text" + } + } }, "trusted_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "unique_detected_day": { "type": "long" 
@@ -1463,109 +2968,234 @@ }, "update_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user_agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vendor_list": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "verdict": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "via": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "virus_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_attach_action_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_attach_sz": { "type": "long" }, "voip_call_dir": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_call_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_call_state": { "ignore_above": 1024, - "type": "keyword" + 
"type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_call_term_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_config": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_duration": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_est_codec": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_exp": { "type": "long" }, "voip_from_user_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_log_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_media_codec": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_media_ipp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_media_port": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_reason_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_reg_int": { "type": "long" 
@@ -1581,31 +3211,66 @@ }, "voip_reg_user_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_reject_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "voip_to_user_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vpn_feature_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "watermark": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "web_server_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "word_list": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/cisco.json b/salt/elasticsearch/templates/component/ecs/cisco.json index 3800b79fc..fcbd6db6f 100644 --- a/salt/elasticsearch/templates/component/ecs/cisco.json +++ b/salt/elasticsearch/templates/component/ecs/cisco.json @@ -17,11 +17,21 @@ "properties": { "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "short_description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -29,7 +39,12 @@ "properties": { "arguments": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -40,7 +55,12 @@ }, "connector_guid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "external_ip": { "type": "ip" @@ -52,31 +72,61 @@ }, "connector_guid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "detection": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "detection_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "error": { "properties": { "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "error_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "event_type_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "file": { "properties": { @@ -84,21 +134,41 @@ "properties": { "disposition": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "identity": { "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } 
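Review bot: The new `text` sub-field on `md5`, `sha1` and `sha256` (and on `connector_guid`, `detection_id` and `event_type_id` in the neighbouring hunks on this line) adds little: a hex hash analyzes to a single lowercased token and a GUID to its hyphen-separated pieces, so the sub-field offers little beyond case-insensitive matching while every value is indexed twice. If case-insensitive lookup is the goal for these identifiers, a `normalizer` on the existing `keyword` achieves it without the second index; otherwise leaving such fields as plain `"type": "keyword"` keeps the mapping smaller. The enclosing `properties` object opens before this hunk.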
@@ -108,34 +178,64 @@ "properties": { "application": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "attacked_module": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "base_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "indicators": { "type": "flattened" }, "suspicious_files": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "disposition": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "parent": { "properties": { "disposition": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -143,27 +243,52 @@ }, "group_guids": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mitre_tactics": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mitre_techniques": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "network_info": { "properties": { "disposition": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "nfm": { "properties": { "direction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -171,13 +296,23 @@
 "properties": {
 "disposition": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "identify": {
 "properties": {
 "sha256": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 }
 }
 },
@@ -185,11 +320,21 @@
 "properties": {
 "md5": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "sha1": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 }
 }
 }
@@ -201,11 +346,21 @@
 "properties": {
 "cve": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "mac": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 }
 }
 },
@@ -216,7 +371,12 @@
 },
 "description": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "malicious_detections": {
 "type": "long"
@@ -245,34 +405,69 @@ }, "incident_hunt_guid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "incident_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "incident_remediation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "incident_report_guid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "incident_start_time": { "type": "date" }, "incident_summary": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "incident_title": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tactics": { "type": "flattened" 
@@ -299,57 +494,122 @@ "properties": { "avg_rate": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "configured_avg_rate": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "configured_rate": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cumulative_count": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "current_rate": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "object": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "command_line_arguments": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "connection_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "connection_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dap_records": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "destination_interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "destination_username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "icmp_code": { "type": "short" 
@@ -359,7 +619,12 @@
 },
 "mapped_destination_host": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "mapped_destination_ip": {
 "type": "ip"
@@ -369,7 +634,12 @@
 },
 "mapped_source_host": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "mapped_source_ip": {
 "type": "ip"
@@ -379,65 +649,135 @@ }, "message_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "privilege": { "properties": { "new": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "old": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "rule_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "session_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "source_interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "source_username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "suffix": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "termination_initiator": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "termination_user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "threat_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "threat_level": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tunnel_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "webvpn": { "properties": { "group_name": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -447,23 +787,48 @@ "properties": { "connection_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "connection_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dap_records": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "destination_interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "destination_username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "icmp_code": { "type": "short" @@ -473,7 +838,12 @@ }, "mapped_destination_host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mapped_destination_ip": { "type": "ip" @@ -483,7 +853,12 @@ }, "mapped_source_host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mapped_source_ip": { "type": "ip" 
@@ -493,48 +868,98 @@ }, "message_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rule_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "security": { "type": "object" }, "source_interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "source_username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "suffix": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "termination_initiator": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "termination_user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "threat_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "threat_level": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "webvpn": { "properties": { "group_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -544,11 +969,21 @@ "properties": { "access_list": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "facility": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -556,59 +991,129 @@ "properties": { "amp_disposition": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "amp_malware_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "amp_score": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "av_detections": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "blocked_categories": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "categories": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "content_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "datacenter": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "identities": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "identity_types": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "origin_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "policy_identity_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "puas": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha_sha256": { "ignore_above": 1024, - "type": "keyword" 
+ "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/client.json b/salt/elasticsearch/templates/component/ecs/client.json index 7f5a2169e..acac41413 100644 --- a/salt/elasticsearch/templates/component/ecs/client.json +++ b/salt/elasticsearch/templates/component/ecs/client.json @@ -10,7 +10,12 @@ "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "as": { "properties": { 
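Review bot: The `sha_sha256` field closing this hunk looks like a hash digest, and the added `fields.text` sub-field of type `match_only_text` creates an analyzed copy of a value that is only ever matched exactly, so the extra index space buys no search capability beyond what the existing `"type": "keyword"` with `ignore_above: 1024` already provides. The same blanket addition lands on `hash.md5`, `hash.sha1`, `hash.sha256`, `hash.sha512`, `hash.ssdeep` and `pe.imphash` in the `@@ -48,63 +73,133 @@` hunk of dll.json. For these digest fields I would keep the mapping as it was, `"type": "keyword"` with no `fields` block, or, if the uniform change is intended for simplicity, state that trade-off in the commit description. The file header for this section is outside this excerpt, so the file name is inferred from context.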
@@ -37,52 +42,107 @@ }, "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "geo": { "properties": { "city_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "continent_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "continent_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "location": { "type": "geo_point" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -91,7 +151,12 @@ }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "nat": { "properties": { 
@@ -111,25 +176,50 @@ }, "registered_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "top_level_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user": { "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "full_name": { "fields": { @@ -144,25 +234,50 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "fields": { @@ -175,7 +290,12 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -184,4 +304,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/cloud.json b/salt/elasticsearch/templates/component/ecs/cloud.json index f41ab4a8f..1f6bdea8f 100644 --- a/salt/elasticsearch/templates/component/ecs/cloud.json 
+++ b/salt/elasticsearch/templates/component/ecs/cloud.json @@ -12,27 +12,52 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "availability_zone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "instance": { "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -40,7 +65,12 @@ "properties": { "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -48,27 +78,52 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "provider": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "service": { "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -77,4 +132,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/container.json b/salt/elasticsearch/templates/component/ecs/container.json index bd5ce8113..0421ac6ed 100644 
--- a/salt/elasticsearch/templates/component/ecs/container.json +++ b/salt/elasticsearch/templates/component/ecs/container.json @@ -10,17 +10,32 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "image": { "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tag": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -29,15 +44,25 @@ }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "runtime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/cyberark.json b/salt/elasticsearch/templates/component/ecs/cyberark.json index 20e90f6ea..4ed88aa6f 100644 --- a/salt/elasticsearch/templates/component/ecs/cyberark.json +++ b/salt/elasticsearch/templates/component/ecs/cyberark.json 
@@ -12,241 +12,511 @@ "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ca_properties": { "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cpm_disabled": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cpm_error_details": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cpm_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "creation_method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "customer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "database": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "device_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dual_account_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "group_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "in_process": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "index": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "last_fail_date": { "ignore_above": 1024, - 
"type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "last_success_change": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "last_success_reconciliation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "last_success_verification": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "last_task": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "logon_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "other": { "type": "flattened" }, "policy_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "port": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "privcloud": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reset_immediately": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "retries_count": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sequence_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user_dn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + 
"text": { + "type": "match_only_text" + } + } }, "user_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "virtual_username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "extra_details": { "properties": { "ad_process_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ad_process_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "application_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "command": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "connection_component_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dst_host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "logon_account": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "managed_account": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "other": { "type": "flattened" }, "process_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": 
"match_only_text" + } + } }, "process_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "psmid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "session_duration": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "session_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "src_host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "file": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "gateway_station": { "type": "ip" }, "hostname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "iso_timestamp": { "type": "date" }, "issuer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "location": { "doc_values": false, "ignore_above": 4096, "index": false, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "message_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, 
"product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "pvwa_details": { "type": "flattened" @@ -255,7 +525,12 @@ "doc_values": false, "ignore_above": 4096, "index": false, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reason": { "norms": false, @@ -266,34 +541,69 @@ }, "safe": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "source_user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "station": { "type": "ip" }, "target_user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timestamp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vendor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/data_stream.json b/salt/elasticsearch/templates/component/ecs/data_stream.json index dfbfe3f51..fdbb58044 100644 --- a/salt/elasticsearch/templates/component/ecs/data_stream.json +++ b/salt/elasticsearch/templates/component/ecs/data_stream.json @@ -22,4 +22,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/destination.json b/salt/elasticsearch/templates/component/ecs/destination.json index 4fac31200..6f5d7f024 100644 
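Review bot: The `location` field near the end of this hunk is deliberately mapped with `"index": false` and `"doc_values": false`, yet the added `fields.text` sub-field of type `match_only_text` is an independent mapping that the parent's `index: false` does not cover, so a value that was intentionally kept unsearchable becomes full-text searchable, and because `ignore_above` is a keyword-only parameter the text copy is indexed in full regardless of length. The same applies to the `index: false` field in the `@@ -255,7 +525,12 @@` hunk of cyberark.json below (its name is outside that hunk) and to `event.original` in the `@@ -39,43 +64,88 @@` hunk of event.json, which carries the raw event and is usually the largest string in the document. If the intent of those fields is to stay unsearchable, leave them as `"type": "keyword"` without a `fields` block; if making them searchable is intended, the commit description should say so, since it changes both index size and what a user can query.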
--- a/salt/elasticsearch/templates/component/ecs/destination.json +++ b/salt/elasticsearch/templates/component/ecs/destination.json @@ -10,7 +10,12 @@ "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "as": { "properties": { 
@@ -37,52 +42,107 @@ }, "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "geo": { "properties": { "city_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "continent_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "continent_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "location": { "type": "geo_point" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -91,7 +151,12 @@ }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "nat": { "properties": { 
@@ -111,25 +176,50 @@ }, "registered_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "top_level_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user": { "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "full_name": { "fields": { @@ -144,25 +234,50 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "fields": { @@ -175,7 +290,12 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -184,4 +304,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/dll.json b/salt/elasticsearch/templates/component/ecs/dll.json index 84667a6b9..a48de33c3 100644 --- a/salt/elasticsearch/templates/component/ecs/dll.json 
+++ b/salt/elasticsearch/templates/component/ecs/dll.json @@ -12,26 +12,51 @@ "properties": { "digest_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "exists": { "type": "boolean" }, "signing_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "team_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timestamp": { "type": "date" 
@@ -48,63 +73,133 @@ "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha512": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ssdeep": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "pe": { "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "company": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "file_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "imphash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "original_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + 
"text": { + "type": "match_only_text" + } + } } } } @@ -113,4 +208,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/dns.json b/salt/elasticsearch/templates/component/ecs/dns.json index 321a061f5..d7cb39afc 100644 --- a/salt/elasticsearch/templates/component/ecs/dns.json +++ b/salt/elasticsearch/templates/component/ecs/dns.json 
@@ -12,63 +12,128 @@ "properties": { "class": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "data": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ttl": { "type": "long" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } }, "type": "object" }, "header_flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "op_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "question": { "properties": { "class": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "registered_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "top_level_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -77,15 +142,25 @@ }, "response_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/ecs.json b/salt/elasticsearch/templates/component/ecs/ecs.json index 9abfcf61c..1dcbe7c7c 100644 --- a/salt/elasticsearch/templates/component/ecs/ecs.json +++ b/salt/elasticsearch/templates/component/ecs/ecs.json @@ -10,11 +10,16 @@ "properties": { "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/elasticsearch.json b/salt/elasticsearch/templates/component/ecs/elasticsearch.json index f409ed95a..77594f68d 100644 --- a/salt/elasticsearch/templates/component/ecs/elasticsearch.json +++ b/salt/elasticsearch/templates/component/ecs/elasticsearch.json @@ -17,9 +17,14 @@ }, "tags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/error.json b/salt/elasticsearch/templates/component/ecs/error.json index c33f580ab..077cbe9c9 100644 --- a/salt/elasticsearch/templates/component/ecs/error.json +++ b/salt/elasticsearch/templates/component/ecs/error.json @@ -10,11 +10,21 @@ "properties": { "code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "message": { "type": "match_only_text" 
@@ -29,11 +39,16 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/event.json b/salt/elasticsearch/templates/component/ecs/event.json index 0d43760a2..ea9c74cc9 100644 --- a/salt/elasticsearch/templates/component/ecs/event.json +++ b/salt/elasticsearch/templates/component/ecs/event.json @@ -10,26 +10,51 @@ "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "agent_id_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "created": { "type": "date" }, "dataset": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "duration": { "type": "long" 
@@ -39,43 +64,88 @@ }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ingested": { "type": "date" }, "kind": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "module": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "original": { "doc_values": false, "index": false, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "outcome": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "provider": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "risk_score": { "type": "float" @@ -94,19 +164,34 @@ }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} 
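Review bot: `event.original` in the first hunk keeps `"index": false` and `"doc_values": false` on the keyword yet now gets an indexed `match_only_text` subfield, which contradicts the reason those flags are set: the raw event is kept for fidelity, not for searching, and is presumably unindexed deliberately. Indexing the full raw payload into `.text` adds roughly the raw log volume to the inverted index and makes everything in the original line full-text searchable, including anything a later processor removes or masks from the parsed fields. Suggest dropping the `fields` block on this one field so it reads `"original": { "doc_values": false, "index": false, "type": "keyword" }`, unless full-text search over raw events is an explicit goal, in which case that decision should be recorded in the commit message since the JSON cannot carry a comment.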
diff --git a/salt/elasticsearch/templates/component/ecs/file.json b/salt/elasticsearch/templates/component/ecs/file.json index 6242cc324..38b32aefe 100644 --- a/salt/elasticsearch/templates/component/ecs/file.json +++ b/salt/elasticsearch/templates/component/ecs/file.json @@ -13,32 +13,62 @@ }, "attributes": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "code_signature": { "properties": { "digest_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "exists": { "type": "boolean" }, "signing_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "team_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timestamp": { "type": "date" 
@@ -59,29 +89,59 @@ }, "device": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "directory": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "drive_letter": { "ignore_above": 1, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "elf": { "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "byte_order": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cpu_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "creation_date": { "type": "date" 
@@ -93,34 +153,69 @@ "properties": { "abi_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "class": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "data": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "entrypoint": { "type": "long" }, "object_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "os_abi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -137,22 +232,42 @@ }, "flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "physical_offset": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "physical_size": { "type": "long" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "virtual_address": { "type": "long" 
@@ -167,87 +282,177 @@ "properties": { "sections": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } }, "type": "nested" }, "shared_libraries": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "telfhash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "extension": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fork_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "gid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "hash": { "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha512": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ssdeep": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "inode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + 
"fields": { + "text": { + "type": "match_only_text" + } + } }, "mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mtime": { "type": "date" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "owner": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "path": { "fields": { @@ -262,31 +467,66 @@ "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "company": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "file_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "imphash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "original_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
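Review bot: The `file.hash.*` fields (`md5`, `sha1`, `sha256`, `sha512`, `ssdeep`), `file.elf.telfhash` in the first hunk and `file.pe.imphash` in the second are exact-match identifiers and gain nothing from a `match_only_text` subfield, while the subfield is easy to misuse in detection content: with the default analyzer, an `ssdeep` value (which contains `:`, `/` and `+`) is presumably split into several tokens, so a `.text` query matching one fragment is not evidence that the fuzzy hashes match, and for hex digests `.text` merely duplicates the keyword. Suggest leaving these at plain `keyword` with no `fields` block, and keeping IoC lookups on the keyword field. The same reasoning applies to the hash-like fields in fortinet.json (`crc32`, `checksum`, `certhash`, `analyticscksum`), which are not repeated in a separate note.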
@@ -304,47 +544,97 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "x509": { "properties": { "alternative_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -356,11 +646,21 @@ }, "public_key_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "public_key_curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "public_key_exponent": { "doc_values": false, 
@@ -372,47 +672,97 @@ }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "version_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -421,4 +771,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/fortinet.json b/salt/elasticsearch/templates/component/ecs/fortinet.json index 1f9b7496d..48d12654e 100644 --- a/salt/elasticsearch/templates/component/ecs/fortinet.json +++ b/salt/elasticsearch/templates/component/ecs/fortinet.json 
@@ -14,7 +14,12 @@
 "properties": {
 "crc32": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 }
 }
 }
@@ -24,103 +29,213 @@ "properties": { "acct_stat": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "acktime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "act": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "activity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "addr": { "type": "ip" }, "addr_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "addrgrp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "adgroup": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "admin": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "age": { "type": "long" }, "agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "alarmid": { "type": "long" }, "alert": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "analyticscksum": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "analyticssubmit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ap": { "ignore_above": 1024, - 
"type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "app-type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "appact": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "appid": { "type": "long" }, "applist": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "apprisk": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "apscan": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "apsn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "apstatus": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "aptype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "assigned": { "type": "ip" @@ -130,19 +245,39 @@ }, "attachment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "attack": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "attackcontext": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "attackcontextid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "attackid": { "type": "long" 
@@ -152,107 +287,222 @@ }, "auditscore": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "audittime": { "type": "long" }, "authgrp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "authid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "authproto": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "authserver": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "bandwidth": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "banned_rule": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "banned_src": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "banword": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "botnetdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "botnetip": { "type": "ip" }, "bssid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "call_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "carrier_ep": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cat": { "type": "long" }, "category": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cdrcontent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "centralnatid": { "type": "long" }, "cert": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cert-type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "certhash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cfgattr": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cfgobj": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cfgpath": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cfgtid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cfgtxpower": { "type": "long" 
@@ -262,73 +512,153 @@ }, "channeltype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "chassisid": { "type": "long" }, "checksum": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "chgheaders": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cldobjid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "client_addr": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cloudaction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "clouduser": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "column": { "type": "long" }, "command": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "community": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "configcountry": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "connection_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "conserve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "constraint": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "contentdisarmed": { "ignore_above": 
1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "contenttype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cookies": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "count": { "type": "long" 
@@ -380,76 +710,156 @@ }, "crl": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "crlevel": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "crscore": { "type": "long" }, "cveid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "daemon": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "datarange": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "date": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ddnsserver": { "type": "ip" }, "desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "detectionmethod": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "devcategory": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "devintfname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "devtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dhcp_msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dintf": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "disk": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", 
+ "fields": { + "text": { + "type": "match_only_text" + } + } }, "disklograte": { "type": "long" }, "dlpextra": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "docsource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "domainctrlauthstate": { "type": "long" 
@@ -459,144 +869,294 @@ }, "domainctrldomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "domainctrlip": { "type": "ip" }, "domainctrlname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "domainctrlprotocoltype": { "type": "long" }, "domainctrlusername": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "domainfilteridx": { "type": "long" }, "domainfilterlist": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ds": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dst_int": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dstcountry": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dstdevcategory": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dstdevtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dstfamily": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dsthwvendor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dsthwversion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dstinetsvc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + 
"type": "match_only_text" + } + } }, "dstintfrole": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dstosname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dstosversion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dstserver": { "type": "long" }, "dstssid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dstswversion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dstunauthusersource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dstuuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "duid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "eapolcnt": { "type": "long" }, "eapoltype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "encrypt": { "type": "long" }, "encryption": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "epoch": { "type": "long" }, "espauth": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "esptransform": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "eventtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + 
"type": "match_only_text" + } + } }, "exch": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "exchange": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "expectedsignature": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "expiry": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fams_pause": { "type": "long" 
@@ -606,79 +1166,159 @@ }, "fctemssn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fctuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "field": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "filefilter": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "filehashsrc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "filtercat": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "filteridx": { "type": "long" }, "filtername": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "filtertype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fortiguardresp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "forwardedfor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fqdn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "frametype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "freediskstorage": { "type": "long" }, "from": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "from_vcluster": { "type": "long" }, 
"fsaverdict": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fwserver_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "gateway": { "type": "ip" }, "green": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "groupid": { "type": "long" 
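Review bot: The `text` multi-field added under each keyword in this hunk — and repeated identically in every following fortinet hunk and in the gcp.json and google_workspace.json hunks — is not covered by the sibling `"ignore_above": 1024`, which is a keyword-only parameter, so values longer than 1024 characters that the keyword silently dropped are now indexed in full through the `match_only_text` subfield; for free-form fields such as `rawdata` and `ruledata` in the `@@ -1093,80 +2093,165 @@` hunk that changes both index size and what becomes searchable. `match_only_text` exists only from Elasticsearch 7.14 onward, so the template will fail to install on an older cluster; that minimum version is worth recording in the commit message. Each multi-field is, as far as I know, counted toward `index.mapping.total_fields.limit` (default 1000), and this change roughly doubles the fortinet template's field count, so confirm the index settings raise that limit or that the total stays under it. Where full-text search on a field is not actually wanted, keep the original form, e.g. `"rawdata": { "ignore_above": 1024, "type": "keyword" }`.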
@@ -688,53 +1328,108 @@ }, "ha_group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ha_role": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "handshake": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "hbdn_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "highcount": { "type": "long" }, "host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "iaid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "icmpcode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "icmpid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "icmptype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "identifier": { "type": "long" }, "in_spi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "incidentserialno": { "type": "long" 
@@ -747,42 +1442,87 @@ }, "informationsource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "init": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "initiator": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "intf": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "invalidmac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ip": { "type": "ip" }, "iptype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "keyword": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "kind": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "lanin": { "type": "long" @@ -795,14 +1535,24 @@ }, "license_limit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "limit": { "type": "long" }, "line": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "live": { "type": "long" 
@@ -812,37 +1562,72 @@ }, "log": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "login": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "lowcount": { "type": "long" }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "malform_data": { "type": "long" }, "malform_desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "manuf": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "masterdstmac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mastersrcmac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mediumcount": { "type": "long" 
@@ -852,65 +1637,135 @@ }, "meshmode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "message_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mgmtcnt": { "type": "long" }, "mode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "module": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "monitor-name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "monitor-type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mpsk": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "msgproto": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mtu": { "type": "long" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "nat": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "netid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "new_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "new_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", 
+ "fields": { + "text": { + "type": "match_only_text" + } + } }, "newchannel": { "type": "long" @@ -926,18 +1781,33 @@ }, "nf_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "noise": { "type": "long" }, "old_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "old_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "oldchannel": { "type": "long" 
@@ -950,76 +1820,156 @@ }, "oldsn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "oldwprof": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "onwire": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "opercountry": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "opertxpower": { "type": "long" }, "osname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "osversion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "out_spi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "outintf": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "passedcount": { "type": "long" }, "passwd": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "peer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "peer_notif": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "phase2_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "phone": { "ignore_above": 1024, - "type": "keyword" + "type": 
"keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "pid": { "type": "long" }, "policytype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "poolname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "port": { "type": "long" 
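Review bot: `passwd` in this hunk receives the same `match_only_text` subfield as every other keyword, so if a log source ever emits a credential value in that field it becomes retrievable by free-text query as well as by exact match, and the keyword's `ignore_above` no longer bounds what is indexed. Unless that value is known to be masked upstream, I would leave the key as it was, `"passwd": { "ignore_above": 1024, "type": "keyword" }`, rather than include it in the blanket multi-field. `rsso_key` in the `@@ -1093,80 +2093,165 @@` hunk looks like it deserves the same review.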
@@ -1032,55 +1982,105 @@ }, "probeproto": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "process": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "processtime": { "type": "long" }, "profile": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "profile_vd": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "profilegroup": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "profiletype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "qtypeval": { "type": "long" }, "quarskip": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "quotaexceeded": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "quotamax": { "type": "long" }, "quotatype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "quotaused": { "type": "long" }, "radioband": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "radioid": { "type": "long" 
@@ -1093,80 +2093,165 @@ }, "rate": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rawdata": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rawdataid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rcvddelta": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "received": { "type": "long" }, "receivedsignature": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "red": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "referralurl": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "remote": { "type": "ip" }, "remotewtptime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reporttype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reqtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "request_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "result": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "role": { "ignore_above": 1024, - "type": "keyword" + 
"type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rssi": { "type": "long" }, "rsso_key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ruledata": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ruletype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "scanned": { "type": "long" 
@@ -1176,43 +2261,93 @@ }, "scope": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "security": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sensitivity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sensor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sentdelta": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "seq": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "serial": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "serialno": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "server": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "session_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sessionid": { "type": "long" @@ -1222,7 +2357,12 @@ }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "shaperdroprcvdbyte": { "type": "long" 
@@ -1235,15 +2375,30 @@ }, "shaperperipname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "shaperrcvdname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "shapersentname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "shapingpolicyid": { "type": "long" 
@@ -1259,164 +2414,354 @@ }, "sn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "snclosest": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sndetected": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "snmeshparent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "spi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "src_int": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "srccountry": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "srcfamily": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "srchwvendor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "srchwversion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "srcinetsvc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "srcintfrole": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "srcname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "srcserver": { "type": "long" }, "srcssid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + 
"fields": { + "text": { + "type": "match_only_text" + } + } }, "srcswversion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "srcuuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sscname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ssid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sslaction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ssllocal": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sslremote": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "stacount": { "type": "long" }, "stage": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "stamac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "stitch": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "submodule": { "ignore_above": 1024, - "type": "keyword" + "type": 
"keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subservice": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "suspicious": { "type": "long" }, "switchproto": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sync_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sync_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sysuptime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tamac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "threattype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "to_vcluster": { "type": "long" 
@@ -1429,22 +2774,42 @@ }, "trace_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "trandisp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "transid": { "type": "long" }, "translationid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "trigger": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "trueclntip": { "type": "ip" @@ -1457,19 +2822,39 @@ }, "tunneltype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ui": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "unauthusersource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "unit": { "type": "long" @@ -1479,15 +2864,30 @@ }, "urlfilterlist": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "urlsource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "urltype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "used": { "type": "long" 
@@ -1497,19 +2897,39 @@ }, "utmaction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "utmref": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vap": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vapmode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vcluster": { "type": "long" 
@@ -1519,75 +2939,150 @@ }, "vcluster_state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vd": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vdname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vendorurl": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vip": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "virus": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "virusid": { "type": "long" }, "voip_proto": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vpn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vpntunnel": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vpntype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vrf": { "type": "long" }, "vulncat": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vulnid": { "type": "long" }, "vulnname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vwlid": { "type": "long" }, "vwlquality": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vwlservice": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vwpvlanid": { "type": "long" @@ -1597,22 +3092,42 @@ }, "wanoptapptype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "wanout": { "type": "long" }, "weakwepiv": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "xauthgroup": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "xauthuser": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "xid": { "type": "long" diff --git a/salt/elasticsearch/templates/component/ecs/gcp.json b/salt/elasticsearch/templates/component/ecs/gcp.json index 5ac9dcbe4..1ebc9210b 100644 --- a/salt/elasticsearch/templates/component/ecs/gcp.json +++ b/salt/elasticsearch/templates/component/ecs/gcp.json @@ -14,17 +14,32 @@ "properties": { "authority_selector": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "principal_email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "method_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "num_response_items": { "type": "long" 
@@ -33,19 +48,39 @@ "properties": { "filter": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "proto_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "resource_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -56,7 +91,12 @@ }, "caller_supplied_user_agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -64,13 +104,23 @@ "properties": { "current_locations": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "resource_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "response": { "properties": { 
@@ -78,35 +128,70 @@ "properties": { "group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "kind": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "proto_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "service_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "properties": { @@ -115,13 +200,23 @@ }, "message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -131,15 +226,30 @@ "properties": { "project_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "zone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -147,15 +257,30 @@ "properties": { "project_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subnetwork_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vpc_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -167,42 +292,87 @@ "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "destination_range": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "direction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "priority": { "type": "long" }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "source_range": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "source_service_account": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "source_tag": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "target_service_account": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "target_tag": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } 
@@ -214,15 +384,30 @@ "properties": { "project_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "zone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -230,15 +415,30 @@ "properties": { "project_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subnetwork_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vpc_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -248,7 +448,12 @@ "properties": { "reporter": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rtt": { "properties": { diff --git a/salt/elasticsearch/templates/component/ecs/google_workspace.json b/salt/elasticsearch/templates/component/ecs/google_workspace.json index 526bd9bb5..a15f9d33c 100644 --- a/salt/elasticsearch/templates/component/ecs/google_workspace.json +++ b/salt/elasticsearch/templates/component/ecs/google_workspace.json @@ -12,11 +12,21 @@ "properties": { "key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -26,7 +36,12 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -36,13 +51,23 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "scopes": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -50,35 +75,75 @@ "properties": { "asp_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "edition": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "enabled": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "licences_order_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "licences_purchased": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "package_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -96,11 +161,21 @@ "properties": { "allowed": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "enabled": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -108,7 +183,12 @@ "properties": { "session_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -116,19 +196,39 @@ "properties": { "command_details": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -138,11 +238,21 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -152,15 +262,30 @@ "properties": { "alias": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "secondary_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -173,7 +298,12 @@ }, "message_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "recipient": { "properties": { @@ -182,7 +312,12 @@ }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -193,7 +328,12 @@ }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -204,7 +344,12 @@ }, "quarantine_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -215,11 +360,21 @@ }, "package_content": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "query": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -227,25 +382,50 @@ "properties": { "dest_email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "level": { "properties": { "chat": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "draft": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "incoming": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "outgoing": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -253,13 +433,23 @@ }, "field": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "gateway": { "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -267,35 +457,70 @@ "properties": { "allowed_list": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "priorities": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "info_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "managed_configuration": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mdm": { "properties": { "token": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vendor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -305,11 +530,21 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -317,7 +552,12 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -328,11 +568,21 @@ }, "new_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "non_featured_services_selection": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "oauth2": { "properties": { 
@@ -340,15 +590,30 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -356,7 +621,12 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -364,17 +634,32 @@ }, "old_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "org_unit": { "properties": { "full": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -382,7 +667,12 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -390,7 +680,12 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -398,7 +693,12 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -406,11 +706,21 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sku": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -418,7 +728,12 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -426,7 +741,12 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -434,11 +754,21 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -446,7 +776,12 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -454,7 +789,12 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -462,11 +802,21 @@ "properties": { "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -474,7 +824,12 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -485,11 +840,21 @@ }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "nickname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -497,13 +862,23 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "verification_method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -511,30 +886,55 @@ "properties": { "added_role": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "billable": { "type": "boolean" }, "destination_folder_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "destination_folder_title": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "file": { "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "owner": { "properties": { "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "is_shared_drive": { "type": "boolean" 
@@ -543,72 +943,152 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "membership_change_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "new_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "old_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "old_visibility": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "originating_app_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "primary_event": { "type": "boolean" }, "removed_role": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "shared_drive_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "shared_drive_settings_change_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sheets_import_range_recipient_doc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "source_folder_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "source_folder_title": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "target": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": 
"match_only_text" + } + } }, "target_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "visibility": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "visibility_change": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -616,7 +1096,12 @@ "properties": { "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -624,21 +1109,41 @@ "properties": { "acl_permission": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "member": { "properties": { "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "role": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -646,53 +1151,108 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "moderation_action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "new_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "old_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "setting": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "kind": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "login": { "properties": { "affected_email_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "challenge_method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "failure_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "is_second_factor": { "type": "boolean" @@ -702,7 +1262,12 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -710,7 +1275,12 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -718,27 +1288,57 @@ "properties": { "application_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "failure_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "initiated_by": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "orgunit_path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "second_level_status_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/group.json b/salt/elasticsearch/templates/component/ecs/group.json index ed40b4d9f..7c7888228 100644 --- a/salt/elasticsearch/templates/component/ecs/group.json +++ b/salt/elasticsearch/templates/component/ecs/group.json @@ -10,19 +10,34 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} 
diff --git a/salt/elasticsearch/templates/component/ecs/host.json b/salt/elasticsearch/templates/component/ecs/host.json
index cf69aad56..b7d5c49f7 100644
--- a/salt/elasticsearch/templates/component/ecs/host.json
+++ b/salt/elasticsearch/templates/component/ecs/host.json
@@ -10,7 +10,12 @@
 "properties": {
 "architecture": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "cpu": {
 "properties": {
@@ -40,73 +45,148 @@ }, "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "geo": { "properties": { "city_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "continent_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "continent_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "location": { "type": "geo_point" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "hostname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ip": { "type": "ip" }, "mac": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "network": { "properties": { @@ -136,7 +216,12 @@ "properties": { "family": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "full": { "fields": { @@ -149,7 +234,12 @@ }, "kernel": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "fields": { @@ -162,21 +252,41 @@ }, "platform": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "uptime": { "type": "long" @@ -185,11 +295,21 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "full_name": { "fields": { 
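Review bot: The new `.text` sub-fields in this file sit next to pre-existing `fields` blocks on `full` and `name` (the `"full": { "fields": {` and `"name": { "fields": {` context lines in the `@@ -136,7 +216,12 @@`, `@@ -149,7 +234,12 @@` and `@@ -185,11 +295,21 @@` hunks), whose sub-field type is outside the hunk; if those still declare `"type": "text"`, the same template now carries two different text flavours under the same `.text` name, which is confusing for query authors and for ECS conformance. Confirm they agree, and either migrate the existing ones to `match_only_text` or keep the new ones on the existing type so the convention is uniform. The `mac`, `id`, `country_iso_code` and `region_iso_code` fields are exact-match identifiers; an analyzed copy is rarely useful for them and could be dropped.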
@@ -204,25 +324,50 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "fields": { @@ -235,7 +380,12 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -244,4 +394,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/http.json b/salt/elasticsearch/templates/component/ecs/http.json index d6164a191..fc05e9cb9 100644 --- a/salt/elasticsearch/templates/component/ecs/http.json +++ b/salt/elasticsearch/templates/component/ecs/http.json @@ -30,19 +30,39 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "referrer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -68,7 +88,12 @@
 },
 "mime_type": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 },
 "status_code": {
 "type": "long"
@@ -77,11 +102,16 @@
 },
 "version": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "text": {
+ "type": "match_only_text"
+ }
+ }
 }
 }
 }
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/salt/elasticsearch/templates/component/ecs/juniper.json b/salt/elasticsearch/templates/component/ecs/juniper.json
index 33a5f61d6..406a792d4 100644
--- a/salt/elasticsearch/templates/component/ecs/juniper.json
+++ b/salt/elasticsearch/templates/component/ecs/juniper.json
@@ -12,47 +12,102 @@ "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "action_detail": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "alert": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "apbr_rule_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "application": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "application_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "application_characteristics": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "application_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "application_sub_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "attack_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "client_ip": { "type": "ip" 
@@ -62,85 +117,165 @@ }, "connection_tag": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "context_hit_rate": { "type": "long" }, "context_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "context_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "context_value_hit_rate": { "type": "long" }, "ddos_application_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dscp_value": { "type": "long" }, "dst_nat_rule_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dst_nat_rule_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dst_vrf_grp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "elapsed_time": { "type": "date" }, "encrypted": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "epoch_time": { "type": "date" }, "error_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "error_message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "export_id": { "type": "long" }, "feed_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "file_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": 
"match_only_text" + } + } }, "file_hash_lookup": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "filename": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "hostname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "icmp_type": { "type": "long" @@ -153,39 +288,84 @@ }, "index": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "logical_system_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "malware_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "message_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "nat_connection_tag": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "nested_application": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "obj": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "occur_count": { "type": "long" 
@@ -207,7 +387,12 @@ }, "peer_session_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "peer_source_address": { "type": "ip" 
@@ -217,118 +402,258 @@ }, "policy_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "process": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "profile": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "profile_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "protocol_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "protocol_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "repeat_count": { "type": "long" }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "routing_instance": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rule_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ruleebase_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sample_sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "secure_web_proxy_session_type": { "ignore_above": 1024, - 
"type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "service_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "session_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "session_id_32": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "src_nat_rule_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "src_nat_rule_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "src_vrf_grp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sub_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tag": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "temporary_filename": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tenant_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "th": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "threat_severity": 
{ "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "time_count": { "type": "long" @@ -338,14 +663,24 @@ }, "time_scope": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timestamp": { "type": "date" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "uplink_rx_bytes": { "type": "long" @@ -355,18 +690,33 @@ }, "url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "verdict_number": { "type": "long" }, "verdict_source": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/kibana.json b/salt/elasticsearch/templates/component/ecs/kibana.json index d1ea67de7..2c2193501 100644 --- a/salt/elasticsearch/templates/component/ecs/kibana.json +++ b/salt/elasticsearch/templates/component/ecs/kibana.json 
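Review bot: In this hunk `sample_sha256`, `session_id`, `session_id_32`, `tenant_id` and `th` are opaque hashes or identifiers, and an analyzed `.text` copy of a hex digest or numeric id gives nothing a keyword term lookup does not already give, while still costing a second indexed representation per document. Those entries can stay as plain `"type": "keyword"` with their existing `ignore_above`, with the `match_only_text` sub-field kept for the free-text fields in this hunk such as `reason`, `status` and `policy_name`. The enclosing `properties` object for this section starts before the hunk, so the full set of identifier-like fields may be larger than what is visible here.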
@@ -10,23 +10,48 @@ "properties": { "add_to_spaces": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "authentication_provider": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "authentication_realm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "authentication_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "delete_from_spaces": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "log": { "properties": { @@ -35,37 +60,72 @@ }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "lookup_realm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "saved_object": { "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "session_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "space_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } 
diff --git a/salt/elasticsearch/templates/component/ecs/log.json b/salt/elasticsearch/templates/component/ecs/log.json index e79661b5e..1479c5fc7 100644 --- a/salt/elasticsearch/templates/component/ecs/log.json +++ b/salt/elasticsearch/templates/component/ecs/log.json @@ -12,17 +12,32 @@ "properties": { "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "level": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "logger": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "origin": { "properties": { @@ -33,20 +48,35 @@ }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "function": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "original": { "doc_values": false, "index": false, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "syslog": { "properties": { @@ -57,7 +87,12 @@ }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -71,7 +106,12 @@ }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -83,4 +123,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/logstash.json b/salt/elasticsearch/templates/component/ecs/logstash.json index ecfb17551..2120a0902 100644 --- a/salt/elasticsearch/templates/component/ecs/logstash.json +++ b/salt/elasticsearch/templates/component/ecs/logstash.json 
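Review bot: The `original` entry in the `@@ -33,20 +48,35 @@` hunk of log.json keeps `"index": false` and `"doc_values": false` on the keyword, but the new `.text` sub-field inherits neither setting, so the raw unparsed event becomes tokenized and searchable — presumably the opposite of what disabling indexing on this field was meant to achieve, and the one place in this series where the sub-field changes which data is queryable rather than just adding a second index. Unless full-text search of the original line is intended, this block should stay as `"doc_values": false, "index": false, "type": "keyword"` with no `fields` clause; if it is intended, the `index: false` on the parent is now misleading and deserves a comment in the commit message. The remaining log.json hunks (`path`, `level`, `logger`, `name`, `function`) are ordinary keyword fields and only carry the general cost point raised at the first hunk.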
@@ -14,18 +14,33 @@ "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } }, "type": "object" }, "module": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "pipeline_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "thread": { "fields": { @@ -53,11 +68,21 @@ }, "module": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "plugin_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "plugin_params": { "fields": { @@ -74,7 +99,12 @@ }, "plugin_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "thread": { "fields": { diff --git a/salt/elasticsearch/templates/component/ecs/microsoft.json b/salt/elasticsearch/templates/component/ecs/microsoft.json index 512b99c79..d7431fbe8 100644 --- a/salt/elasticsearch/templates/component/ecs/microsoft.json +++ b/salt/elasticsearch/templates/component/ecs/microsoft.json 
@@ -12,72 +12,142 @@ "properties": { "assignedTo": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "classification": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "determination": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "evidence": { "properties": { "aadUserId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "accountName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "domainName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "entityType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ipAddress": { "type": "ip" }, "userPrincipalName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "incidentId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "investigationId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "investigationState": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "lastUpdateTime": { "type": "date" }, "rbacGroupName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "resolvedTime": { "type": "date" }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": 
"keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "threatFamilyName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -87,26 +157,51 @@ "properties": { "actorName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "assignedTo": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "classification": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "creationTime": { "type": "date" }, "detectionSource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "determination": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "devices": { "type": "flattened" 
@@ -115,145 +210,310 @@ "properties": { "accountName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "clusterBy": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deliveryAction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deviceId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "entityType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ipAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mailboxAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mailboxDisplayName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "recipient": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "registryHive": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "registryKey": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "registryValueType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "securityGroupId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "securityGroupName": { "ignore_above": 1024, - "type": 
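Review bot: `ipAddress` in this hunk is mapped as `"type": "keyword"` with `ignore_above`, whereas `evidence.ipAddress` in the first microsoft.json hunk above is `"type": "ip"`, and the commit now adds a tokenized `.text` copy on top of the keyword form; an analyzed copy of an IP address adds nothing, and the two mappings will not support the same range or CIDR queries. Since the line is being touched anyway, `"ipAddress": { "type": "ip" }` would align it with the sibling definition, provided the source data for this object is always a single address. The enclosing object name for this `properties` block starts before the hunk, so I cannot confirm the two paths are meant to be equivalent.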
"keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sender": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "incidentId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "investigationId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "investigationState": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "lastUpdatedTime": { "type": "date" }, "mitreTechniques": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "resolvedTime": { "type": "date" }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "threatFamilyName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "userSid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "assignedTo": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "classification": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "determination": { "ignore_above": 1024, - "type": "keyword" + "type": 
"keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "incidentId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "incidentName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "investigationState": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "redirectIncidentId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/misp.json b/salt/elasticsearch/templates/component/ecs/misp.json index 8150371ec..d0c7aa519 100644 --- a/salt/elasticsearch/templates/component/ecs/misp.json +++ b/salt/elasticsearch/templates/component/ecs/misp.json @@ -16,15 +16,30 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "kill_chain_phases": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -43,18 +58,33 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "last_seen": { "type": "date" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "objective": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -66,11 +96,21 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -86,23 +126,48 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "identity_class": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "labels": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sectors": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -125,14 +190,24 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "last_seen": { "type": "date" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "primary_motivation": { "norms": false, 
@@ -156,19 +231,39 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "kill_chain_phases": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "labels": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -176,7 +271,12 @@ "properties": { "authors": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "description": { "norms": false, @@ -184,15 +284,30 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "object_refs": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "summary": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -203,7 +318,12 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "last_observed": { "type": "date" @@ -213,7 +333,12 @@ }, "objects": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -225,15 +350,30 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "labels": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "object_refs": { "norms": false, @@ -260,15 +400,30 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "labels": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "personal_motivations": { "norms": false, @@ -300,19 +455,39 @@ "properties": { "attack_pattern": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "attack_pattern_kql": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "campaign": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "confidence": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "description": { "norms": false, 
@@ -324,42 +499,87 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "intrusion_set": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "kill_chain_phases": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "labels": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mitre_tactic": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mitre_technique": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "negate": { "type": "boolean" }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "threat_actor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "valid_from": { "type": "date" @@ -369,7 +589,12 @@ }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -381,7 +606,12 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "kill_chain_phases": { "norms": false, 
@@ -389,15 +619,30 @@ }, "labels": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tool_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -409,11 +654,21 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/netflow.json b/salt/elasticsearch/templates/component/ecs/netflow.json index 10f34c3d4..0e96c0cd6 100644 --- a/salt/elasticsearch/templates/component/ecs/netflow.json +++ b/salt/elasticsearch/templates/component/ecs/netflow.json @@ -34,26 +34,51 @@ }, "application_category_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "application_description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "application_group_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "application_id": { "type": "short" }, "application_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "application_sub_category_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "bgp_destination_as_number": { "type": "long" 
@@ -84,7 +109,12 @@ }, "class_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "classification_engine_id": { "type": "short" @@ -151,7 +181,12 @@ }, "destination_mac_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "destination_transport_port": { "type": "long" @@ -182,14 +217,24 @@ }, "dot1q_customer_destination_mac_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dot1q_customer_priority": { "type": "short" }, "dot1q_customer_source_mac_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dot1q_customer_vlan_id": { "type": "long" @@ -253,7 +298,12 @@ }, "encrypted_technology": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "engine_id": { "type": "short" @@ -298,7 +348,12 @@ "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "source_id": { "type": "long" 
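Review bot: The `match_only_text` subfield added on `destination_mac_address`, `dot1q_customer_destination_mac_address` and `dot1q_customer_source_mac_address` (hunks `@@ -151,7 +181,12 @@` and `@@ -182,14 +217,24 @@`) is analysed by the standard analyzer, which breaks a MAC on `:`/`-` into per-octet tokens, so a query on `.text` for `aa` hits every address containing that octet; exact matching stays on the keyword parent, but the subfield adds an inverted index with no practical search value for these fields. The same applies to `address` in the `@@ -298,7 +348,12 @@` hunk (its sibling `source_id` suggests an exporter address) — if that field holds an IP, only an `ip` mapping would allow CIDR queries, which neither keyword nor text provide. I would keep the MAC fields as `"type": "keyword"` only, as their ECS counterparts are.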
@@ -466,34 +521,69 @@ }, "http_content_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "http_message_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "http_reason_phrase": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "http_request_host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "http_request_method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "http_request_target": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "http_status_code": { "type": "long" }, "http_user_agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "icmp_code_ipv4": { "type": "short" @@ -536,7 +626,12 @@ }, "information_element_description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "information_element_id": { "type": "long" @@ -546,7 +641,12 @@ }, "information_element_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "information_element_range_begin": { "type": "long" 
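Review bot: In the first hunk, `http_user_agent` and `http_request_target` keep `ignore_above: 1024` on the keyword while the new `.text` subfield has no such cap (text types do not support `ignore_above`), so a user-agent or request target longer than 1024 characters becomes invisible to exact-term queries and aggregations but still matches full-text queries on `.text`. Oversized values in exactly these two fields are a common place for smuggled payloads (padded UA strings, long encoded query strings), so a detection written against the keyword field silently misses them while one written against `.text` does not. Either document this divergence in the template or raise the cap for these two fields, e.g. `"http_request_target": { "ignore_above": 8191, "type": "keyword", "fields": { "text": { "type": "match_only_text" } } }`.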
@@ -589,11 +689,21 @@ }, "interface_description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "interface_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "intermediate_process_id": { "type": "long" @@ -741,7 +851,12 @@ }, "metro_evc_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "metro_evc_type": { "type": "short" @@ -754,29 +869,54 @@ }, "mib_context_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mib_index_indicator": { "type": "long" }, "mib_module_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mib_object_description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mib_object_identifier": { "type": "short" }, "mib_object_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mib_object_syntax": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mib_object_value_bits": { "type": "short" @@ -834,11 +974,21 @@ }, "mobile_imsi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mobile_msisdn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "monitoring_interval_end_milli_seconds": { "type": "date" 
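Review bot: `mobile_imsi` and `mobile_msisdn` (last hunk on this line) gain a `match_only_text` subfield, which creates a second, tokenised inverted index of subscriber identifiers; these are sensitive identifiers that usually fall under data-minimisation rules, a numeric identifier gains nothing from tokenised search, and the extra copy makes field-level redaction or field-level security applied to the keyword alone incomplete. I would keep these two as `"type": "keyword"` with no `fields` block and reserve the subfield for genuinely free-form fields in the same file such as `interface_description` and `mib_object_description`.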
@@ -929,7 +1079,12 @@ }, "nat_pool_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "nat_quota_exceeded_event": { "type": "long" @@ -963,7 +1118,12 @@ }, "observation_domain_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "observation_point_id": { "type": "long" @@ -1021,7 +1181,12 @@ }, "p2p_technology": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "packet_delta_count": { "type": "long" @@ -1052,7 +1217,12 @@ }, "post_destination_mac_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "post_dot1q_customer_vlan_id": { "type": "long" @@ -1128,7 +1298,12 @@ }, "post_source_mac_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "post_vlan_id": { "type": "long" @@ -1180,7 +1355,12 @@ }, "sampler_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sampler_random_interval": { "type": "long" @@ -1247,7 +1427,12 @@ }, "selector_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "session_scope": { "type": "short" @@ -1272,7 +1457,12 @@ }, "source_mac_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "source_transport_port": { "type": "long" @@ -1288,7 +1478,12 @@ }, "sta_mac_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "system_init_time_milliseconds": { "type": "date" 
@@ -1355,11 +1550,21 @@ }, "tunnel_technology": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "udp_destination_port": { "type": "long" @@ -1375,7 +1580,12 @@ }, "user_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "value_distribution_method": { "type": "short" @@ -1385,11 +1595,21 @@ }, "virtual_station_interface_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "virtual_station_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "virtual_station_uuid": { "type": "short" @@ -1402,18 +1622,33 @@ }, "vr_fname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "wlan_channel_id": { "type": "short" }, "wlan_ssid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "wtp_mac_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/network.json b/salt/elasticsearch/templates/component/ecs/network.json index c2e35efd0..3388e9651 100644 --- a/salt/elasticsearch/templates/component/ecs/network.json +++ b/salt/elasticsearch/templates/component/ecs/network.json 
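Review bot: `user_name` (hunk `@@ -1375,7 +1580,12 @@`) now has two searchable forms with different matching semantics: the keyword parent is case-sensitive and exact, while the standard analyzer behind `user_name.text` lowercases and tokenises, so `user_name.text:administrator` matches `Administrator` and `DOMAIN\Administrator` but `user_name:administrator` does not. Detection rules written against one form and tested against the other will disagree, which is easy to miss because both fields resolve in Kibana; it would be worth stating in the template description or the project's rule-writing guidance which form is the intended target for account-name matching. The `No newline at end of file` fix in the last hunk is fine.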
@@ -10,25 +10,45 @@ "properties": { "application": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "bytes": { "type": "long" }, "community_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "direction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "forwarded_ip": { "type": "ip" }, "iana_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "inner": { "properties": { @@ -36,11 +56,21 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -49,32 +79,62 @@ }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "packets": { "type": "long" }, "protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "transport": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vlan": { "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -83,4 +143,4 @@ } } } -} \ No newline at end of file +} 
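Review bot: Every `fields.text` multi-field added in these hunks — including on identifier-shaped fields such as `community_id`, `iana_number` and `vlan.id`, where tokenised search has no obvious use — is a separate mapped field that, to my knowledge, counts toward `index.mapping.total_fields.limit` (default 1000); since the same pattern is applied across the other component templates in this commit, the composed index template may approach that limit, which fails index creation outright rather than degrading gracefully. Please confirm the limit is raised in the index settings, or restrict the subfield to free-form fields and keep identifiers as `"community_id": { "ignore_above": 1024, "type": "keyword" }`. Note also that `match_only_text` requires Elasticsearch 7.14 or later; the pinned version is not visible from this hunk.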
diff --git a/salt/elasticsearch/templates/component/ecs/o365.json b/salt/elasticsearch/templates/component/ecs/o365.json index d1bdb29b1..a7df16b97 100644 --- a/salt/elasticsearch/templates/component/ecs/o365.json +++ b/salt/elasticsearch/templates/component/ecs/o365.json 
@@ -12,71 +12,156 @@ "properties": { "AADGroupId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ActorContextId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ActorIpAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ActorUserId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ActorYammerUserId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "AlertEntityId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "AlertId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "AlertType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "AppId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ApplicationDisplayName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ApplicationId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "AzureActiveDirectoryEventType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ClientAppId": { "ignore_above": 1024, - "type": 
"keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ClientIP": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ClientIPAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ClientInfoString": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Comments": { "norms": false, 
@@ -84,46 +169,96 @@ }, "CommunicationType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "CorrelationId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "CreationTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "CustomUniqueId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Data": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "DataType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "DoNotDistributeEvent": { "type": "boolean" }, "EntityType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ErrorNumber": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "EventData": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "EventSource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ExceptionInfo": { "properties": { 
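Review bot: `CreationTime` in this hunk is mapped as `keyword` with a new `match_only_text` subfield, which means the event's own audit timestamp can only be matched as a string — no range queries, no date histograms — and the tokenised `.text` copy of an ISO timestamp has no meaningful use. Unless the ingest pipeline already copies this value into `@timestamp` (not visible here), `"CreationTime": { "type": "date" }` is the mapping that supports time-bounded investigation of O365 activity. `Data` and `EventData`, also in this hunk, keep `ignore_above: 1024` on the keyword while the text subfield has no cap, so payloads over 1 KiB are full-text searchable but drop out of exact-term queries and aggregations; that asymmetry should at least be documented for rule authors.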
@@ -148,38 +283,78 @@ }, "ExternalAccess": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "FromApp": { "type": "boolean" }, "GroupName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ImplicitShare": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "IncidentId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "InterSystemsId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "InternalLogonType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "IntraSystemId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "IsDocLib": { "type": "boolean" 
@@ -201,67 +376,147 @@ }, "ItemName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ItemType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ListBaseTemplateType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ListBaseType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ListColor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ListIcon": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ListId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ListItemUniqueId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ListTitle": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "LogonError": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "LogonType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "LogonUserSid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "MailboxGuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "MailboxOwnerMasterAccountSid": { "ignore_above": 1024, - "type": "keyword" + "type": 
"keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "MailboxOwnerSid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "MailboxOwnerUPN": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Members": { "properties": { @@ -283,27 +538,57 @@ }, "Name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ObjectId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Operation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "OrganizationId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "OrganizationName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "OriginatingServer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Parameters": { "properties": { 
@@ -314,27 +599,57 @@ }, "PolicyId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "RecordType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ResultStatus": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "SensitiveInfoDetectionIsIncluded": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "SessionId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "SharePointMetaData": { "properties": { 
@@ -345,95 +660,210 @@ }, "Site": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "SiteUrl": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Source": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "SourceFileExtension": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "SourceFileName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "SourceRelativeUrl": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "SupportTicketId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "TargetContextId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "TargetUserOrGroupName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "TargetUserOrGroupType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "TeamGuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "TeamName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "TemplateTypeId": { "ignore_above": 1024, - "type": "keyword" + 
"type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "UniqueSharingId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "UserAgent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "UserId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "UserKey": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "UserType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "WebId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Workload": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "YammerNetworkId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/observer.json b/salt/elasticsearch/templates/component/ecs/observer.json index ecd3b1155..d760e5210 100644 --- a/salt/elasticsearch/templates/component/ecs/observer.json +++ b/salt/elasticsearch/templates/component/ecs/observer.json 
@@ -14,15 +14,30 @@ "properties": { "alias": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -30,17 +45,32 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "zone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } }, "type": "object" 
@@ -49,52 +79,107 @@ "properties": { "city_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "continent_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "continent_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "location": { "type": "geo_point" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "hostname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ingress": { "properties": { 
@@ -102,15 +187,30 @@ "properties": { "alias": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -118,17 +218,32 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "zone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } }, "type": "object" @@ -138,17 +253,32 @@ }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "os": { "properties": { "family": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "full": { "fields": { @@ -161,7 +291,12 @@ }, "kernel": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "fields": { 
@@ -174,41 +309,81 @@ }, "platform": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vendor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/okta.json b/salt/elasticsearch/templates/component/ecs/okta.json index dcfaab1c2..22239efc5 100644 --- a/salt/elasticsearch/templates/component/ecs/okta.json +++ b/salt/elasticsearch/templates/component/ecs/okta.json 
@@ -12,19 +12,39 @@ "properties": { "alternate_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "display_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -32,26 +52,51 @@ "properties": { "authentication_provider": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "authentication_step": { "type": "long" }, "credential_provider": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "credential_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "external_session_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -59,11 +104,21 @@ "properties": { "device": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ip": { "type": "ip" 
@@ -72,21 +127,41 @@ "properties": { "browser": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "os": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "raw_user_agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "zone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -96,33 +171,68 @@ "properties": { "device_fingerprint": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "request_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "request_uri": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "suspicious_activity": { "properties": { "browser": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "event_city": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "event_country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "event_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "event_ip": { "type": "ip" 
@@ -135,19 +245,39 @@ }, "event_state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "event_transaction_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "event_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "os": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timestamp": { "type": "date" @@ -156,11 +286,21 @@ }, "threat_suspected": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -168,21 +308,41 @@ }, "display_message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "event_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "outcome": { "properties": { "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "result": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -194,22 +354,42 @@ "properties": { "city": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "geolocation": { "type": "geo_point" }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -218,11 +398,21 @@ }, "source": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -239,7 +429,12 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -247,20 +442,35 @@ }, "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "is_proxy": { "type": "boolean" }, "isp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "target": { "type": "flattened" 
@@ -269,21 +479,41 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/orchestrator.json b/salt/elasticsearch/templates/component/ecs/orchestrator.json index 87f2af201..b7df8e5c4 100644 --- a/salt/elasticsearch/templates/component/ecs/orchestrator.json +++ b/salt/elasticsearch/templates/component/ecs/orchestrator.json 
@@ -10,51 +10,96 @@ "properties": { "api_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cluster": { "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "namespace": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "resource": { "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/organization.json b/salt/elasticsearch/templates/component/ecs/organization.json index b0ea050fa..1e656a893 100644 --- a/salt/elasticsearch/templates/component/ecs/organization.json +++ b/salt/elasticsearch/templates/component/ecs/organization.json @@ -10,7 +10,12 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "fields": { @@ -26,4 +31,4 @@ } } } -} \ No newline at end of file +} 
diff --git a/salt/elasticsearch/templates/component/ecs/package.json b/salt/elasticsearch/templates/component/ecs/package.json index b726f8f7f..6ca0bf6c1 100644 --- a/salt/elasticsearch/templates/component/ecs/package.json +++ b/salt/elasticsearch/templates/component/ecs/package.json @@ -10,57 +10,112 @@ "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "build_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "checksum": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "install_scope": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "installed": { "type": "date" }, "license": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "size": { "type": "long" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} 
diff --git a/salt/elasticsearch/templates/component/ecs/process.json b/salt/elasticsearch/templates/component/ecs/process.json index a95fe6bba..ffb038c59 100644 --- a/salt/elasticsearch/templates/component/ecs/process.json +++ b/salt/elasticsearch/templates/component/ecs/process.json @@ -10,7 +10,12 @@ "properties": { "args": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "args_count": { "type": "long" @@ -19,26 +24,51 @@ "properties": { "digest_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "exists": { "type": "boolean" }, "signing_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "team_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timestamp": { "type": "date" @@ -63,15 +93,30 @@ "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "byte_order": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cpu_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "creation_date": { "type": "date" 
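Review bot: `match_only_text`, introduced under `process.args` in the `@@ -10,7 +10,12 @@` hunk and repeated for every keyword in this file, is only accepted by Elasticsearch 7.14 and later; on an older cluster the component-template PUT is rejected and every index template composed from it stops installing, so the Elasticsearch version pinned by this Salt state should be checked before this lands. A second effect worth stating in the commit message: text fields do not honour `ignore_above`, so an `args` value longer than 1024 characters that the `keyword` silently drops today will still be analyzed into `process.args.text` — likely the intent for long command lines, but it changes what is searchable and what the index stores. The enclosing `properties` object starts and ends outside this hunk.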
@@ -83,34 +128,69 @@ "properties": { "abi_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "class": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "data": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "entrypoint": { "type": "long" }, "object_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "os_abi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -127,22 +207,42 @@ }, "flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "physical_offset": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "physical_size": { "type": "long" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "virtual_address": { "type": "long" 
@@ -157,22 +257,42 @@ "properties": { "sections": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } }, "type": "nested" }, "shared_libraries": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "telfhash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -181,7 +301,12 @@ }, "entity_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "executable": { "fields": { @@ -199,23 +324,48 @@ "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha512": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ssdeep": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -232,7 +382,12 @@ "properties": { "args": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "args_count": { "type": "long" 
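Review bot: In the `@@ -199,23 +324,48 @@` hunk the `.text` multi-field is added to `hash.md5`, `sha1`, `sha256`, `sha512` and `ssdeep`, where it buys nothing a keyword query cannot already do: a hex digest is a single analyzer token, and an ssdeep value is split at `:` and `/` into fragments nobody will search for, while each subfield still adds to the index size of every process event. If the goal is case-insensitive digest matching (uppercase hashes from some Windows tooling), a `normalizer` on the keyword is the cheaper option; otherwise I would leave the hash, `telfhash` and `imphash` fields as they were, e.g. `"sha256": { "ignore_above": 1024, "type": "keyword" }`. The same block reappears for the `parent` copy of these fields further down the file, so whichever choice is made should be applied to both.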
@@ -241,26 +396,51 @@ "properties": { "digest_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "exists": { "type": "boolean" }, "signing_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "team_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timestamp": { "type": "date" @@ -285,15 +465,30 @@ "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "byte_order": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cpu_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "creation_date": { "type": "date" 
@@ -305,34 +500,69 @@ "properties": { "abi_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "class": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "data": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "entrypoint": { "type": "long" }, "object_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "os_abi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -349,22 +579,42 @@ }, "flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "physical_offset": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "physical_size": { "type": "long" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "virtual_address": { "type": "long" 
@@ -379,22 +629,42 @@ "properties": { "sections": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } }, "type": "nested" }, "shared_libraries": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "telfhash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -403,7 +673,12 @@ }, "entity_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "executable": { "fields": { @@ -421,23 +696,48 @@ "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha512": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ssdeep": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -454,31 +754,66 @@ "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "company": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "file_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "imphash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "original_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -501,7 +836,12 @@ }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -532,31 +872,66 @@ "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "company": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "file_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "imphash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "original_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -579,7 +954,12 @@ }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -609,4 +989,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/redis.json b/salt/elasticsearch/templates/component/ecs/redis.json index 925f55c62..52d1b2cd3 100644 --- a/salt/elasticsearch/templates/component/ecs/redis.json +++ b/salt/elasticsearch/templates/component/ecs/redis.json @@ -12,7 +12,12 @@ "properties": { "role": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -20,11 +25,21 @@ "properties": { "args": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cmd": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "duration": { "properties": { @@ -38,7 +53,12 @@ }, "key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/registry.json b/salt/elasticsearch/templates/component/ecs/registry.json index 7cfa34ad6..999f0afba 100644 --- a/salt/elasticsearch/templates/component/ecs/registry.json +++ b/salt/elasticsearch/templates/component/ecs/registry.json @@ -12,36 +12,66 @@ "properties": { "bytes": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "strings": { "type": "wildcard" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "hive": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/related.json b/salt/elasticsearch/templates/component/ecs/related.json index 1af1593c8..d20d80252 100644 --- a/salt/elasticsearch/templates/component/ecs/related.json 
+++ b/salt/elasticsearch/templates/component/ecs/related.json @@ -10,22 +10,37 @@ "properties": { "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "hosts": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ip": { "type": "ip" }, "user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/rule.json b/salt/elasticsearch/templates/component/ecs/rule.json index 400c64f6d..57c7007f7 100644 --- a/salt/elasticsearch/templates/component/ecs/rule.json +++ b/salt/elasticsearch/templates/component/ecs/rule.json 
@@ -10,47 +10,97 @@ "properties": { "author": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "license": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ruleset": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/server.json b/salt/elasticsearch/templates/component/ecs/server.json index a7587e954..2255de092 100644 --- a/salt/elasticsearch/templates/component/ecs/server.json +++ b/salt/elasticsearch/templates/component/ecs/server.json @@ -10,7 +10,12 @@ "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "as": { "properties": { 
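Review bot: `rule.id`, `rule.uuid`, `rule.version` and `rule.license` receive the same `.text` subfield as `rule.name` and `rule.description` in the `@@ -10,47 +10,97 @@` hunk, but they are opaque identifiers that analysts match exactly; the standard analyzer will split a UUID on `-` into five short tokens and a version string on `.`, which only grows the inverted index without giving a useful query. I would keep the multi-field on the free-text fields (`name`, `description`, `author`, `reference`, `category`) and restore e.g. `"uuid": { "ignore_above": 1024, "type": "keyword" }` for the identifier fields. The trailing `-} \ No newline at end of file` / `+}` pair is fine and can stay.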
@@ -37,52 +42,107 @@ }, "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "geo": { "properties": { "city_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "continent_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "continent_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "location": { "type": "geo_point" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -91,7 +151,12 @@ }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "nat": { "properties": { 
@@ -111,25 +176,50 @@ }, "registered_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "top_level_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user": { "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "full_name": { "fields": { @@ -144,25 +234,50 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "fields": { @@ -175,7 +290,12 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -184,4 +304,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/service.json b/salt/elasticsearch/templates/component/ecs/service.json index 2fbdad6d4..5dfabc475 100644 
--- a/salt/elasticsearch/templates/component/ecs/service.json +++ b/salt/elasticsearch/templates/component/ecs/service.json @@ -10,47 +10,92 @@ "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "environment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ephemeral_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "node": { "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/snyk.json b/salt/elasticsearch/templates/component/ecs/snyk.json index c0c583e5f..1b4842547 100644 --- a/salt/elasticsearch/templates/component/ecs/snyk.json +++ b/salt/elasticsearch/templates/component/ecs/snyk.json 
@@ -15,11 +15,21 @@ }, "org_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "project_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -30,7 +40,12 @@ "properties": { "projects": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -38,32 +53,62 @@ "properties": { "credit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cvss3": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "disclosure_time": { "type": "date" }, "exploit_maturity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "identifiers": { "properties": { "alternative": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cwe": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -90,22 +135,42 @@ }, "jira_issue_url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "language": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "original_severity": { "type": "long" }, "package": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "package_manager": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "patches": { "type": "flattened" @@ -118,26 +183,51 @@ }, "reachability": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "semver": { "type": "flattened" }, "title": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "unique_severities_list": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/sophos.json b/salt/elasticsearch/templates/component/ecs/sophos.json index a5606f962..a4b4882ce 100644 --- a/salt/elasticsearch/templates/component/ecs/sophos.json +++ b/salt/elasticsearch/templates/component/ecs/sophos.json 
@@ -15,11 +15,21 @@ }, "Mode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "PHPSESSID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Reports": { "type": "float" 
@@ -29,100 +39,210 @@ }, "SysLog_SERVER_NAME": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Temp": { "type": "float" }, "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "activityname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ap": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "app_is_cloud": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "appfilter_policy_id": { "type": "long" }, "application": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "application_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "application_filter_policy": { "type": "long" }, "application_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "application_risk": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "application_technology": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "appresolvedby": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "auth_client": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "auth_mechanism": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + 
"fields": { + "text": { + "type": "match_only_text" + } + } }, "av_policy_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "backup_mode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "branch_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "category_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "classification": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "client_host_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "client_physical_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "clients_conn_ssid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "collisions": { "type": "long" 
@@ -135,39 +255,84 @@ }, "connectionname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "connectiontype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "connevent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "connid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "contenttype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "context_match": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "context_prefix": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "context_suffix": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cookie": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "date": { "type": "date" 
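Review bot: `cookie` in this hunk, like `PHPSESSID` in the first sophos.json hunk and `override_token`, `querystring`, `raw_data`, `referer` and `sessionid` in the later ones, carries session credentials or full request data, and it now gets a tokenized `.text` sub-field with no length cap, whereas the parent keyword drops values above 1024 characters via `ignore_above`. Long cookie or token strings that are currently left out of the index will therefore be indexed in full as analyzed terms and become reachable through free-text match queries, which widens where credential material is persisted and how it can be found. Unless these values are redacted before ingest (not visible here), I would leave the `"fields"` block off the credential-bearing properties, or at least document the retention and access expectation for the `.text` variant.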
@@ -177,47 +342,102 @@ }, "device": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "device_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "device_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dictionary_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dir_disp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "direction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "domainname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "download_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "download_file_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dst_country_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dst_domainname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dst_ip": { "type": "ip" 
@@ -227,68 +447,138 @@ }, "dstdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dstzone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dstzonetype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "duration": { "type": "long" }, "email_subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ep_uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "eventid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "eventtime": { "type": "date" }, "eventtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "exceptions": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "execution_path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "extra": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "file_path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "file_size": { "type": "long" }, "filename": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "filepath": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "filesize": { "type": "long" @@ -298,45 +588,90 @@ }, "from_email_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ftp_direction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ftp_url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ftpcommand": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fw_rule_id": { "type": "long" }, "hb_health": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "httpresponsecode": { "type": "long" }, "iap": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "icmp_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "icmp_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "idle_cpu": { "type": "float" 
@@ -346,125 +681,270 @@ }, "idp_policy_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "in_interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ipaddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ips_policy_id": { "type": "long" }, "localgateway": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "localnetwork": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "log_component": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "log_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "log_subtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "log_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "login_user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mailid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mailsize": { "type": "long" }, "message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "message_id": { "ignore_above": 
1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "newversion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "oldversion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "out_interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "override_authorizer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "override_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "override_token": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "platform": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "policy_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "priority": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "quarantine": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "quarantine_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "querystring": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } 
+ } }, "raw_data": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "received_pkts": { "type": "long" @@ -474,7 +954,12 @@ }, "receivederrors": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "receivedkbits": { "type": "long" @@ -484,25 +969,45 @@ }, "red_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "referer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "remote_ip": { "type": "ip" }, "remotenetwork": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "responsetime": { "type": "long" }, "rule_priority": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sent_bytes": { "type": "long" 
@@ -512,72 +1017,147 @@ }, "server": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sessionid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha1sum": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "signature_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "signature_msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "site_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "source": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sourceip": { "type": "ip" }, "spamaction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sqli": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "src_country_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "src_domainname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "src_ip": { "type": "ip" }, "src_mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "src_port": { "type": "long" }, "srczone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "srczonetype": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ssid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "start_time": { "type": "date" @@ -587,37 +1167,72 @@ }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "system_cpu": { "type": "float" }, "target": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "threatname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timestamp": { "type": "date" }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "to_email_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "total_memory": { "type": "long" 
@@ -636,81 +1251,156 @@ }, "transaction_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "transactionid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "transmitteddrops": { "type": "long" }, "transmittederrors": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "transmittedkbits": { "type": "long" }, "unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "updatedip": { "type": "ip" }, "upload_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "upload_file_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "used": { "type": "long" }, "user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user_cpu": { "type": "float" }, "user_gp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user_group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "users": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vconn_id": { "type": "long" }, "virus": { "ignore_above": 1024, - "type": 
"keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "website": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "xss": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/source.json b/salt/elasticsearch/templates/component/ecs/source.json index 9408e0133..b2713b9b7 100644 --- a/salt/elasticsearch/templates/component/ecs/source.json +++ b/salt/elasticsearch/templates/component/ecs/source.json @@ -10,7 +10,12 @@ "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "as": { "properties": { 
@@ -37,52 +42,107 @@ }, "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "geo": { "properties": { "city_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "continent_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "continent_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "location": { "type": "geo_point" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -91,7 +151,12 @@ }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "nat": { "properties": { 
@@ -111,25 +176,50 @@ }, "registered_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "top_level_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user": { "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "full_name": { "fields": { @@ -144,25 +234,50 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "fields": { @@ -175,7 +290,12 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -184,4 +304,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/suricata.json b/salt/elasticsearch/templates/component/ecs/suricata.json index d824294e9..6c56d13eb 100644 
--- a/salt/elasticsearch/templates/component/ecs/suricata.json +++ b/salt/elasticsearch/templates/component/ecs/suricata.json 
@@ -14,118 +14,243 @@ "properties": { "affected_product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "attack_target": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "capec_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "classtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "created_at": { "type": "date" }, "cve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cvss_v2_base": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cvss_v2_temporal": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cvss_v3_base": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cvss_v3_temporal": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cwe_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "deployment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "former_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "gid": { "type": "long" }, "hostile": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "infected": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "malware": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "metadata": { "type": "flattened" }, "mitre_tool_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "performance_impact": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "priority": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "protocols": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rev": { "type": "long" }, "rule_source": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "signature": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "signature_id": { "type": "long" }, "signature_severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tag": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "updated_at": { "type": "date" 
@@ -134,19 +259,39 @@ }, "app_proto_expected": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "app_proto_orig": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "app_proto_tc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "app_proto_ts": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dns": { "properties": { @@ -155,19 +300,39 @@ }, "rcode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rdata": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rrname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rrtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ttl": { "type": "long" @@ -177,7 +342,12 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -185,13 +355,23 @@ "properties": { "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "event_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fileinfo": { "properties": { 
@@ -200,19 +380,39 @@ }, "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "stored": { "type": "boolean" @@ -232,31 +432,61 @@ }, "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "flow_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "http": { "properties": { "http_content_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "redirect": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -268,7 +498,12 @@ }, "in_iface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "pcap_cnt": { "type": "long" 
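Review bot: The `.text` multi-field added to `fileinfo.md5`, `fileinfo.sha1`, `fileinfo.sha256` and `flow_id` in this hunk buys nothing: a hash digest or a numeric flow id is a single opaque token, so the analyzed copy can only ever match what the keyword field already matches exactly, while doubling the indexed terms for some of the highest-cardinality fields in the template. I would leave those four as plain `"type": "keyword"` and keep the text subfield for free-form values such as `http.redirect`. If the blanket change is deliberate (for example to make `query_string` searches behave uniformly), a sentence in the commit message saying so would spare the next reader from wondering why hashes are being analyzed.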
@@ -277,15 +512,30 @@ "properties": { "helo": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mail_from": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rcpt_to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -295,11 +545,21 @@ "properties": { "proto_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "software_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -307,11 +567,21 @@ "properties": { "proto_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "software_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -757,22 +1027,42 @@ }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "syn": { "type": "boolean" }, "tcp_flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tcp_flags_tc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tcp_flags_ts": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -780,21 +1070,41 @@ "properties": { "fingerprint": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "issuerdn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ja3": { "properties": { "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "string": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -802,11 +1112,21 @@ "properties": { "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "string": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -818,22 +1138,42 @@ }, "serial": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "session_resumed": { "type": "boolean" }, "sni": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, diff --git a/salt/elasticsearch/templates/component/ecs/syslog.json b/salt/elasticsearch/templates/component/ecs/syslog.json index c886589e9..c4f78bab8 100644 --- a/salt/elasticsearch/templates/component/ecs/syslog.json +++ b/salt/elasticsearch/templates/component/ecs/syslog.json 
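Review bot: `tls.fingerprint`, `tls.ja3.hash`, `tls.serial` and the `hash`/`string` pair in the `@@ -802` hunk (its parent key is outside the hunk, presumably `ja3s`) are digests or colon-separated hex, and the standard analyzer behind `match_only_text` may split colon-delimited hex into short fragments, so a `match` query on the `.text` subfield can return certificates that merely share a few bytes with the searched fingerprint rather than the exact one. For those fields the analyzed copy is misleading as well as redundant. I would keep them keyword-only and add `.text` only to `issuerdn`, `subject` and `sni`, which are the free-form values an analyst actually searches by substring.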
@@ -13,14 +13,24 @@ }, "facility_label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "priority": { "type": "long" }, "severity_label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/threat.json b/salt/elasticsearch/templates/component/ecs/threat.json index 4bed345e1..924981a54 100644 --- a/salt/elasticsearch/templates/component/ecs/threat.json +++ b/salt/elasticsearch/templates/component/ecs/threat.json @@ -34,17 +34,32 @@ }, "confidence": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email": { "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
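Review bot: `match_only_text` is, as far as I recall, only available from Elasticsearch 7.14 onward, so this component template will be rejected on an older cluster; the commit does not state which version the deployment pins, and that constraint belongs in the commit message or in a comment in the state that installs the template. Separately, `facility_label` and `severity_label` presumably hold a small fixed vocabulary that the keyword field already serves exactly, so an analyzed subfield on them is index overhead with no query benefit; I would leave these two as `"type": "keyword"`.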
@@ -55,32 +70,62 @@ }, "attributes": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "code_signature": { "properties": { "digest_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "exists": { "type": "boolean" }, "signing_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "team_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timestamp": { "type": "date" @@ -101,29 +146,59 @@ }, "device": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "directory": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "drive_letter": { "ignore_above": 1, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "elf": { "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "byte_order": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cpu_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "creation_date": { "type": "date" 
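Review bot: `ignore_above` only constrains the keyword mapping, so the new `.text` subfield has no length bound: `drive_letter` keeps `"ignore_above": 1` on the keyword side while its `text` subfield will analyze and index a value of any length, and every field capped at 1024 will now still index oversize values through the subfield. That quietly weakens a guard that exists precisely to keep malformed or hostile input from bloating the index, and it makes `drive_letter.text` searchable for values the keyword field rejects. If the caps are intentional, drop the `fields` block on `drive_letter` (`"drive_letter": { "ignore_above": 1, "type": "keyword" }`) and state in the commit that `.text` is deliberately unbounded elsewhere; otherwise restrict the subfield to fields where free-text search is actually wanted.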
@@ -135,34 +210,69 @@ "properties": { "abi_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "class": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "data": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "entrypoint": { "type": "long" }, "object_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "os_abi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -179,22 +289,42 @@ }, "flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "physical_offset": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "physical_size": { "type": "long" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "virtual_address": { "type": "long" 
@@ -209,87 +339,177 @@ "properties": { "sections": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } }, "type": "nested" }, "shared_libraries": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "telfhash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "extension": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fork_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "gid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "hash": { "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha512": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ssdeep": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "inode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + 
"fields": { + "text": { + "type": "match_only_text" + } + } }, "mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mtime": { "type": "date" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "owner": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "path": { "fields": { @@ -304,31 +524,66 @@ "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "company": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "file_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "imphash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "original_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -346,47 +601,97 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "x509": { "properties": { "alternative_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -398,11 +703,21 @@ }, "public_key_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "public_key_curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "public_key_exponent": { "doc_values": false, 
@@ -414,47 +729,97 @@ }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "version_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } 
@@ -467,46 +832,96 @@ "properties": { "city_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "continent_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "continent_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "location": { "type": "geo_point" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -520,7 +935,12 @@ "properties": { "tlp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -532,11 +952,21 @@ }, "provider": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "registry": { "properties": { @@ -544,32 +974,62 @@ "properties": { "bytes": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "strings": { "type": "wildcard" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "hive": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -581,21 +1041,41 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "url": { "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "extension": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fragment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "full": { "fields": { 
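Review bot: The new `fields` block is appended after `type`, whereas the pre-existing multi-field on `url.full` at the end of this hunk (`"full": { "fields": {`) leads with `fields` ahead of `ignore_above`/`type`, consistent with the template's otherwise alphabetical key order; mixing the two shapes makes the next regeneration or review diff noisier than it needs to be. I would emit the block in the existing shape, `"fields": { "text": { "type": "match_only_text" } }, "ignore_above": 1024, "type": "keyword"`. Also, `registry.data.bytes` in the `@@ -544` hunk looks like raw binary content, for which an analyzed copy is unlikely to ever be queried.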
@@ -615,7 +1095,12 @@ }, "password": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "path": { "type": "wildcard" @@ -625,27 +1110,57 @@ }, "query": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "registered_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "scheme": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "top_level_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
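Review bot: `url.password` in the `@@ -615` hunk now gets an analyzed `.text` copy of credential material on top of the keyword value, adding a second searchable representation of a secret with no plausible query benefit — nobody full-text searches a password. The removed side shows the field was keyword-only before, and a more defensive choice for a security-monitoring index is to exclude it from the blanket change, or go further and set `"index": false` on it if the value is retained only for display. At minimum I would drop the `fields` block from this one entry, `"password": { "ignore_above": 1024, "type": "keyword" }`.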
@@ -653,37 +1168,77 @@ "properties": { "alternative_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -695,11 +1250,21 @@ }, "public_key_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "public_key_curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "public_key_exponent": { "doc_values": false, 
@@ -711,47 +1276,97 @@ }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "version_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } 
@@ -762,23 +1377,48 @@ "properties": { "atomic": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "field": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "index": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -787,25 +1427,50 @@ }, "framework": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "group": { "properties": { "alias": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -833,17 +1498,32 @@ }, "confidence": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email": { "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -854,32 +1534,62 @@ }, "attributes": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "code_signature": { "properties": { "digest_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "exists": { "type": "boolean" }, "signing_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "team_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timestamp": { "type": "date" @@ -900,29 +1610,59 @@ }, "device": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "directory": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "drive_letter": { "ignore_above": 1, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "elf": { "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "byte_order": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cpu_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "creation_date": { "type": "date" 
@@ -934,34 +1674,69 @@ "properties": { "abi_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "class": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "data": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "entrypoint": { "type": "long" }, "object_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "os_abi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -978,22 +1753,42 @@ }, "flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "physical_offset": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "physical_size": { "type": "long" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "virtual_address": { "type": "long" 
@@ -1008,87 +1803,177 @@ "properties": { "sections": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } }, "type": "nested" }, "shared_libraries": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "telfhash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "extension": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fork_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "gid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "hash": { "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha512": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ssdeep": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "inode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", 
+ "fields": { + "text": { + "type": "match_only_text" + } + } }, "mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mtime": { "type": "date" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "owner": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "path": { "fields": { @@ -1103,31 +1988,66 @@ "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "company": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "file_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "imphash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "original_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
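Review bot: The `hash` block in the first hunk (`md5`, `sha1`, `sha256`, `sha512`, `ssdeep`) and `telfhash`, plus `imphash` in the second hunk, now carry a `match_only_text` multi-field, but these values are opaque digests: the analyzer yields either a single token equal to the lowercased keyword or, for `ssdeep`, fragments split on `:` and `/` that are not meaningful units for matching, so the subfield only adds index size. I would leave these as plain keyword (`"md5": { "ignore_above": 1024, "type": "keyword" }` and likewise for the others) and apply the `text` subfield only where free-text matching is plausible. The same applies to `tls.client.hash.*`/`ja3` and `tls.server.hash.*`/`ja3s` in the tls.json hunks further down. The enclosing `file`/`elf` object starts before this hunk.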
@@ -1145,47 +2065,97 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "x509": { "properties": { "alternative_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -1197,11 +2167,21 @@ }, "public_key_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "public_key_curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "public_key_exponent": { "doc_values": false, 
@@ -1213,47 +2193,97 @@ }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "version_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } 
@@ -1266,46 +2296,96 @@ "properties": { "city_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "continent_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "continent_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "location": { "type": "geo_point" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "region_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -1319,7 +2399,12 @@ "properties": { "tlp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -1331,11 +2416,21 @@ }, "provider": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "registry": { "properties": { @@ -1343,32 +2438,62 @@ "properties": { "bytes": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "strings": { "type": "wildcard" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "hive": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -1380,21 +2505,41 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "url": { "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "extension": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fragment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "full": { "fields": { 
@@ -1414,7 +2559,12 @@ }, "password": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "path": { "type": "wildcard" @@ -1424,27 +2574,57 @@ }, "query": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "registered_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "scheme": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "top_level_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
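Review bot: `password` in the first hunk here (inside the `threat.indicator.url` object, whose start is outside the hunk) now gets an analyzed `text` multi-field in addition to its keyword. This field holds a credential extracted from a URL; giving it a second indexed representation widens where that secret can be searched and surfaced in Kibana, with no realistic need for partial-word matching on it. I would exempt it from the blanket change and keep `"password": { "ignore_above": 1024, "type": "keyword" }`, and do the same for the `password` property in url.json later in this patch.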
@@ -1452,37 +2632,77 @@ "properties": { "alternative_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -1494,11 +2714,21 @@ }, "public_key_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "public_key_curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "public_key_exponent": { "doc_values": false, 
@@ -1510,47 +2740,97 @@ }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "version_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } 
@@ -1560,27 +2840,57 @@ "properties": { "alias": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "platforms": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -1588,15 +2898,30 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -1604,7 +2929,12 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "fields": { @@ -1617,13 +2947,23 @@ }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subtechnique": { "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "fields": { 
@@ -1636,7 +2976,12 @@ }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -1647,4 +2992,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/tls.json b/salt/elasticsearch/templates/component/ecs/tls.json index 413f217ad..23d31be30 100644 --- a/salt/elasticsearch/templates/component/ecs/tls.json +++ b/salt/elasticsearch/templates/component/ecs/tls.json @@ -10,41 +10,81 @@ "properties": { "cipher": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "client": { "properties": { "certificate": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "certificate_chain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "hash": { "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "issuer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ja3": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "not_after": { "type": "date" 
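Review bot: In the tls.json hunk, `certificate` and `certificate_chain` under `client` gain a `text` subfield, but `ignore_above: 1024` is a keyword-only parameter and does not carry over to the multi-field. PEM/base64 certificate blobs are routinely longer than 1024 characters, so values the keyword deliberately skips will now be fully analysed and indexed through `fields.text`, growing the index and making the `ignore_above` guard ineffective for these two properties. Suggest leaving them as `"certificate": { "ignore_above": 1024, "type": "keyword" }` (likewise `certificate_chain`), and the same for the `server` block in the later hunk of this file.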
@@ -54,51 +94,106 @@ }, "server_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "supported_ciphers": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "x509": { "properties": { "alternative_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -110,11 +205,21 @@ }, "public_key_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "public_key_curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "public_key_exponent": { "doc_values": false, @@ -126,47 +231,97 @@ }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "version_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } 
@@ -174,14 +329,24 @@ }, "curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "established": { "type": "boolean" }, "next_protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "resumed": { "type": "boolean" @@ -190,35 +355,70 @@ "properties": { "certificate": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "certificate_chain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "hash": { "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "issuer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ja3s": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "not_after": { "type": "date" 
@@ -228,43 +428,88 @@ }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "x509": { "properties": { "alternative_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -276,11 +521,21 @@ }, "public_key_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "public_key_curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "public_key_exponent": { "doc_values": false, 
@@ -292,47 +547,97 @@ }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "version_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -340,15 +645,25 @@ }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version_protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} 
diff --git a/salt/elasticsearch/templates/component/ecs/tracing.json b/salt/elasticsearch/templates/component/ecs/tracing.json index 7db45e4a2..2dce6b804 100644 --- a/salt/elasticsearch/templates/component/ecs/tracing.json +++ b/salt/elasticsearch/templates/component/ecs/tracing.json @@ -10,7 +10,12 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -18,7 +23,12 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -26,11 +36,16 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/url.json b/salt/elasticsearch/templates/component/ecs/url.json index efdaed1fb..4bb114c31 100644 --- a/salt/elasticsearch/templates/component/ecs/url.json +++ b/salt/elasticsearch/templates/component/ecs/url.json @@ -10,15 +10,30 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "extension": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fragment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "full": { "fields": { @@ -38,7 +53,12 @@ }, "password": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "path": { "type": "wildcard" 
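Review bot: In the url.json hunk, the new `fields` object is appended after `type`, while the file's own pre-existing multi-field definitions (`full` at the end of the first url.json hunk, and `path`/`name` elsewhere in this patch) place `fields` before `ignore_above`/`type`. Elasticsearch does not care about key order, but the two orderings side by side make future diffs against regenerated ECS templates noisier; if these files are produced from the ECS schema, the hand-applied edits would also be lost at the next regeneration, so the change would belong in the generator or in an overlay template instead. This applies to every hunk in the patch, not just this one.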
@@ -48,31 +68,61 @@ }, "query": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "registered_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "scheme": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "top_level_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/user.json b/salt/elasticsearch/templates/component/ecs/user.json index 1ad4bac67..6f3215c0b 100644 --- a/salt/elasticsearch/templates/component/ecs/user.json +++ b/salt/elasticsearch/templates/component/ecs/user.json @@ -12,11 +12,21 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "full_name": { "fields": { 
@@ -31,25 +41,50 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "fields": { @@ -62,23 +97,43 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "effective": { "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "full_name": { "fields": { 
@@ -93,25 +148,50 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "fields": { @@ -124,13 +204,23 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "full_name": { "fields": { @@ -145,25 +235,50 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "fields": { 
@@ -176,17 +291,32 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "target": { "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "full_name": { "fields": { @@ -201,25 +331,50 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "fields": { @@ -232,7 +387,12 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -241,4 +401,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/user_agent.json b/salt/elasticsearch/templates/component/ecs/user_agent.json index 9a0517e6d..26885d0a9 100644 --- a/salt/elasticsearch/templates/component/ecs/user_agent.json +++ b/salt/elasticsearch/templates/component/ecs/user_agent.json 
@@ -12,13 +12,23 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "original": { "fields": { @@ -33,7 +43,12 @@ "properties": { "family": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "full": { "fields": { @@ -46,7 +61,12 @@ }, "kernel": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "fields": { @@ -59,25 +79,45 @@ }, "platform": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/vulnerability.json b/salt/elasticsearch/templates/component/ecs/vulnerability.json index d7d8db4d6..b10870f84 100644 --- a/salt/elasticsearch/templates/component/ecs/vulnerability.json +++ b/salt/elasticsearch/templates/component/ecs/vulnerability.json 
@@ -10,11 +10,21 @@ "properties": { "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "classification": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "description": { "fields": { @@ -27,25 +37,50 @@ }, "enumeration": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "report_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "scanner": { "properties": { "vendor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -62,17 +97,27 @@ }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/winlog.json b/salt/elasticsearch/templates/component/ecs/winlog.json index a724eefb1..6802a2176 100644 --- a/salt/elasticsearch/templates/component/ecs/winlog.json +++ b/salt/elasticsearch/templates/component/ecs/winlog.json @@ -9,7 +9,12 @@ { "winlog.event_data": { "mapping": { - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "match_mapping_type": "string", "path_match": "winlog.event_data.*" 
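Review bot: The `winlog.event_data` dynamic template mapping gains the text subfield but still has no `ignore_above`, unlike every explicit property in this patch, so any string under `winlog.event_data.*` that is not listed explicitly is indexed as an unbounded keyword term; a value past Lucene's per-term size limit makes Elasticsearch reject the whole document, and oversized event_data values (script block text, long command lines) are exactly what Windows logs produce. I would add `"ignore_above": 1024,` inside that `mapping` object so the dynamic and explicit mappings agree and a long value is dropped from the keyword index rather than losing the event; the `winlog.user_data` template in the next hunk has the same gap. The enclosing `dynamic_templates` array begins before this hunk.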
@@ -18,7 +23,12 @@ { "winlog.user_data": { "mapping": { - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "match_mapping_type": "string", "path_match": "winlog.user_data.*" 
@@ -30,475 +40,1060 @@ "properties": { "activity_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "api": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "channel": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "computer_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "event_data": { "properties": { "AuthenticationPackageName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Binary": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "BitlockerUserInputTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "BootMode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "BootType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "BuildVersion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Company": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "CorruptionActionState": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "CreationUtcTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Description": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Detail": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "DeviceName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "DeviceNameLength": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "DeviceTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "DeviceVersionMajor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "DeviceVersionMinor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "DriveName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "DriverName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "DriverNameLength": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "DwordVal": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "EntryCount": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ExtraInfo": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "FailureName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": 
"match_only_text" + } + } }, "FailureNameLength": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "FileVersion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "FinalStatus": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "IdleImplementation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "IdleStateCount": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ImpersonationLevel": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "IntegrityLevel": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "IpAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "IpPort": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "KeyLength": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "LastBootGood": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "LastShutdownGood": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "LmPackageName": { "ignore_above": 1024, - "type": "keyword" + 
"type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "LogonGuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "LogonId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "LogonProcessName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "LogonType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "MajorVersion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "MaximumPerformancePercent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "MemberName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "MemberSid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "MinimumPerformancePercent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "MinimumThrottlePercent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "MinorVersion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "NewProcessId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "NewProcessName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + 
} + } }, "NewSchemeGuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "NewTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "NominalFrequency": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "OldSchemeGuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "OldTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "OriginalFileName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "PerformanceImplementation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "PreviousCreationUtcTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "PreviousTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "PrivilegeList": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ProcessId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ProcessName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + 
"fields": { + "text": { + "type": "match_only_text" + } + } }, "ProcessPath": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ProcessPid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "PuaCount": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "PuaPolicyId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "QfeVersion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "SchemaVersion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ScriptBlockText": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ServiceName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ServiceVersion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ShutdownActionType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ShutdownEventCode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ShutdownReason": { "ignore_above": 1024, - 
"type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Signature": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "SignatureStatus": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Signed": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "StartTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "State": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "StopTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "SubjectDomainName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "SubjectLogonId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "SubjectUserName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "SubjectUserSid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "TSId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "TargetDomainName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "TargetInfo": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "TargetLogonGuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "TargetLogonId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "TargetServerName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "TargetUserName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "TargetUserSid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "TerminalSessionId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "TokenElevationType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "TransmittedServices": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "UserSid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "Workstation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "param1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "param2": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + 
"type": "match_only_text" + } + } }, "param3": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "param4": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "param5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "param6": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "param7": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "param8": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "event_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "keywords": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "logon": { "properties": { 
@@ -506,31 +1101,61 @@ "properties": { "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sub_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "opcode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "process": { "properties": { @@ -548,23 +1173,48 @@ }, "provider_guid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "provider_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "record_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "related_activity_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "task": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "time_created": { "type": "date" 
@@ -573,19 +1223,39 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "identifier": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, diff --git a/salt/elasticsearch/templates/component/ecs/zeek.json b/salt/elasticsearch/templates/component/ecs/zeek.json index 720199001..d9dd7aa32 100644 --- a/salt/elasticsearch/templates/component/ecs/zeek.json +++ b/salt/elasticsearch/templates/component/ecs/zeek.json @@ -18,7 +18,12 @@ }, "peer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "percent_lost": { "type": "double" @@ -32,7 +37,12 @@ "properties": { "history": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "icmp": { "properties": { @@ -58,11 +68,21 @@ }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state_message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "vlan": { "type": "long" 
@@ -73,15 +93,30 @@ "properties": { "endpoint": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "named_pipe": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "operation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rtt": { "type": "long" @@ -100,7 +135,12 @@ }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "requested": { "type": "ip" @@ -112,32 +152,62 @@ }, "client_fqdn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "duration": { "type": "double" }, "hostname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "id": { "properties": { "circuit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "remote_agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subscriber": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -148,18 +218,33 @@ "properties": { "client": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "origin": { "type": "ip" }, "server": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "types": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -167,11 +252,21 @@ "properties": { "client": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "server": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -183,11 +278,21 @@ "properties": { "reply": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "request": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -215,32 +320,57 @@ }, "answers": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "qclass": { "type": "long" }, "qclass_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "qtype": { "type": "long" }, "qtype_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "query": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rcode": { "type": "long" }, "rcode_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rejected": { "type": "boolean" 
@@ -262,7 +392,12 @@ }, "trans_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -270,15 +405,30 @@ "properties": { "analyzer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "failure_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "packet_segment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -286,7 +436,12 @@ "properties": { "analyzers": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "depth": { "type": "long" @@ -299,7 +454,12 @@ }, "extracted": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "extracted_cutoff": { "type": "boolean" @@ -309,11 +469,21 @@ }, "filename": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "is_orig": { "type": "boolean" @@ -323,11 +493,21 @@ }, "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "missing_bytes": { "type": "long" @@ -337,7 +517,12 @@ }, "parent_fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rx_host": { "type": "ip" 
@@ -347,19 +532,39 @@ }, "session_ids": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "source": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "timedout": { "type": "boolean" @@ -376,7 +581,12 @@ "properties": { "arg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "capture_password": { "type": "boolean" @@ -385,11 +595,21 @@ "properties": { "arg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cmd": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "seq": { "type": "long" @@ -398,11 +618,21 @@ }, "command": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cwd": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "data_channel": { "properties": { @@ -424,11 +654,21 @@ "properties": { "fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "size": { "type": "long" 
@@ -437,14 +677,24 @@ }, "last_auth_requested": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "passive": { "type": "boolean" }, "password": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "pending_commands": { "type": "long" @@ -456,13 +706,23 @@ }, "msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
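Review bot: The `password` field in this hunk, and the `password` fields at L307 (the HTTP section) and L324 (the SOCKS section), now receive a tokenized `match_only_text` sub-field on top of the existing keyword, which makes captured plaintext credentials matchable by individual token from a free-text search rather than only by exact value. If these fields must be kept at all, leaving them as the bare keyword (or marking the sub-field `"index": false`) keeps this change from widening the searchability of credentials; `cookie` at L316 and `host_key` at L324–L325 deserve the same consideration to a lesser degree. The enclosing `properties` object for this section starts before the hunk.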
@@ -473,67 +733,132 @@ }, "client_header_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "info_code": { "type": "long" }, "info_msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "orig_filenames": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "orig_fuids": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "orig_mime_depth": { "type": "long" }, "orig_mime_types": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "password": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "proxied": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "range_request": { "type": "boolean" }, "resp_filenames": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "resp_fuids": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "resp_mime_depth": { "type": "long" }, "resp_mime_types": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "server_header_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status_msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tags": { "ignore_above": 1024, - "type": "keyword" + "type": 
"keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "trans_depth": { "type": "long" 
@@ -544,62 +869,127 @@ "properties": { "file_desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "file_mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "matched": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "seen": { "properties": { "conn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "f": { "type": "object" }, "fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "indicator": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "indicator_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "node": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "where": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "sources": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -607,11 +997,21 @@ "properties": { "addl": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "command": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dcc": { "properties": { @@ -619,7 +1019,12 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "size": { "type": "long" @@ -628,25 +1033,50 @@ }, "mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "nick": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -658,15 +1088,30 @@ "properties": { "fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -674,15 +1119,30 @@ "properties": { "fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -690,11 +1150,21 @@ }, "cipher": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "client": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "error": { "properties": { @@ -703,7 +1173,12 @@ }, "msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -715,11 +1190,21 @@ }, "request_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "service": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "success": { "type": "boolean" @@ -728,11 +1213,21 @@ "properties": { "auth": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "new": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -755,11 +1250,21 @@ "properties": { "exception": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "function": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "track_address": { "type": "long" 
@@ -770,15 +1275,30 @@ "properties": { "arg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cmd": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "response": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "rows": { "type": "long" @@ -792,11 +1312,21 @@ "properties": { "actions": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "connection_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "dropped": { "type": "boolean" @@ -807,7 +1337,12 @@ }, "email_delay_tokens": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "false": { "type": "long" @@ -823,14 +1358,24 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "is_orig": { "type": "boolean" }, "mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "missing_bytes": { "type": "long" 
@@ -840,36 +1385,71 @@ }, "parent_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "seen_bytes": { "type": "long" }, "source": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "icmp_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "identifier": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "note": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "peer_descr": { "norms": false, @@ -877,11 +1457,21 @@ }, "peer_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sub": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "suppress_for": { "type": "double" @@ -892,11 +1482,21 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "hostname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "server": { "properties": { 
@@ -904,15 +1504,30 @@ "properties": { "dns": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "netbios": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tree": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -923,7 +1538,12 @@ }, "username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -949,7 +1569,12 @@ }, "ref_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ref_time": { "type": "date" @@ -975,23 +1600,43 @@ "properties": { "file_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "hash": { "properties": { "algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "issuer": { "properties": { "key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -1001,7 +1646,12 @@ "properties": { "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "time": { "type": "date" 
@@ -1010,11 +1660,21 @@ }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "update": { "properties": { @@ -1032,7 +1692,12 @@ "properties": { "client": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "compile_time": { "type": "date" @@ -1051,7 +1716,12 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "is_64bit": { "type": "boolean" @@ -1061,19 +1731,39 @@ }, "machine": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "os": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "section_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subsystem": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "uses_aslr": { "type": "boolean" @@ -1093,7 +1783,12 @@ "properties": { "connect_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "framed_addr": { "type": "ip" 
@@ -1103,25 +1798,45 @@ }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "remote_ip": { "type": "ip" }, "reply_msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "result": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ttl": { "type": "long" }, "username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -1137,7 +1852,12 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -1145,27 +1865,52 @@ "properties": { "build": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "client_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "product_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "cookie": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "desktop": { "properties": { "color_depth": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "height": { "type": "long" 
@@ -1182,25 +1927,50 @@ "properties": { "level": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "keyboard_layout": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "result": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "security_protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ssl": { "type": "boolean" @@ -1213,7 +1983,12 @@ "properties": { "method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "success": { "type": "boolean" @@ -1222,7 +1997,12 @@ }, "desktop_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "height": { "type": "long" @@ -1236,11 +2016,21 @@ "properties": { "major": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "minor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -1248,11 +2038,21 @@ "properties": { "major": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "minor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } 
@@ -1265,31 +2065,56 @@ }, "session_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "signature": { "properties": { "event_msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "host_count": { "type": "long" }, "note": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sig_count": { "type": "long" }, "sig_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sub_msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -1297,19 +2122,39 @@ "properties": { "call_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "content_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "date": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reply_to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "request": { "properties": { @@ -1318,15 +2163,30 @@ }, "from": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -1337,15 +2197,30 @@ }, "from": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -1353,11 +2228,21 @@ "properties": { "method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -1368,28 +2253,53 @@ }, "msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "transaction_depth": { "type": "long" }, "uri": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user_agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "warning": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -1397,17 +2307,32 @@ "properties": { "argument": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "command": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "file": { "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "host": { "properties": { @@ -1421,11 +2346,21 @@ }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -1434,34 +2369,69 @@ }, "smb1_offered_dialects": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "smb2_offered_dialects": { "type": "long" }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "sub_command": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tree": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tree_service": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -1469,22 +2439,42 @@ "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fid": { "type": "long" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "previous_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "size": { "type": "long" @@ -1507,7 +2497,12 @@ }, "uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -1515,19 +2510,39 @@ "properties": { "native_file_system": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "service": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "share_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -1535,48 +2550,93 @@ "properties": { "cc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "date": { "type": "date" }, "first_received": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "from": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "fuids": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "has_client_activity": { "type": "boolean" }, "helo": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "in_reply_to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "is_webmail": { "type": "boolean" }, "last_reply": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mail_from": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "msg_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "path": { "type": "ip" 
@@ -1586,37 +2646,72 @@ }, "rcpt_to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reply_to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "second_received": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "tls": { "type": "boolean" }, "to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "transaction_depth": { "type": "long" }, "user_agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "x_originating_ip": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -1624,11 +2719,21 @@ "properties": { "community": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "display_string": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "duration": { "type": "double" @@ -1658,7 +2763,12 @@ }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -1668,7 +2778,12 @@ "properties": { "host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "port": { "type": "long" 
@@ -1680,13 +2795,23 @@ }, "password": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "request": { "properties": { "host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "port": { "type": "long" @@ -1695,11 +2820,21 @@ }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "type": "long" @@ -1712,23 +2847,48 @@ "properties": { "cipher": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "compression": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "host_key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "key_exchange": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -1744,19 +2904,39 @@ }, "client": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "direction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "host_key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "server": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "version": { "type": "long" 
@@ -1767,43 +2947,88 @@ "properties": { "cipher": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "client": { "properties": { "cert_chain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cert_chain_fuids": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -1811,27 +3036,57 @@ "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -1839,18 +3094,33 @@ }, "curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "established": { "type": "boolean" }, "last_alert": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "next_protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "resumed": { "type": "boolean" 
@@ -1859,69 +3129,144 @@ "properties": { "cert_chain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "cert_chain_fuids": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } @@ -1931,17 +3276,32 @@ "properties": { "code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -2036,7 +3396,12 @@ }, "peer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "reassembly_size": { "properties": { @@ -2073,15 +3438,30 @@ "properties": { "facility": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -2089,11 +3469,21 @@ "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -2101,22 +3491,42 @@ "properties": { "additional_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "identifier": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "notice": { "type": "boolean" }, "peer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -2136,41 +3546,86 @@ "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "exponent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, 
@@ -2178,50 +3633,100 @@ "properties": { "algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "length": { "type": "long" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, "serial": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } }, @@ -2242,7 +3747,12 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "log_cert": { "type": "boolean" 
@@ -2251,11 +3761,21 @@ "properties": { "dns": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } }, "ip": { "type": "ip" @@ -2265,7 +3785,12 @@ }, "uri": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } } } } diff --git a/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json b/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json index 7ae4ae86c..2b9e4978a 100644 --- a/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json +++ b/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json 
@@ -1,56 +1,55 @@ { - "template": { - "mappings": { - "dynamic_templates": [ - { - "ip_address": { - "path_match": "*.ip", - "mapping": { - "type": "ip", - "fields": { - "keyword": { - "ignore_above": 45, - "type": "keyword" - } - } - }, - "match_mapping_type": "string" - } - }, - { - "port": { - "path_match": "*.port", - "path_unmatch": "*.data.port", - "mapping": { - "type": "integer", - "fields": { - "keyword": { - "ignore_above": 6, - "type": "keyword" - } - } - } - } - }, - { - "strings": { - "mapping": { - "type": "text", - "fields": { - "security": { - "analyzer": "es_security_analyzer", - "type": "text" - }, - "keyword": { - "ignore_above": 32765, - "type": "keyword" - } - } - }, - "match_mapping_type": "string" + "template": { + "mappings": { + "dynamic_templates": [ + { + "ip_address": { + "path_match": "*.ip", + "mapping": { + "type": "ip", + "fields": { + "keyword": { + "ignore_above": 45, + "type": "keyword" } } - ] + }, + "match_mapping_type": "string" + } + }, + { + "port": { + "path_match": "*.port", + "path_unmatch": "*.data.port", + "mapping": { + "type": "integer", + "fields": { + "keyword": { + "ignore_above": 6, + "type": "keyword" + } + } + } + } + }, + { + "strings": { + "mapping": { + "type": "text", + "fields": { + "text": { + "type": "match_only_text" + }, + "keyword": { + "ignore_above": 32765, + "type": "keyword" + } + } + }, + "match_mapping_type": "string" } } + ] + } + } } From 1392fc37e8280d2649691d74269df7894d0d29e7 Mon Sep 17 00:00:00 2001 From: doug Date: Tue, 22 Feb 2022 17:00:52 -0500 Subject: [PATCH 03/15] FIX: curator should exclude so-case* indices #7270 --- .../files/bin/so-curator-closed-delete-delete | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete index eb38c73dc..b872a7aeb 100755 --- a/salt/curator/files/bin/so-curator-closed-delete-delete 
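Review bot: the `strings` dynamic template maps the field itself as `"type": "text"`, so the added `text` subfield of `match_only_text` indexes the same string for free-text search a second time under `<field>.text`; either drop the subfield here or change the parent to `match_only_text` (or `keyword`) so the two are not duplicating work. The `security` subfield with `"analyzer": "es_security_analyzer"` is removed in the same hunk, which breaks any saved search or visualization that queries `<field>.security`; if that is deliberate it should be named as a breaking change in the commit message, which is not visible in this chunk. Re-indenting the whole file in the same hunk hides the one functional change; a formatting-only commit first would have made this reviewable.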
+++ b/salt/curator/files/bin/so-curator-closed-delete-delete
@@ -34,9 +34,13 @@ overlimit() {
 closedindices() {
- INDICES=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed 2> /dev/null)
+ # If we can't query Elasticsearch, then immediately return false.
+ {{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed >/dev/null 2>&1
 [ $? -eq 1 ] && return false
- echo ${INDICES} | grep -q -E "(logstash-|so-)"
+ # First, get the list of closed indices using _cat/indices?h=index\&expand_wildcards=closed.
+ # Next, filter out any so-case indices.
+ # Finally, use grep's -q option to return true if there are any remaining logstash- or so- indices.
+ {{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -q -E "(logstash-|so-)"
 }
 # Check for 2 conditions:
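Review bot: the reachability guard in `closedindices()` is ineffective: `[ $? -eq 1 ]` only matches an exit status of exactly 1, while curl reports connection and TLS failures with other non-zero codes, and `return false` is not a numeric status (bash prints "numeric argument required"), so a down Elasticsearch mostly falls through to the second curl. Capturing the output once also removes the duplicate request: `INDICES=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed 2>/dev/null) || return 1` followed by `echo "${INDICES}" | grep -v "so-case" | grep -q -E "(logstash-|so-)"`. The three-line comment block can then be shortened to one line describing the filter.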
@@ -47,9 +51,10 @@ while overlimit && closedindices; do
 # We need to determine OLDEST_INDEX:
 # First, get the list of closed indices using _cat/indices?h=index\&expand_wildcards=closed.
- # Then, sort by date by telling sort to use hyphen as delimiter and then sort on the third field.
+ # Next, filter out any so-case indices and only select the remaining logstash- or so- indices.
+ # Then, sort by date by telling sort to use hyphen as delimiter and sort on the third field.
 # Finally, select the first entry in that sorted list.
- OLDEST_INDEX=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1)
+ OLDEST_INDEX=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1)
 # Now that we've determined OLDEST_INDEX, ask Elasticsearch to delete it.
 {{ ELASTICCURL }} -XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX}
From c4cc3fa35fc7afcb333201458b937a83ca943d58 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 23 Feb 2022 10:47:37 -0500
Subject: [PATCH 04/15] Update so-functions
---
 setup/so-functions | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/setup/so-functions b/setup/so-functions
index 91244a7cc..96c464f3c 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1837,6 +1837,15 @@ manager_global() {
 " warm: 7"\
 " close: 30"\
 " delete: 365"\
+ " so-endgame:"\
+ " index_template:"\
+ " template:"\
+ " settings:"\
+ " index:"\
+ " number_of_shards: 1"\
+ " warm: 7"\
+ " close: 30"\
+ " delete: 365"\
 " so-firewall:"\
 " index_template:"\
 " template:"\
From 6a0ecb9e9cb72bf4cd815d3e4243ca303372c719 Mon Sep 17 00:00:00 2001
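Review bot: the closed-index filter `grep -v "so-case" | grep -E "(logstash-|so-)"` now lives both in `closedindices()` (previous hunk) and in this loop body, so the two can drift and the loop could select an index that `closedindices()` would not count, or loop while it finds nothing to delete. Hoist it into one helper, e.g. `closedindexlist() { {{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -E "(logstash-|so-)"; }`, and have both call sites consume its output. `${OLDEST_INDEX}` in the `-XDELETE` URL is unquoted; quoting it guards the delete against word splitting at no cost. The while loop begins outside this hunk.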
From: weslambert Date: Wed, 23 Feb 2022 12:13:46 -0500 Subject: [PATCH 05/15] Add IDH and Kratos index templates --- salt/elasticsearch/defaults.yaml | 150 +++++++++++++++++++++++++++++++ 1 file changed, 150 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 7d6867024..d3b915a15 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1606,6 +1606,81 @@ elasticsearch: - common-settings - common-dynamic-mappings priority: 500 + so-idh: + warm: 7 + close: 30 + delete: 365 + index_sorting: False + index_template: + index_patterns: + - so-idh-* + template: + mappings: + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string + date_detection: false + settings: + index: + mapping: + total_fields: + limit: 3000 + sort: + field: "@timestamp" + order: desc + refresh_interval: 30s + number_of_shards: 1 + number_of_replicas: 0 + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - container-mappings + - destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - threat-mappings + - tls-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - common-settings + - common-dynamic-mappings + priority: 500 so-ids: index_sorting: False index_template: 
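Review bot: the new `so-idh` block is identical to the `so-kratos` block in the next hunk apart from the name and `index_patterns`, and both repeat the roughly fifty-entry `composed_of` list verbatim; a YAML anchor on one list (`composed_of: &dtc_composed_of`) reused by the others would keep them from drifting as components are added. Each block also sets `index_sorting: False` beside `settings.index.sort.field: "@timestamp"`; if `index_sorting` is the switch that decides whether the sort settings are emitted, a one-line comment on that key saying so would spare the next reader the lookup. If `so-kratos-*` holds the identity service's login and session events, `delete: 365` should be a deliberate choice against whatever retention applies to authentication logs.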
@@ -2079,6 +2154,81 @@ elasticsearch: - common-settings - common-dynamic-mappings priority: 500 + so-kratos: + warm: 7 + close: 30 + delete: 365 + index_sorting: False + index_template: + index_patterns: + - so-kratos-* + template: + mappings: + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string + date_detection: false + settings: + index: + mapping: + total_fields: + limit: 3000 + sort: + field: "@timestamp" + order: desc + refresh_interval: 30s + number_of_shards: 1 + number_of_replicas: 0 + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - container-mappings + - destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - threat-mappings + - tls-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - common-settings + - common-dynamic-mappings + priority: 500 so-logstash: index_sorting: False index_template: From 585c275df68a3d375b4a4b43765dfc57df77af5a Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 23 Feb 2022 19:35:10 -0500 Subject: [PATCH 06/15] UC true --- salt/playbook/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 81db5205c..57f9afb24 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls 
@@ -117,7 +117,7 @@ idh-plays:
 - source: salt://idh/plays
 - makedirs: True
 cmd.run:
- - name: so-playbook-import true
+ - name: so-playbook-import True
 - onchanges:
 - file: /opt/so/conf/soctopus/sigma-import
 {% endif %}
From a22e4700383fc8b5e400d6fb39537f2e8057f89c Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 24 Feb 2022 09:20:44 -0500
Subject: [PATCH 07/15] Add Kibana dashboard updates for 2.3.110
---
 salt/common/tools/sbin/soup | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index b036c4cc6..1d73fbc2a 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -471,6 +471,12 @@ post_to_2.3.100() {
 salt-call state.apply kibana.so_savedobjects_defaults queue=True
 }
+post_to_2.3.110() {
+ echo "Post Processing for 2.3.110"
+ echo "Updating Kibana dashboards"
+ salt-call state.apply kibana.so_savedobjects_defaults queue=True
+}
+
 stop_salt_master() {
 # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
 set +e
From 7f08ecdcbeb86da66ee442e466c7462ed9e375d2 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 24 Feb 2022 09:25:15 -0500
Subject: [PATCH 08/15] Add function reference for .110 post changes
---
 salt/common/tools/sbin/soup | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 1d73fbc2a..6e31c206f 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -416,6 +416,7 @@ postupgrade_changes() {
 [[ "$POSTVERSION" == 2.3.40 || "$POSTVERSION" == 2.3.50 || "$POSTVERSION" == 2.3.51 || "$POSTVERSION" == 2.3.52 ]] && post_to_2.3.60
 [[ "$POSTVERSION" == 2.3.60 || "$POSTVERSION" == 2.3.61 || "$POSTVERSION" == 2.3.70 || "$POSTVERSION" == 2.3.80 ]] && post_to_2.3.90
 [[ "$POSTVERSION" == 2.3.90 || "$POSTVERSION" == 2.3.91 ]] && post_to_2.3.100
+ || "$POSTVERSION" == 2.3.100 ]] && post_to_2.3.110
 true
 }
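Review bot: the line added to `postupgrade_changes()` in the PATCH 08 hunk begins with `||`, which bash rejects as a syntax error, so the whole `soup` script fails to parse at that commit. PATCH 10 corrects it to `[[ "$POSTVERSION" == 2.3.100 ]] && post_to_2.3.110`; the two commits should be squashed so the series stays bisectable. The new `post_to_2.3.110()` in the PATCH 07 hunk also lacks the trailing `POSTVERSION=2.3.110` that `post_to_2.3.90()` ends with; if the version chain relies on that assignment, the next release's step will be skipped for grids upgraded through this one.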
From 582bf4c64c1e43e47015aefd525e226a9e42dd3a Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 24 Feb 2022 09:25:59 -0500
Subject: [PATCH 09/15] Remove dashboard updates for .100 so we don't run twice
---
 salt/common/tools/sbin/soup | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 6e31c206f..964b573af 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -466,12 +466,6 @@ post_to_2.3.90() {
 POSTVERSION=2.3.90
 }
-post_to_2.3.100() {
- echo "Post Processing for 2.3.100"
- echo "Updating Kibana dashboards"
- salt-call state.apply kibana.so_savedobjects_defaults queue=True
-}
-
 post_to_2.3.110() {
 echo "Post Processing for 2.3.110"
 echo "Updating Kibana dashboards"
From 45ccfc5ad436482cb590d08f9e03447faebe15dd Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 24 Feb 2022 09:35:43 -0500
Subject: [PATCH 10/15] Add back post to .100 and call for .110
---
 salt/common/tools/sbin/soup | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 964b573af..d713c5b04 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -416,7 +416,7 @@ postupgrade_changes() {
 [[ "$POSTVERSION" == 2.3.40 || "$POSTVERSION" == 2.3.50 || "$POSTVERSION" == 2.3.51 || "$POSTVERSION" == 2.3.52 ]] && post_to_2.3.60
 [[ "$POSTVERSION" == 2.3.60 || "$POSTVERSION" == 2.3.61 || "$POSTVERSION" == 2.3.70 || "$POSTVERSION" == 2.3.80 ]] && post_to_2.3.90
 [[ "$POSTVERSION" == 2.3.90 || "$POSTVERSION" == 2.3.91 ]] && post_to_2.3.100
- || "$POSTVERSION" == 2.3.100 ]] && post_to_2.3.110
+ [[ "$POSTVERSION" == 2.3.100 ]] && post_to_2.3.110
 true
 }
@@ -466,6 +466,10 @@ post_to_2.3.90() {
 POSTVERSION=2.3.90
 }
+post_to_2.3.110() {
+ echo "Post Processing for 2.3.100"
+}
+
 post_to_2.3.110() {
 echo "Post Processing for 2.3.110"
 echo "Updating Kibana dashboards"
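Review bot: the re-added 2.3.100 stub (named `post_to_2.3.110()` in this hunk and renamed in the next patch) only echoes and never sets `POSTVERSION=2.3.100`, whereas `post_to_2.3.90()` in the context lines ends with `POSTVERSION=2.3.90`; if that assignment is how the chain in `postupgrade_changes()` advances, a grid at 2.3.90 or 2.3.91 runs the 2.3.100 step and then fails the new `[[ "$POSTVERSION" == 2.3.100 ]]` test, skipping the dashboard update this series adds. Add `POSTVERSION=2.3.100` as the stub's last line, and for the same reason `POSTVERSION=2.3.110` at the end of `post_to_2.3.110()`, whose body continues outside this hunk. At this commit two functions are named `post_to_2.3.110`; bash keeps the last definition, so the `post_to_2.3.100` call resolves to nothing until the rename in the next patch — another reason to squash these fix-up commits.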
From bc1794e4373e12e207dd6695e29e2aecc311a457 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 24 Feb 2022 09:42:14 -0500
Subject: [PATCH 11/15] Fix function name
---
 salt/common/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index d713c5b04..33649ab63 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -466,7 +466,7 @@ post_to_2.3.90() {
 POSTVERSION=2.3.90
 }
-post_to_2.3.110() {
+post_to_2.3.100() {
 echo "Post Processing for 2.3.100"
 }
From 23fb62c0d645c4f8525e9d2d678c80d48f3a5b9d Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 24 Feb 2022 12:52:25 -0500
Subject: [PATCH 12/15] Split Zeek DNS records into a separate index
---
 salt/elasticsearch/files/ingest/zeek.dns | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/elasticsearch/files/ingest/zeek.dns b/salt/elasticsearch/files/ingest/zeek.dns
index 533c63611..aaedaca74 100644
--- a/salt/elasticsearch/files/ingest/zeek.dns
+++ b/salt/elasticsearch/files/ingest/zeek.dns
@@ -23,6 +23,7 @@
 { "rename": { "field": "message2.TTLs", "target_field": "dns.ttls", "ignore_missing": true } },
 { "rename": { "field": "message2.rejected", "target_field": "dns.query.rejected", "ignore_missing": true } },
 { "script": { "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()", "ignore_failure": true } },
+ { "set": { "field": "_index", "value": "so-zeek_dns", "override": true } },
 { "pipeline": { "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld" } },
 { "pipeline": { "name": "zeek.common" } }
 ]
From 0f8a39002ffe5411964020f51e20d6aad4811e38 Mon Sep 17 00:00:00 2001
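Review bot: the new `set` processor writes the bare name `so-zeek_dns` into `_index` with `"override": true` and no date suffix, while the other index templates in this series match `so-<name>-*` patterns and the curator script orders indices by the third hyphen-separated field; unless the `zeek.common` pipeline that runs afterwards rewrites `_index` again, these records land in a single undated index that no `so-zeek_dns-*` pattern matches and that the date sort handles badly. Please add a comment on this line saying which step appends the date (or include it in the value), and confirm that `zeek.common` does not itself `set` `_index` with `override: true`, since it runs after this processor and would clobber it.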
From: Wes Lambert Date: Thu, 24 Feb 2022 19:39:52 +0000 Subject: [PATCH 13/15] Add .text subfield mappings for DTC where fields are defined --- .../component/so/dtc-agent-mappings.json | 15 ++++++++++ .../component/so/dtc-base-mappings.json | 6 ++++ .../component/so/dtc-dns-mappings.json | 5 +++- .../component/so/dtc-ecs-mappings.json | 3 ++ .../component/so/dtc-event-mappings.json | 30 +++++++++++++++++-- .../component/so/dtc-file-mappings.json | 6 ++++ .../component/so/dtc-host-mappings.json | 8 ++++- .../component/so/dtc-http-mappings.json | 6 ++++ .../component/so/dtc-network-mappings.json | 16 ++++++---- .../component/so/dtc-observer-mappings.json | 5 +++- .../component/so/dtc-process-mappings.json | 2 +- .../component/so/dtc-rule-mappings.json | 18 +++++++---- .../component/so/dtc-service-mappings.json | 6 ++++ .../component/so/dtc-user-mappings.json | 4 +-- 14 files changed, 110 insertions(+), 20 deletions(-) diff --git a/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json b/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json index 60e344946..a0ec531a7 100644 --- a/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json @@ -12,6 +12,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } @@ -21,6 +24,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } @@ -30,6 +36,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } @@ -39,6 +48,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } @@ -48,6 +60,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } 
diff --git a/salt/elasticsearch/templates/component/so/dtc-base-mappings.json b/salt/elasticsearch/templates/component/so/dtc-base-mappings.json index ff3b73792..aa89e8876 100644 --- a/salt/elasticsearch/templates/component/so/dtc-base-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-base-mappings.json @@ -9,6 +9,9 @@ "message": { "type": "match_only_text", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } @@ -18,6 +21,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } diff --git a/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json b/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json index d5a498669..ba60fb6a9 100644 --- a/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json @@ -14,7 +14,10 @@ "ignore_above": 1024, "type": "keyword", "fields": { - "keyword": { + "text": { + "type": "match_only_text" + }, + "keyword": { "type": "keyword" } } diff --git a/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json b/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json index 521d4944f..347b9b5a8 100644 --- a/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json @@ -12,6 +12,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } diff --git a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json index d3e577267..d0c2227ba 100644 --- a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json 
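Review bot: in dtc-base-mappings `message` is already `"type": "match_only_text"`, so the added `text` subfield of the same type indexes the message body a second time under `message.text` for no new query capability; skip the subfield wherever the parent is already a text type. The same applies in the dtc-event-mappings hunks for `created` and `ingested`, which are `"type": "date"`: a `match_only_text` subfield on a date indexes the date's string form as free text, which nothing is likely to search. Several hunks (dtc-dns `keyword`, dtc-network `transport`, dtc-rule `category`) mix re-indentation with the functional add, which makes the actual change harder to see.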
@@ -12,6 +12,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } @@ -20,6 +23,9 @@ "created": { "type": "date", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } @@ -29,14 +35,20 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { - "type": "keyword" - } + "type": "keyword" + } } }, "ingested": { "type": "date", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } @@ -45,7 +57,10 @@ "module": { "ignore_above": 1024, "type": "keyword", - "fields": { + "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } @@ -55,6 +70,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } @@ -64,6 +82,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } @@ -73,6 +94,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } diff --git a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json index af090a0b0..0698dd978 100644 --- a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json @@ -12,6 +12,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } @@ -21,6 +24,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } 
diff --git a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json index 064ce850c..79a4eb682 100644 --- a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json @@ -12,15 +12,21 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } } }, - "mac": { + "mac": { "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } diff --git a/salt/elasticsearch/templates/component/so/dtc-http-mappings.json b/salt/elasticsearch/templates/component/so/dtc-http-mappings.json index 1b504900a..d51ebe195 100644 --- a/salt/elasticsearch/templates/component/so/dtc-http-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-http-mappings.json @@ -14,6 +14,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } @@ -23,6 +26,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } diff --git a/salt/elasticsearch/templates/component/so/dtc-network-mappings.json b/salt/elasticsearch/templates/component/so/dtc-network-mappings.json index b42fe9771..f8adccf28 100644 --- a/salt/elasticsearch/templates/component/so/dtc-network-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-network-mappings.json @@ -12,6 +12,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } @@ -20,11 +23,14 @@ "transport": { "ignore_above": 1024, "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } + "fields": { + "text": { + "type": "match_only_text" + }, + "keyword": { + "type": "keyword" + } + } } } } 
diff --git a/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json b/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json index bd7e7f3bd..181496fe4 100644 --- a/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json @@ -11,7 +11,10 @@ "name": { "ignore_above": 1024, "type": "keyword", - "fields": { + "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } diff --git a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json index 688aec92c..f0bf6c70b 100644 --- a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json @@ -20,7 +20,7 @@ "type": "wildcard" } } - } + } } } } diff --git a/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json b/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json index d2df0127b..0d0bd8bd8 100644 --- a/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json @@ -11,16 +11,22 @@ "category": { "ignore_above": 1024, "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } + "fields": { + "text": { + "type": "match_only_text" + }, + "keyword": { + "type": "keyword" + } + } }, "name": { "ignore_above": 1024, "type": "keyword", - "fields": { + "fields": { + "text": { + "type": "match_only_text" + }, "keyword": { "type": "keyword" } diff --git a/salt/elasticsearch/templates/component/so/dtc-service-mappings.json b/salt/elasticsearch/templates/component/so/dtc-service-mappings.json index 76bfc274b..7c76cc2db 100644 --- a/salt/elasticsearch/templates/component/so/dtc-service-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-service-mappings.json 
@@ -12,6 +12,9 @@
 "ignore_above": 1024,
 "type": "keyword",
 "fields": {
+ "text": {
+ "type": "match_only_text"
+ },
 "keyword": {
 "type": "keyword"
 }
@@ -21,6 +24,9 @@
 "ignore_above": 1024,
 "type": "keyword",
 "fields": {
+ "text": {
+ "type": "match_only_text"
+ },
 "keyword": {
 "type": "keyword"
 }
diff --git a/salt/elasticsearch/templates/component/so/dtc-user-mappings.json b/salt/elasticsearch/templates/component/so/dtc-user-mappings.json
index 3d0c3086a..92ef1e0df 100644
--- a/salt/elasticsearch/templates/component/so/dtc-user-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-user-mappings.json
@@ -14,8 +14,8 @@
 "type": "match_only_text"
 },
 "keyword": {
- "type": "keyword"
- }
+ "type": "keyword"
+ }
 },
 "ignore_above": 1024,
 "type": "keyword"

From 8b61d4818dddee6deb678b2f6f5d2d0727cd2134 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 24 Feb 2022 14:47:14 -0500
Subject: [PATCH 14/15] change name of selinux policy state for idh node

---
 salt/idh/openssh/config.sls | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/salt/idh/openssh/config.sls b/salt/idh/openssh/config.sls
index 2112aa334..d358bb5be 100644
--- a/salt/idh/openssh/config.sls
+++ b/salt/idh/openssh/config.sls
@@ -4,9 +4,8 @@
 include:
 - idh.openssh
 {% if grains.os_family == 'RedHat' %}
-sshd_selinux:
+idh_sshd_selinux:
 selinux.port_policy_present:
- - name: tcp/{{ openssh_map.config.port }}
 - port: {{ openssh_map.config.port }}
 - protocol: tcp
 - sel_type: ssh_port_t

From 0970bbc983ccb2263c442d4d8a59d0b659e4d0f1 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 24 Feb 2022 17:55:50 -0500
Subject: [PATCH 15/15] default to false if local role doesnt exist

---
 salt/firewall/map.jinja | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja
index 496e6f568..2c7d03225 100644
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -37,7 +37,7 @@
 {% import_yaml 'firewall/assigned_hostgroups.map.yaml' as default_assigned_hostgroups %}
 {% import_yaml 'firewall/assigned_hostgroups.local.map.yaml' as local_assigned_hostgroups %}
 
-{% if local_assigned_hostgroups.role[role] %}
+{% if local_assigned_hostgroups.role.get(role, False) %}
 {% set assigned_hostgroups = salt['defaults.merge'](local_assigned_hostgroups.role[role], default_assigned_hostgroups.role[role], merge_lists=False, in_place=False) %}
 {% else %}
 {% set assigned_hostgroups = default_assigned_hostgroups.role[role] %}
@@ -45,4 +45,4 @@
 
 {% if translated_pillar_assigned_hostgroups %}
 {% do salt['defaults.merge'](assigned_hostgroups, translated_pillar_assigned_hostgroups, merge_lists=True, in_place=True) %}
-{% endif %}
\ No newline at end of file
+{% endif %}
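Review bot: `local_assigned_hostgroups.role.get(role, False)` on the changed line only tolerates a missing role entry; if `firewall/assigned_hostgroups.local.map.yaml` has no top-level `role` key, or is empty so that `import_yaml` presumably yields `None`, the `.role` access still fails at render time and the firewall state errors out instead of falling through to the defaults. If that file is allowed to be sparse, guard the outer key as well, e.g. `{% if local_assigned_hostgroups and local_assigned_hostgroups.get('role', {}).get(role, False) %}`. A one-line comment above the condition stating that the local map is optional and the `else` branch is the intended default would make the contract explicit for whoever next edits the map; the `{% endif %}` newline fix in the second hunk needs nothing.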
