Merge remote-tracking branch 'remotes/origin/dev' into delta

This commit is contained in:
Josh Brower
2022-02-24 19:58:10 -05:00
84 changed files with 19726 additions and 3346 deletions


@@ -416,6 +416,7 @@ postupgrade_changes() {
[[ "$POSTVERSION" == 2.3.40 || "$POSTVERSION" == 2.3.50 || "$POSTVERSION" == 2.3.51 || "$POSTVERSION" == 2.3.52 ]] && post_to_2.3.60
[[ "$POSTVERSION" == 2.3.60 || "$POSTVERSION" == 2.3.61 || "$POSTVERSION" == 2.3.70 || "$POSTVERSION" == 2.3.80 ]] && post_to_2.3.90
[[ "$POSTVERSION" == 2.3.90 || "$POSTVERSION" == 2.3.91 ]] && post_to_2.3.100
[[ "$POSTVERSION" == 2.3.100 ]] && post_to_2.3.110
true
}
@@ -467,6 +468,10 @@ post_to_2.3.90() {
post_to_2.3.100() {
echo "Post Processing for 2.3.100"
}
post_to_2.3.110() {
echo "Post Processing for 2.3.110"
echo "Updating Kibana dashboards"
salt-call state.apply kibana.so_savedobjects_defaults queue=True
}
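Review bot: The new step's failure is silently discarded: `post_to_2.3.110` is reached through the `[[ … ]] &&` chain in `postupgrade_changes`, which ends in `true`, so a non-zero exit from `salt-call state.apply kibana.so_savedobjects_defaults queue=True` still lets the upgrade report success with the old dashboards in place. At minimum make it visible, e.g. `salt-call state.apply kibana.so_savedobjects_defaults queue=True || echo "WARNING: kibana.so_savedobjects_defaults failed; re-run it manually after the upgrade" >&2`. A header comment would also help the next person adding a step, e.g. `# 2.3.110: re-apply the default Kibana saved objects (dashboards)`. Note that each `post_to_*` guard matches one exact `POSTVERSION`, so unless a step re-sets `POSTVERSION` somewhere not visible here, a host jumping from 2.3.9x straight to 2.3.110 runs `post_to_2.3.100` but not this function.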


@@ -34,9 +34,13 @@ overlimit() {
closedindices() {
INDICES=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed 2> /dev/null)
# If we can't query Elasticsearch, then immediately return false.
{{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed >/dev/null 2>&1
[ $? -eq 1 ] && return false
echo ${INDICES} | grep -q -E "(logstash-|so-)"
# First, get the list of closed indices using _cat/indices?h=index\&expand_wildcards=closed.
# Next, filter out any so-case indices.
# Finally, use grep's -q option to return true if there are any remaining logstash- or so- indices.
{{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -q -E "(logstash-|so-)"
}
# Check for 2 conditions:
@@ -47,9 +51,10 @@ while overlimit && closedindices; do
# We need to determine OLDEST_INDEX:
# First, get the list of closed indices using _cat/indices?h=index\&expand_wildcards=closed.
# Then, sort by date by telling sort to use hyphen as delimiter and then sort on the third field.
# Next, filter out any so-case indices and only select the remaining logstash- or so- indices.
# Then, sort by date by telling sort to use hyphen as delimiter and sort on the third field.
# Finally, select the first entry in that sorted list.
OLDEST_INDEX=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1)
OLDEST_INDEX=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1)
# Now that we've determined OLDEST_INDEX, ask Elasticsearch to delete it.
{{ ELASTICCURL }} -XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX}
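Review bot: `OLDEST_INDEX` is interpolated into the DELETE URL unquoted and with no emptiness check on the hunk's last line; if the `_cat/indices` query fails mid-loop the pipeline yields an empty string and the request becomes a DELETE against the bare base URL, which is never the intent. The guard in `closedindices` does not prevent this, because `[ $? -eq 1 ] && return false` only catches curl exit code 1 while connection, timeout and TLS failures are 7, 28 and 35 (and `return false` is not a numeric status — `|| return 1` is what is meant). I would add `[ -n "${OLDEST_INDEX}" ] || break` before the delete and write the URL as `.../"${OLDEST_INDEX}"`. The `-k` on every call also disables certificate verification toward Elasticsearch; that is not new here, but if a CA bundle for the cluster exists, `--cacert` keeps the check without changing behaviour. The `while` loop body continues past the hunk.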


@@ -1606,6 +1606,81 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
priority: 500
so-idh:
warm: 7
close: 30
delete: 365
index_sorting: False
index_template:
index_patterns:
- so-idh-*
template:
mappings:
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
date_detection: false
settings:
index:
mapping:
total_fields:
limit: 3000
sort:
field: "@timestamp"
order: desc
refresh_interval: 30s
number_of_shards: 1
number_of_replicas: 0
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- container-mappings
- destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- threat-mappings
- tls-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- common-settings
- common-dynamic-mappings
priority: 500
so-ids:
index_sorting: False
index_template:
@@ -2079,6 +2154,81 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
priority: 500
so-kratos:
warm: 7
close: 30
delete: 365
index_sorting: False
index_template:
index_patterns:
- so-kratos-*
template:
mappings:
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
date_detection: false
settings:
index:
mapping:
total_fields:
limit: 3000
sort:
field: "@timestamp"
order: desc
refresh_interval: 30s
number_of_shards: 1
number_of_replicas: 0
composed_of:
- agent-mappings
- dtc-agent-mappings
- base-mappings
- dtc-base-mappings
- client-mappings
- container-mappings
- destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
- ecs-mappings
- dtc-ecs-mappings
- error-mappings
- event-mappings
- dtc-event-mappings
- file-mappings
- dtc-file-mappings
- group-mappings
- host-mappings
- dtc-host-mappings
- http-mappings
- dtc-http-mappings
- log-mappings
- network-mappings
- dtc-network-mappings
- observer-mappings
- dtc-observer-mappings
- organization-mappings
- package-mappings
- process-mappings
- dtc-process-mappings
- related-mappings
- rule-mappings
- dtc-rule-mappings
- server-mappings
- service-mappings
- dtc-service-mappings
- source-mappings
- threat-mappings
- tls-mappings
- url-mappings
- user_agent-mappings
- dtc-user_agent-mappings
- common-settings
- common-dynamic-mappings
priority: 500
so-logstash:
index_sorting: False
index_template:
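Review bot: `so-kratos` (presumably the Ory Kratos authentication logs behind the SOC login) gets `close: 30`, which makes authentication events older than a month unsearchable until an operator reopens the index; for an account-compromise investigation that window is short, so the choice deserves a comment on the entry, e.g. `# kratos auth logs: closed (unsearchable until reopened) after 30 days, deleted after 365`. Both new entries also set `number_of_replicas: 0`, consistent with the neighbouring templates but meaning the loss of one node loses that audit trail; if that is accepted, say so in a comment. `index_sorting: False` next to an explicit `settings.index.sort` on `@timestamp` reads as contradictory — if `index_sorting` is what the template builder consults, the `sort` block is dead config; I cannot tell which from this file.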


@@ -2,35 +2,147 @@
"description" : "syslog",
"processors" : [
{
"dissect": {
"field": "message",
"pattern" : "%{message}",
"on_failure": [ { "drop" : { } } ]
"dissect": {
"field": "message",
"pattern" : "%{message}",
"on_failure": [ { "drop" : { } } ]
},
"remove": {
"field": [ "type", "agent" ],
"ignore_failure": true
}
}, {
"grok": {
"field": "message",
"patterns": [
"^<%{INT:syslog.priority:int}>%{TIMESTAMP_ISO8601:syslog.timestamp} +%{IPORHOST:syslog.host} +%{PROG:syslog.program}(?:\\[%{POSINT:syslog.pid:int}\\])?: %{GREEDYDATA:real_message}$",
"^<%{INT:syslog.priority}>%{DATA:syslog.timestamp} %{WORD:source.application}(\\[%{DATA:pid}\\])?: %{GREEDYDATA:real_message}$",
"^%{SYSLOGTIMESTAMP:syslog.timestamp} %{SYSLOGHOST:syslog.host} %{SYSLOGPROG:syslog.program}: CEF:0\\|%{DATA:vendor}\\|%{DATA:product}\\|%{GREEDYDATA:message2}$"
],
"ignore_failure": true
}
}, {
"script": {
"description": "Map syslog priority into facility and level",
"lang": "painless",
"params" : {
"level": [
"emerg",
"alert",
"crit",
"err",
"warn",
"notice",
"info",
"debug"
],
"facility" : [
"kern",
"user",
"mail",
"daemon",
"auth",
"syslog",
"lpr",
"news",
"uucp",
"cron",
"authpriv",
"ftp",
"ntp",
"security",
"console",
"solaris-cron",
"local0",
"local1",
"local2",
"local3",
"local4",
"local5",
"local6",
"local7"
]
},
"remove": {
"field": [ "type", "agent" ],
"ignore_failure": true
}
},
{
"grok":
{
"field": "message",
"patterns": [
"^<%{INT:syslog.priority}>%{DATA:syslog.timestamp} %{WORD:source.application}(\\[%{DATA:pid}\\])?: %{GREEDYDATA:real_message}$",
"^%{SYSLOGTIMESTAMP:syslog.timestamp} %{SYSLOGHOST:syslog.host} %{SYSLOGPROG:syslog.program}: CEF:0\\|%{DATA:vendor}\\|%{DATA:product}\\|%{GREEDYDATA:message2}$"
],
"ignore_failure": true
}
},
{ "set": { "if": "ctx.source?.application == 'filterlog'", "field": "dataset", "value": "firewall", "ignore_failure": true } },
{ "set": { "if": "ctx.vendor != null", "field": "module", "value": "{{ vendor }}", "ignore_failure": true } },
{ "set": { "if": "ctx.product != null", "field": "dataset", "value": "{{ product }}", "ignore_failure": true } },
{ "set": { "field": "ingest.timestamp", "value": "{{ @timestamp }}" } },
{ "date": { "if": "ctx.syslog?.timestamp != null", "field": "syslog.timestamp", "target_field": "@timestamp", "formats": ["MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601", "UNIX"], "ignore_failure": true } },
{ "remove": { "field": ["pid", "program"], "ignore_missing": true, "ignore_failure": true } },
{ "pipeline": { "if": "ctx.vendor != null && ctx.product != null", "name": "{{ vendor }}.{{ product }}", "ignore_failure": true } },
{ "pipeline": { "if": "ctx.dataset == 'firewall'", "name": "filterlog", "ignore_failure": true } },
{ "pipeline": { "name": "common" } }
"source": "if (ctx['syslog'] != null && ctx['syslog']['priority'] != null) { int p = ctx['syslog']['priority']; int f = p / 8; int l = p - (f * 8); ctx['syslog']['facility'] = [ : ]; ctx['syslog']['level'] = [ : ]; ctx['syslog']['level'].put('code', l); ctx['syslog']['level'].put('name', params.level[l]); ctx['syslog']['facility'].put('code', f); ctx['syslog']['facility'].put('name', params.facility[f]); }"
}
}, {
"set": {
"if": "ctx.syslog?.host != null",
"field": "host.name",
"value": "{{ syslog.host }}",
"ignore_failure": true
}
}, {
"set": {
"if": "ctx.syslog?.program != null",
"field": "process.name",
"value": "{{ syslog.program }}",
"ignore_failure": true
}
}, {
"set": {
"if": "ctx.syslog?.pid != null",
"field": "process.id",
"value": "{{ syslog.pid }}",
"ignore_failure": true
}
}, {
"set": {
"if": "ctx.source?.application == 'filterlog'",
"field": "dataset",
"value": "firewall",
"ignore_failure": true
}
}, {
"set": {
"if": "ctx.vendor != null",
"field": "module",
"value": "{{ vendor }}",
"ignore_failure": true
}
}, {
"set": {
"if": "ctx.product != null",
"field": "dataset",
"value": "{{ product }}",
"ignore_failure": true
}
}, {
"set": {
"field": "ingest.timestamp",
"value": "{{ @timestamp }}"
}
}, {
"date": {
"if": "ctx.syslog?.timestamp != null",
"field": "syslog.timestamp",
"target_field": "@timestamp",
"formats": ["MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601", "UNIX"],
"ignore_failure": true
}
}, {
"remove": {
"field": ["pid", "program"],
"ignore_missing": true,
"ignore_failure": true
}
}, {
"pipeline": {
"if": "ctx.vendor != null && ctx.product != null",
"name": "{{ vendor }}.{{ product }}",
"ignore_failure": true
}
}, {
"pipeline": {
"if": "ctx.dataset == 'firewall'",
"name": "filterlog",
"ignore_failure": true
}
}, {
"pipeline": { "name": "common" }
}
]
}
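Review bot: The new painless processor can reject whole events on sender-controlled input: `int p = ctx['syslog']['priority']` assumes an integer, but only the first grok pattern captures `syslog.priority:int` — the second (`%{INT:syslog.priority}`) stores a string, which makes that cast throw, and a PRI such as `<999>` or `<-1>` indexes `params.facility`/`params.level` out of range. Unlike every other processor in this pipeline the script carries no `ignore_failure`, so any of these failures drops the document instead of just leaving facility/level unset. I would add `:int` to the second pattern's priority capture, give the script `"ignore_failure": true`, and bound-check before indexing: `"source": "if (ctx.syslog?.priority != null) { int p = Integer.parseInt(ctx.syslog.priority.toString()); if (p >= 0 && p / 8 < params.facility.length) { int f = p / 8; int l = p % 8; ctx.syslog.facility = ['code': f, 'name': params.facility[f]]; ctx.syslog.level = ['code': l, 'name': params.level[l]]; } }"`. Whether dropping on a malformed PRI is acceptable for the syslog path is a judgement call, but it should be deliberate rather than a side effect.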


@@ -23,6 +23,7 @@
{ "rename": { "field": "message2.TTLs", "target_field": "dns.ttls", "ignore_missing": true } },
{ "rename": { "field": "message2.rejected", "target_field": "dns.query.rejected", "ignore_missing": true } },
{ "script": { "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()", "ignore_failure": true } },
{ "set": { "field": "_index", "value": "so-zeek_dns", "override": true } },
{ "pipeline": { "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld" } },
{ "pipeline": { "name": "zeek.common" } }
]
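Review bot: The added `set` hard-codes `_index` to `so-zeek_dns` with no date component, unlike the `so-*-<date>` style names the retention script in this same commit sorts on (`sort -t- -k3`); unless `so-zeek_dns` is an alias with a write index or a data stream, this appears to create one ever-growing index that neither the closed-index cleanup nor a `so-zeek-*` template pattern would match. I cannot see the zeek templates or aliases from here, so this may be intended — if so, a note in the pipeline's `description` naming the alias/data stream behind `so-zeek_dns` and how it is rotated would settle it. `override: true` is already the default for `set` and can be dropped, and since the rewrite runs before `dns.tld` and `zeek.common`, any `_index` handling in those pipelines must not undo it.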


@@ -12,29 +12,59 @@
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
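Review bot: `match_only_text` only exists in Elasticsearch 7.14 and later; if the Elasticsearch shipped with this release is older, every component template in this commit fails to install and the index templates composed from them with it, so the version floor deserves a check in the upgrade path or at least a line in the release notes. Adding a `.text` subfield to every keyword, including opaque identifiers such as `agent.ephemeral_id` and `agent.id`, also costs index space for fields nobody full-text searches; if this mirrors an upstream ECS or integration mapping that is fine, but it should be stated. JSON has no comment syntax, so the place for that is the component's `_meta` block or the docs.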

View File

@@ -22,7 +22,12 @@
},
"api_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"console_login": {
"properties": {
@@ -30,7 +35,12 @@
"properties": {
"login_to": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"mfa_used": {
"type": "boolean"
@@ -58,27 +68,57 @@
},
"previous_hash_algorithm": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"previous_s3_bucket": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"public_key_fingerprint": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"s3_bucket": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"s3_object": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"start_time": {
"type": "date"
@@ -87,23 +127,48 @@
},
"error_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"error_message": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"event_category": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"event_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"flattened": {
"properties": {
@@ -126,19 +191,39 @@
},
"management_event": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"read_only": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"recipient_account_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"request_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"request_parameters": {
"fields": {
@@ -154,15 +239,30 @@
"properties": {
"account_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"arn": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -188,21 +288,41 @@
},
"shared_event_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"user_identity": {
"properties": {
"access_key_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"arn": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"invoked_by": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"session_context": {
"properties": {
@@ -211,25 +331,50 @@
},
"mfa_authenticated": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"session_issuer": {
"properties": {
"account_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"arn": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"principal_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
@@ -237,13 +382,23 @@
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"vpc_endpoint_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -259,7 +414,12 @@
"properties": {
"ip_address": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -267,7 +427,12 @@
"properties": {
"action_executed": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"backend": {
"properties": {
@@ -277,7 +442,12 @@
"properties": {
"status_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
@@ -285,11 +455,21 @@
},
"ip": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"port": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -304,21 +484,41 @@
"properties": {
"arn": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"serial": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"classification_reason": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"connection_time": {
"properties": {
@@ -331,33 +531,68 @@
"properties": {
"reason": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"incoming_tls_alert": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"listener": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"matched_rule_priority": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"redirect_url": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"request_processing_time": {
"properties": {
@@ -375,27 +610,52 @@
},
"ssl_cipher": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ssl_protocol": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"target_group": {
"properties": {
"arn": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"target_port": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"target_status_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"tls_handshake_time": {
"properties": {
@@ -406,15 +666,30 @@
},
"tls_named_group": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"trace_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -422,75 +697,150 @@
"properties": {
"authentication_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"bucket": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"bucket_owner": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"bytes_sent": {
"type": "long"
},
"cipher_suite": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"error_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"host_header": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"host_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"http_status": {
"type": "long"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"object_size": {
"type": "long"
},
"operation": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"referrer": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"remote_ip": {
"type": "ip"
},
"request_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"request_uri": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"requester": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"signature_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"tls_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"total_time": {
"type": "long"
@@ -500,11 +850,21 @@
},
"user_agent": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -512,23 +872,48 @@
"properties": {
"account_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"action": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"instance_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"interface_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"log_status": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"pkt_dstaddr": {
"type": "ip"
@@ -538,27 +923,57 @@
},
"subnet_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"tcp_flags": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"tcp_flags_array": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"vpc_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}



@@ -17,7 +17,12 @@
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}





@@ -10,7 +10,12 @@
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"as": {
"properties": {
@@ -37,52 +42,107 @@
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -91,7 +151,12 @@
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"nat": {
"properties": {
@@ -111,25 +176,50 @@
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"email": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"full_name": {
"fields": {
@@ -144,25 +234,50 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"fields": {
@@ -175,7 +290,12 @@
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -12,27 +12,52 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"instance": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -40,7 +65,12 @@
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -48,27 +78,52 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"service": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -10,17 +10,32 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"tag": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -29,11 +44,21 @@
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"runtime": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -12,241 +12,511 @@
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ca_properties": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"cpm_disabled": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"cpm_error_details": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"cpm_status": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"creation_method": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"customer": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"database": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"device_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"dual_account_status": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"group_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"in_process": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"index": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"last_fail_date": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"last_success_change": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"last_success_reconciliation": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"last_success_verification": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"last_task": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"logon_domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"other": {
"type": "flattened"
},
"policy_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"port": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"privcloud": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"reset_immediately": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"retries_count": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sequence_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"user_dn": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"user_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"virtual_username": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"category": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"desc": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"extra_details": {
"properties": {
"ad_process_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ad_process_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"application_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"command": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"connection_component_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"dst_host": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"logon_account": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"managed_account": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"other": {
"type": "flattened"
},
"process_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"process_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"psmid": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"session_duration": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"src_host": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"username": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"file": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"gateway_station": {
"type": "ip"
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"iso_timestamp": {
"type": "date"
},
"issuer": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"location": {
"doc_values": false,
"ignore_above": 4096,
"index": false,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"message": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"message_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"product": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"pvwa_details": {
"type": "flattened"
@@ -255,7 +525,12 @@
"doc_values": false,
"ignore_above": 4096,
"index": false,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"reason": {
"norms": false,
@@ -266,34 +541,69 @@
},
"safe": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"source_user": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"station": {
"type": "ip"
},
"target_user": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"timestamp": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
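Review bot: The two entries mapped with `"doc_values": false`, `"ignore_above": 4096`, `"index": false` (the `location` field, and a second one whose name is cut off by the `@@ -255,7 +525,12 @@` header) now carry a `text` multi-field, and that subfield is indexed regardless of the parent's `"index": false`, so content this template deliberately kept out of the inverted index becomes searchable and tokenized after all. `ignore_above` only bounds the keyword, so values past 4096 characters are still fully indexed in `.text`. If these fields are meant to be stored but not searched, leave them as `"doc_values": false, "ignore_above": 4096, "index": false, "type": "keyword"` without the `fields` block, or record in the commit why they should now be searchable.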


@@ -10,7 +10,12 @@
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"as": {
"properties": {
@@ -37,52 +42,107 @@
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -91,7 +151,12 @@
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"nat": {
"properties": {
@@ -111,25 +176,50 @@
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"email": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"full_name": {
"fields": {
@@ -144,25 +234,50 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"fields": {
@@ -175,7 +290,12 @@
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -12,26 +12,51 @@
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"status": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"timestamp": {
"type": "date"
@@ -48,63 +73,133 @@
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"path": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"pe": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"company": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"description": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"product": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -12,63 +12,128 @@
"properties": {
"class": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"data": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ttl": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
},
"type": "object"
},
"header_flags": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"op_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"question": {
"properties": {
"class": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -77,11 +142,21 @@
},
"response_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -10,7 +10,12 @@
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -17,7 +17,12 @@
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -10,11 +10,21 @@
"properties": {
"code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"message": {
"type": "match_only_text"
@@ -29,7 +39,12 @@
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -10,26 +10,51 @@
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"category": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"created": {
"type": "date"
},
"dataset": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"duration": {
"type": "long"
@@ -39,43 +64,88 @@
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ingested": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"module": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"original": {
"doc_values": false,
"index": false,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"risk_score": {
"type": "float"
@@ -94,15 +164,30 @@
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"url": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
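Review bot: The `original` entry, mapped with `"doc_values": false` and `"index": false`, gains a `text` subfield that is indexed, so a field the template explicitly leaves unindexed is now tokenized in full; there is no `ignore_above` on it, and `ignore_above` would not bound a text multi-field anyway. If `original` presumably holds the raw event payload, this is likely the largest index-size increase in the change and it reverses the intent of `"index": false`. Consider keeping it as `"original": { "doc_values": false, "index": false, "type": "keyword" }` or documenting in the commit why raw events should be full-text searchable.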


@@ -13,32 +13,62 @@
},
"attributes": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"code_signature": {
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"status": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"timestamp": {
"type": "date"
@@ -59,29 +89,59 @@
},
"device": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"directory": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"drive_letter": {
"ignore_above": 1,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"elf": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"creation_date": {
"type": "date"
@@ -93,34 +153,69 @@
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"class": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"data": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -137,22 +232,42 @@
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"virtual_address": {
"type": "long"
@@ -167,87 +282,177 @@
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
},
"type": "nested"
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"extension": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"fork_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"gid": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"group": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"inode": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"mode": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"mtime": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"path": {
"fields": {
@@ -262,31 +467,66 @@
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"company": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"description": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"product": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -304,47 +544,97 @@
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"x509": {
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -356,11 +646,21 @@
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"public_key_exponent": {
"doc_values": false,
@@ -372,47 +672,97 @@
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
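Review bot: `drive_letter` (`"ignore_above": 1`) and the `hash.md5`/`sha1`/`sha256`/`sha512` entries receive the same `match_only_text` multi-field as free-text fields, but a single character or a hex digest analyzes to essentially one term, so the subfield duplicates the keyword at extra index cost with no search benefit; consider leaving those at `"ignore_above": 1024, "type": "keyword"` only. The blanket addition also quietly changes the meaning of `ignore_above` across this template: a value longer than the limit is dropped from the keyword yet still indexed in `.text`, which is worth a comment in the commit message since operators may rely on `ignore_above` to cap what gets indexed.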



@@ -14,17 +14,32 @@
"properties": {
"authority_selector": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"principal_email": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"method_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"num_response_items": {
"type": "long"
@@ -33,19 +48,39 @@
"properties": {
"filter": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"proto_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"resource_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -56,7 +91,12 @@
},
"caller_supplied_user_agent": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -64,13 +104,23 @@
"properties": {
"current_locations": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"resource_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"response": {
"properties": {
@@ -78,35 +128,70 @@
"properties": {
"group": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"proto_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"status": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"service_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"status": {
"properties": {
@@ -115,13 +200,23 @@
},
"message": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -131,15 +226,30 @@
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -147,15 +257,30 @@
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subnetwork_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"vpc_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
@@ -167,42 +292,87 @@
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"destination_range": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"direction": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"priority": {
"type": "long"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"source_range": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"source_service_account": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"source_tag": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"target_service_account": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"target_tag": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
@@ -214,15 +384,30 @@
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -230,15 +415,30 @@
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subnetwork_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"vpc_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
@@ -248,7 +448,12 @@
"properties": {
"reporter": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"rtt": {
"properties": {


@@ -10,15 +10,30 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
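Review bot: The `match_only_text` type introduced in every new `fields.text` entry of this section (and repeated across the rest of the commit) is only accepted by Elasticsearch 7.14 and later; on an older node the template PUT is rejected with a mapper_parsing_exception for an unknown type, and the whole mapping, not just the subfield, fails to load. If the upgrade path can push these templates before every data node is on a supporting version, gate the template load on the cluster version or keep the plain `"type": "keyword"` until then. The enclosing `properties` object is cut at the hunk edge, so I cannot see which top-level field these `domain`/`id`/`name` entries belong to.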


@@ -10,7 +10,12 @@
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"cpu": {
"properties": {
@@ -40,73 +45,148 @@
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"network": {
"properties": {
@@ -136,7 +216,12 @@
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"full": {
"fields": {
@@ -149,7 +234,12 @@
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"fields": {
@@ -162,21 +252,41 @@
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"uptime": {
"type": "long"
@@ -185,11 +295,21 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"email": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"full_name": {
"fields": {
@@ -204,25 +324,50 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"fields": {
@@ -235,7 +380,12 @@
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -30,19 +30,39 @@
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"method": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"referrer": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -68,7 +88,12 @@
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"status_code": {
"type": "long"
@@ -77,7 +102,12 @@
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -12,47 +12,102 @@
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"action_detail": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"alert": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"apbr_rule_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"application": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"application_category": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"application_characteristics": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"application_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"application_sub_category": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"attack_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"category": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"client_ip": {
"type": "ip"
@@ -62,85 +117,165 @@
},
"connection_tag": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"context_hit_rate": {
"type": "long"
},
"context_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"context_value": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"context_value_hit_rate": {
"type": "long"
},
"ddos_application_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"dscp_value": {
"type": "long"
},
"dst_nat_rule_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"dst_nat_rule_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"dst_vrf_grp": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"elapsed_time": {
"type": "date"
},
"encrypted": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"epoch_time": {
"type": "date"
},
"error_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"error_message": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"export_id": {
"type": "long"
},
"feed_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"file_category": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"file_hash_lookup": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"file_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"filename": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"icmp_type": {
"type": "long"
@@ -153,39 +288,84 @@
},
"index": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"logical_system_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"malware_info": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"message": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"message_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"nat_connection_tag": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"nested_application": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"obj": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"occur_count": {
"type": "long"
@@ -207,7 +387,12 @@
},
"peer_session_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"peer_source_address": {
"type": "ip"
@@ -217,118 +402,258 @@
},
"policy_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"process": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"profile": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"profile_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"protocol_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"protocol_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"repeat_count": {
"type": "long"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"routing_instance": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"rule_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ruleebase_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sample_sha256": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"secure_web_proxy_session_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"service_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"session_id_32": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"src_nat_rule_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"src_nat_rule_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"src_vrf_grp": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"state": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"status": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sub_category": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"tag": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"temporary_filename": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"tenant_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"th": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"threat_severity": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"time_count": {
"type": "long"
@@ -338,14 +663,24 @@
},
"time_scope": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"timestamp": {
"type": "date"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"uplink_rx_bytes": {
"type": "long"
@@ -355,18 +690,33 @@
},
"url": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"username": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"verdict_number": {
"type": "long"
},
"verdict_source": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
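Review bot: The new `.text` multi-fields are not covered by the parent's `"ignore_above": 1024`, so for free-form fields such as `url`, `message` and `error_message` a value longer than 1024 characters now drops out of the keyword index but is still analyzed and indexed under `*.text`, which changes which queries match those events and grows the index for exactly the largest payloads. For hash- and identifier-like fields (`sample_sha256`, `session_id`, `session_id_32`, `tenant_id`) a hexadecimal or numeric string is a single token either way, so the `text` subfield duplicates the keyword without adding searchability. Consider limiting the multi-field to genuinely free-text fields and, since JSON cannot carry a comment, recording the over-length behavior in the template's documentation. The outer `properties` objects in these hunks are cut at the hunk edges, so their parent keys are not visible here.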


@@ -10,23 +10,48 @@
"properties": {
"add_to_spaces": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"authentication_provider": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"authentication_realm": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"authentication_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"delete_from_spaces": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"log": {
"properties": {
@@ -35,37 +60,72 @@
},
"state": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"lookup_realm": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"saved_object": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"space_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -12,17 +12,32 @@
"properties": {
"path": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"level": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"logger": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"origin": {
"properties": {
@@ -33,20 +48,35 @@
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"function": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"original": {
"doc_values": false,
"index": false,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"syslog": {
"properties": {
@@ -57,7 +87,12 @@
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -71,7 +106,12 @@
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
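Review bot: The `original` field keeps `"index": false` and `"doc_values": false` on its keyword parent but now gains an indexed `text` multi-field, so the raw event body ends up tokenized and indexed after all, which defeats the evident intent of the `index: false` setting both for storage and for keeping raw payloads out of full-text search. If `original` is meant to stay unsearchable, drop the `fields` block for this one entry and leave it as `"original": { "doc_values": false, "index": false, "type": "keyword" }`; if full-text search over it is now desired, the `index: false` / `doc_values: false` pair is misleading and should go. This presumably is the ECS `event.original` field, but the enclosing `properties` object starts outside the hunk, so I cannot confirm the parent key.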


@@ -14,18 +14,33 @@
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
},
"type": "object"
},
"module": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"pipeline_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"thread": {
"fields": {
@@ -53,11 +68,21 @@
},
"module": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"plugin_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"plugin_params": {
"fields": {
@@ -74,7 +99,12 @@
},
"plugin_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"thread": {
"fields": {


@@ -12,72 +12,142 @@
"properties": {
"assignedTo": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"determination": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"evidence": {
"properties": {
"aadUserId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"accountName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"domainName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"entityType": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ipAddress": {
"type": "ip"
},
"userPrincipalName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"incidentId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"investigationId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"investigationState": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"lastUpdateTime": {
"type": "date"
},
"rbacGroupName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"resolvedTime": {
"type": "date"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"threatFamilyName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -87,26 +157,51 @@
"properties": {
"actorName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"assignedTo": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"creationTime": {
"type": "date"
},
"detectionSource": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"determination": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"devices": {
"type": "flattened"
@@ -115,145 +210,310 @@
"properties": {
"accountName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"clusterBy": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"deliveryAction": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"deviceId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"entityType": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ipAddress": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"mailboxAddress": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"mailboxDisplayName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"recipient": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"registryHive": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"registryKey": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"registryValueType": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"securityGroupId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"securityGroupName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sender": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"incidentId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"investigationId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"investigationState": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"lastUpdatedTime": {
"type": "date"
},
"mitreTechniques": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"resolvedTime": {
"type": "date"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"status": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"threatFamilyName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"userSid": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"assignedTo": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"determination": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"incidentId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"incidentName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"investigationState": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"redirectIncidentId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"status": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
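Review bot: The second `ipAddress` (in the nested `properties` block of the `@@ -115,145 +210,310 @@` hunk) is mapped as `keyword` with a `text` multi-field, while the `ipAddress` under `evidence` earlier in the same file is typed `ip`; if both carry addresses, the keyword one cannot be used in CIDR or range queries and the text analyzer will split IPv6 values on colons, so `"ipAddress": { "type": "ip" }` would be the consistent mapping. If that occurrence can legitimately hold non-address strings, keep `keyword`, but the `match_only_text` subfield adds nothing for an identifier-like value and could be dropped. The parent key of that nested `properties` object lies outside the hunk, so I cannot tell which entity it belongs to.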


@@ -16,15 +16,30 @@
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"kill_chain_phases": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -43,18 +58,33 @@
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"last_seen": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"objective": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -66,11 +96,21 @@
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -86,23 +126,48 @@
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"identity_class": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sectors": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -125,14 +190,24 @@
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"last_seen": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"primary_motivation": {
"norms": false,
@@ -156,19 +231,39 @@
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"kill_chain_phases": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -176,7 +271,12 @@
"properties": {
"authors": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"description": {
"norms": false,
@@ -184,15 +284,30 @@
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"object_refs": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"summary": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -203,7 +318,12 @@
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"last_observed": {
"type": "date"
@@ -213,7 +333,12 @@
},
"objects": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -225,15 +350,30 @@
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"object_refs": {
"norms": false,
@@ -260,15 +400,30 @@
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"personal_motivations": {
"norms": false,
@@ -300,19 +455,39 @@
"properties": {
"attack_pattern": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"attack_pattern_kql": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"campaign": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"confidence": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"description": {
"norms": false,
@@ -324,42 +499,87 @@
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"intrusion_set": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"kill_chain_phases": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"mitre_tactic": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"mitre_technique": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"negate": {
"type": "boolean"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"threat_actor": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"valid_from": {
"type": "date"
@@ -369,7 +589,12 @@
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -381,7 +606,12 @@
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"kill_chain_phases": {
"norms": false,
@@ -389,15 +619,30 @@
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"tool_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -409,11 +654,21 @@
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
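Review bot: The new `text` multi-fields use `match_only_text`, a field type Elasticsearch only accepts from 7.14 onward; nothing in this section pins the cluster version, so if any deployment still runs an older node the template load fails with an unknown-type mapper error and the previous template silently stays in effect — worth a version guard in whatever applies the templates. Separately, template changes only affect indices created afterwards: existing indices keep the keyword-only mapping, so a query on `<field>.text` returns no hits from older indices until a `PUT <index>/_mapping` adds the multi-field (Elasticsearch allows adding `fields` to an existing keyword without reindexing). If that backfill is intended, it should be part of the same upgrade step; if not, a short note in the template's description saying `.text` is only available on indices rolled after this version would save analysts confusion.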


@@ -34,26 +34,51 @@
},
"application_category_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"application_description": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"application_group_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"application_id": {
"type": "short"
},
"application_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"application_sub_category_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"bgp_destination_as_number": {
"type": "long"
@@ -84,7 +109,12 @@
},
"class_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"classification_engine_id": {
"type": "short"
@@ -151,7 +181,12 @@
},
"destination_mac_address": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"destination_transport_port": {
"type": "long"
@@ -182,14 +217,24 @@
},
"dot1q_customer_destination_mac_address": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"dot1q_customer_priority": {
"type": "short"
},
"dot1q_customer_source_mac_address": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"dot1q_customer_vlan_id": {
"type": "long"
@@ -253,7 +298,12 @@
},
"encrypted_technology": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"engine_id": {
"type": "short"
@@ -298,7 +348,12 @@
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"source_id": {
"type": "long"
@@ -466,34 +521,69 @@
},
"http_content_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"http_message_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"http_reason_phrase": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"http_request_host": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"http_request_method": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"http_request_target": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"http_status_code": {
"type": "long"
},
"http_user_agent": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"icmp_code_ipv4": {
"type": "short"
@@ -536,7 +626,12 @@
},
"information_element_description": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"information_element_id": {
"type": "long"
@@ -546,7 +641,12 @@
},
"information_element_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"information_element_range_begin": {
"type": "long"
@@ -589,11 +689,21 @@
},
"interface_description": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"interface_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"intermediate_process_id": {
"type": "long"
@@ -741,7 +851,12 @@
},
"metro_evc_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"metro_evc_type": {
"type": "short"
@@ -754,29 +869,54 @@
},
"mib_context_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"mib_index_indicator": {
"type": "long"
},
"mib_module_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"mib_object_description": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"mib_object_identifier": {
"type": "short"
},
"mib_object_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"mib_object_syntax": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"mib_object_value_bits": {
"type": "short"
@@ -834,11 +974,21 @@
},
"mobile_imsi": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"mobile_msisdn": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"monitoring_interval_end_milli_seconds": {
"type": "date"
@@ -929,7 +1079,12 @@
},
"nat_pool_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"nat_quota_exceeded_event": {
"type": "long"
@@ -963,7 +1118,12 @@
},
"observation_domain_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"observation_point_id": {
"type": "long"
@@ -1021,7 +1181,12 @@
},
"p2p_technology": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"packet_delta_count": {
"type": "long"
@@ -1052,7 +1217,12 @@
},
"post_destination_mac_address": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"post_dot1q_customer_vlan_id": {
"type": "long"
@@ -1128,7 +1298,12 @@
},
"post_source_mac_address": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"post_vlan_id": {
"type": "long"
@@ -1180,7 +1355,12 @@
},
"sampler_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sampler_random_interval": {
"type": "long"
@@ -1247,7 +1427,12 @@
},
"selector_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"session_scope": {
"type": "short"
@@ -1272,7 +1457,12 @@
},
"source_mac_address": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"source_transport_port": {
"type": "long"
@@ -1288,7 +1478,12 @@
},
"sta_mac_address": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"system_init_time_milliseconds": {
"type": "date"
@@ -1355,11 +1550,21 @@
},
"tunnel_technology": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"udp_destination_port": {
"type": "long"
@@ -1375,7 +1580,12 @@
},
"user_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"value_distribution_method": {
"type": "short"
@@ -1385,11 +1595,21 @@
},
"virtual_station_interface_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"virtual_station_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"virtual_station_uuid": {
"type": "short"
@@ -1402,18 +1622,33 @@
},
"vr_fname": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"wlan_channel_id": {
"type": "short"
},
"wlan_ssid": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"wtp_mac_address": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -10,25 +10,45 @@
"properties": {
"application": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"bytes": {
"type": "long"
},
"community_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"direction": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"forwarded_ip": {
"type": "ip"
},
"iana_number": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"inner": {
"properties": {
@@ -36,11 +56,21 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
@@ -49,32 +79,62 @@
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"packets": {
"type": "long"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"transport": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -12,71 +12,156 @@
"properties": {
"AADGroupId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ActorContextId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ActorIpAddress": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ActorUserId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ActorYammerUserId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"AlertEntityId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"AlertId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"AlertType": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"AppId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ApplicationDisplayName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ApplicationId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"AzureActiveDirectoryEventType": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"Category": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ClientAppId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ClientIP": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ClientIPAddress": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ClientInfoString": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"Comments": {
"norms": false,
@@ -84,46 +169,96 @@
},
"CommunicationType": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"CorrelationId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"CreationTime": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"CustomUniqueId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"Data": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"DataType": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"DoNotDistributeEvent": {
"type": "boolean"
},
"EntityType": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ErrorNumber": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"EventData": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"EventSource": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ExceptionInfo": {
"properties": {
@@ -148,38 +283,78 @@
},
"ExternalAccess": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"FromApp": {
"type": "boolean"
},
"GroupName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"Id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ImplicitShare": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"IncidentId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"InterSystemsId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"InternalLogonType": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"IntraSystemId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"IsDocLib": {
"type": "boolean"
@@ -201,67 +376,147 @@
},
"ItemName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ItemType": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ListBaseTemplateType": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ListBaseType": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ListColor": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ListIcon": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ListId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ListItemUniqueId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ListTitle": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"LogonError": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"LogonType": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"LogonUserSid": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"MailboxGuid": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"MailboxOwnerMasterAccountSid": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"MailboxOwnerSid": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"MailboxOwnerUPN": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"Members": {
"properties": {
@@ -283,27 +538,57 @@
},
"Name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ObjectId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"Operation": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"OrganizationId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"OrganizationName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"OriginatingServer": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"Parameters": {
"properties": {
@@ -314,27 +599,57 @@
},
"PolicyId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"RecordType": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ResultStatus": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"SensitiveInfoDetectionIsIncluded": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"SessionId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"Severity": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"SharePointMetaData": {
"properties": {
@@ -345,95 +660,210 @@
},
"Site": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"SiteUrl": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"Source": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"SourceFileExtension": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"SourceFileName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"SourceRelativeUrl": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"Status": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"SupportTicketId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"TargetContextId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"TargetUserOrGroupName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"TargetUserOrGroupType": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"TeamGuid": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"TeamName": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"TemplateTypeId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"UniqueSharingId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"UserAgent": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"UserId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"UserKey": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"UserType": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"Version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"WebId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"Workload": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"YammerNetworkId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
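Review bot: By the hunk headers this section adds about 430 lines, i.e. roughly 86 new mapped fields (one `.text` per keyword) to a single template, and nothing visible here raises `index.mapping.total_fields.limit`; if the full o365 template is already near the 1000-field default, index creation will be rejected with a field-limit error rather than degrading gracefully, so confirm the setting in the template body. Note also that `Data` and `EventData` are free-form audit payloads whose keyword value was capped by `ignore_above: 1024`, but the new `match_only_text` subfield indexes the full value regardless of length, so those two fields are where most of the added index volume will land; if full-text search on them is not needed, leaving them keyword-only would be the cheaper choice.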


@@ -14,15 +14,30 @@
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -30,17 +45,32 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
},
"type": "object"
@@ -49,52 +79,107 @@
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ingress": {
"properties": {
@@ -102,15 +187,30 @@
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -118,17 +218,32 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
},
"type": "object"
@@ -138,17 +253,32 @@
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"os": {
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"full": {
"fields": {
@@ -161,7 +291,12 @@
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"fields": {
@@ -174,37 +309,77 @@
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"product": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -12,19 +12,39 @@
"properties": {
"alternate_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"display_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -32,26 +52,51 @@
"properties": {
"authentication_provider": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"authentication_step": {
"type": "long"
},
"credential_provider": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"credential_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"external_session_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"interface": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -59,11 +104,21 @@
"properties": {
"device": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ip": {
"type": "ip"
@@ -72,21 +127,41 @@
"properties": {
"browser": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"os": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"raw_user_agent": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -96,33 +171,68 @@
"properties": {
"device_fingerprint": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"request_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"request_uri": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"suspicious_activity": {
"properties": {
"browser": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"event_city": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"event_country": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"event_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"event_ip": {
"type": "ip"
@@ -135,19 +245,39 @@
},
"event_state": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"event_transaction_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"os": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"timestamp": {
"type": "date"
@@ -156,11 +286,21 @@
},
"threat_suspected": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"url": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
@@ -168,21 +308,41 @@
},
"display_message": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"outcome": {
"properties": {
"reason": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"result": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -194,22 +354,42 @@
"properties": {
"city": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"geolocation": {
"type": "geo_point"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"state": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -218,11 +398,21 @@
},
"source": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
@@ -239,7 +429,12 @@
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
@@ -247,20 +442,35 @@
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"is_proxy": {
"type": "boolean"
},
"isp": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"target": {
"type": "flattened"
@@ -269,21 +479,41 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"uuid": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -10,47 +10,92 @@
"properties": {
"api_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"cluster": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"url": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"namespace": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"resource": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -10,7 +10,12 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"fields": {


@@ -10,53 +10,108 @@
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"build_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"checksum": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"description": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"install_scope": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"installed": {
"type": "date"
},
"license": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"path": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -10,7 +10,12 @@
"properties": {
"args": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"args_count": {
"type": "long"
@@ -19,26 +24,51 @@
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"status": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"timestamp": {
"type": "date"
@@ -63,15 +93,30 @@
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"creation_date": {
"type": "date"
@@ -83,34 +128,69 @@
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"class": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"data": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -127,22 +207,42 @@
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"virtual_address": {
"type": "long"
@@ -157,22 +257,42 @@
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
},
"type": "nested"
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -181,7 +301,12 @@
},
"entity_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"executable": {
"fields": {
@@ -199,23 +324,48 @@
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
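Review bot: The `match_only_text` sub-field added under `hash.md5`, `hash.sha1`, `hash.sha256`, `hash.sha512` and `hash.ssdeep` in this hunk adds indexing work and disk per document without a query benefit, since hash values are opaque single tokens that are only ever matched exactly against the keyword; the same hash hunk recurs in the second process block below (`@@ -421,23 +696,48 @@`). Note also that `"ignore_above": 1024` constrains only the keyword field, not the new `text` sub-field, so a value the keyword silently drops as too long is still analyzed and indexed under `.text`. If the blanket sub-field exists so Kibana free-text search covers every keyword, consider omitting it for hash-like and identifier fields rather than applying it uniformly. As this is a mapping change in a component template, existing indices presumably keep their current mapping until rollover, so the upgrade path that reapplies templates is worth confirming.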
@@ -232,7 +382,12 @@
"properties": {
"args": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"args_count": {
"type": "long"
@@ -241,26 +396,51 @@
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"status": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"timestamp": {
"type": "date"
@@ -285,15 +465,30 @@
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"creation_date": {
"type": "date"
@@ -305,34 +500,69 @@
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"class": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"data": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -349,22 +579,42 @@
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"virtual_address": {
"type": "long"
@@ -379,22 +629,42 @@
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
},
"type": "nested"
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -403,7 +673,12 @@
},
"entity_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"executable": {
"fields": {
@@ -421,23 +696,48 @@
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -454,31 +754,66 @@
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"company": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"description": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"product": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -501,7 +836,12 @@
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -532,31 +872,66 @@
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"company": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"description": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"product": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -579,7 +954,12 @@
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},


@@ -12,7 +12,12 @@
"properties": {
"role": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -20,11 +25,21 @@
"properties": {
"args": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"cmd": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"duration": {
"properties": {
@@ -38,7 +53,12 @@
},
"key": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -12,32 +12,62 @@
"properties": {
"bytes": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"strings": {
"type": "wildcard"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"hive": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"key": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"path": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"value": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -10,18 +10,33 @@
"properties": {
"hash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"hosts": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ip": {
"type": "ip"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -10,43 +10,93 @@
"properties": {
"author": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"category": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"description": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"license": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ruleset": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"uuid": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -10,7 +10,12 @@
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"as": {
"properties": {
@@ -37,52 +42,107 @@
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -91,7 +151,12 @@
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"nat": {
"properties": {
@@ -111,25 +176,50 @@
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"email": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"full_name": {
"fields": {
@@ -144,25 +234,50 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"fields": {
@@ -175,7 +290,12 @@
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -10,43 +10,88 @@
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"environment": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"node": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"state": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -15,11 +15,21 @@
},
"org_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"project_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -30,7 +40,12 @@
"properties": {
"projects": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -38,32 +53,62 @@
"properties": {
"credit": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"cvss3": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"disclosure_time": {
"type": "date"
},
"exploit_maturity": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"identifiers": {
"properties": {
"alternative": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"cwe": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -90,22 +135,42 @@
},
"jira_issue_url": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"language": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"original_severity": {
"type": "long"
},
"package": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"package_manager": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"patches": {
"type": "flattened"
@@ -118,26 +183,51 @@
},
"reachability": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"semver": {
"type": "flattened"
},
"title": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"unique_severities_list": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
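Review bot: Every `fields.text` sub-field added in this section uses `match_only_text`, a field type that exists only on Elasticsearch 7.14 and later, and nothing in the template records that minimum; a node that does not know the type will presumably reject the whole component template rather than just the sub-field. The `"ignore_above": 1024` on each parent keyword does not carry over to the new sub-field, so values the keyword silently drops are still analyzed and stored under `.text`, which roughly doubles the indexed footprint of fields such as `jira_issue_url` and `credit`. JSON cannot hold a comment, so the rationale (why every keyword now carries an analyzed twin, and the cluster version it requires) belongs in the commit description or an adjacent README. The same pattern repeats unchanged in every following section down to the vulnerability mapping, so one decision on it covers them all.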



@@ -10,7 +10,12 @@
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"as": {
"properties": {
@@ -37,52 +42,107 @@
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -91,7 +151,12 @@
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"nat": {
"properties": {
@@ -111,25 +176,50 @@
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"email": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"full_name": {
"fields": {
@@ -144,25 +234,50 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"fields": {
@@ -175,7 +290,12 @@
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -14,118 +14,243 @@
"properties": {
"affected_product": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"attack_target": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"capec_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"category": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"classtype": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"created_at": {
"type": "date"
},
"cve": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"cvss_v2_base": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"cvss_v2_temporal": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"cvss_v3_base": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"cvss_v3_temporal": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"cwe_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"deployment": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"former_category": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"gid": {
"type": "long"
},
"hostile": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"infected": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"malware": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"metadata": {
"type": "flattened"
},
"mitre_tool_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"performance_impact": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"priority": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"protocols": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"rev": {
"type": "long"
},
"rule_source": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sid": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"signature": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"signature_id": {
"type": "long"
},
"signature_severity": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"tag": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"updated_at": {
"type": "date"
@@ -134,19 +259,39 @@
},
"app_proto_expected": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"app_proto_orig": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"app_proto_tc": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"app_proto_ts": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"dns": {
"properties": {
@@ -155,19 +300,39 @@
},
"rcode": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"rdata": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"rrname": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"rrtype": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ttl": {
"type": "long"
@@ -177,7 +342,12 @@
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -185,13 +355,23 @@
"properties": {
"status": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"fileinfo": {
"properties": {
@@ -200,19 +380,39 @@
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"state": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"stored": {
"type": "boolean"
@@ -232,31 +432,61 @@
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"state": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"flow_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"http": {
"properties": {
"http_content_type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"redirect": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -268,7 +498,12 @@
},
"in_iface": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"pcap_cnt": {
"type": "long"
@@ -277,15 +512,30 @@
"properties": {
"helo": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"mail_from": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"rcpt_to": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -295,11 +545,21 @@
"properties": {
"proto_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"software_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -307,11 +567,21 @@
"properties": {
"proto_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"software_version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
@@ -757,22 +1027,42 @@
},
"state": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"syn": {
"type": "boolean"
},
"tcp_flags": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"tcp_flags_tc": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"tcp_flags_ts": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -780,21 +1070,41 @@
"properties": {
"fingerprint": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"issuerdn": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ja3": {
"properties": {
"hash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"string": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -802,11 +1112,21 @@
"properties": {
"hash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"string": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -818,22 +1138,42 @@
},
"serial": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"session_resumed": {
"type": "boolean"
},
"sni": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},


@@ -13,14 +13,24 @@
},
"facility_label": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"priority": {
"type": "long"
},
"severity_label": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}



@@ -10,41 +10,81 @@
"properties": {
"cipher": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"client": {
"properties": {
"certificate": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"certificate_chain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"issuer": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ja3": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"not_after": {
"type": "date"
@@ -54,51 +94,106 @@
},
"server_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"supported_ciphers": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"x509": {
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -110,11 +205,21 @@
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"public_key_exponent": {
"doc_values": false,
@@ -126,47 +231,97 @@
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
@@ -174,14 +329,24 @@
},
"curve": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"established": {
"type": "boolean"
},
"next_protocol": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"resumed": {
"type": "boolean"
@@ -190,35 +355,70 @@
"properties": {
"certificate": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"certificate_chain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"issuer": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"ja3s": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"not_after": {
"type": "date"
@@ -228,43 +428,88 @@
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"x509": {
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -276,11 +521,21 @@
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"public_key_exponent": {
"doc_values": false,
@@ -292,47 +547,97 @@
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"country": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
@@ -340,11 +645,21 @@
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version_protocol": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -10,7 +10,12 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -18,7 +23,12 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -26,7 +36,12 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -10,15 +10,30 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"extension": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"fragment": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"full": {
"fields": {
@@ -38,7 +53,12 @@
},
"password": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"path": {
"type": "wildcard"
@@ -48,27 +68,57 @@
},
"query": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"scheme": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"username": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
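Review bot: The `password` object in this section gains an analyzed `.text` sub-field like every other keyword, but this field holds credential material lifted from URLs, and a tokenized copy makes that material discoverable through free-text queries and wildcard visualizations that were never meant to surface it. Unless there is a known need to search passwords by token, keep it at `"type": "keyword"` with `ignore_above` only, or consider `"index": false` if it only needs to be retrievable per document. The `query` field just below has a similar profile, since query strings routinely embed tokens and session identifiers.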


@@ -12,11 +12,21 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"email": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"full_name": {
"fields": {
@@ -31,25 +41,50 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"fields": {
@@ -62,23 +97,43 @@
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"effective": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"email": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"full_name": {
"fields": {
@@ -93,25 +148,50 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"fields": {
@@ -124,13 +204,23 @@
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"email": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"full_name": {
"fields": {
@@ -145,25 +235,50 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"fields": {
@@ -176,17 +291,32 @@
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"target": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"email": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"full_name": {
"fields": {
@@ -201,25 +331,50 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"fields": {
@@ -232,7 +387,12 @@
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -12,13 +12,23 @@
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"original": {
"fields": {
@@ -33,7 +43,12 @@
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"full": {
"fields": {
@@ -46,7 +61,12 @@
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"name": {
"fields": {
@@ -59,21 +79,41 @@
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}


@@ -10,11 +10,21 @@
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"description": {
"fields": {
@@ -27,25 +37,50 @@
},
"enumeration": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"report_id": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"scanner": {
"properties": {
"vendor": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -62,13 +97,23 @@
},
"version": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}




@@ -1,56 +1,55 @@
{
"template": {
"mappings": {
"dynamic_templates": [
{
"ip_address": {
"path_match": "*.ip",
"mapping": {
"type": "ip",
"fields": {
"keyword": {
"ignore_above": 45,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
},
{
"port": {
"path_match": "*.port",
"path_unmatch": "*.data.port",
"mapping": {
"type": "integer",
"fields": {
"keyword": {
"ignore_above": 6,
"type": "keyword"
}
}
}
}
},
{
"strings": {
"mapping": {
"type": "text",
"fields": {
"security": {
"analyzer": "es_security_analyzer",
"type": "text"
},
"keyword": {
"ignore_above": 32765,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
"template": {
"mappings": {
"dynamic_templates": [
{
"ip_address": {
"path_match": "*.ip",
"mapping": {
"type": "ip",
"fields": {
"keyword": {
"ignore_above": 45,
"type": "keyword"
}
}
]
},
"match_mapping_type": "string"
}
},
{
"port": {
"path_match": "*.port",
"path_unmatch": "*.data.port",
"mapping": {
"type": "integer",
"fields": {
"keyword": {
"ignore_above": 6,
"type": "keyword"
}
}
}
}
},
{
"strings": {
"mapping": {
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"ignore_above": 32765,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
}
]
}
}
}
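Review bot: The rewritten `strings` dynamic template keeps the parent mapping as `"type": "text"` while also adding a `text` sub-field of type `match_only_text` under it, so every dynamically mapped string is now indexed as full text twice plus once as `keyword`; the other templates in this commit only add the `match_only_text` copy under a `keyword` parent, which is the cheaper shape. If positional or scored queries on the parent are not required, changing the parent to `"type": "match_only_text"` and dropping the redundant sub-field would remove the duplicate indexing. The old side's `security` sub-field with `"analyzer": "es_security_analyzer"` does not survive on the new side; any saved search, dashboard or detection query that addresses `*.security`, and the analyzer definition in the index settings (not visible in this hunk), should be checked so neither is left dangling after the template change.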


@@ -12,6 +12,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
@@ -21,6 +24,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
@@ -30,6 +36,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
@@ -39,6 +48,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
@@ -48,6 +60,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}


@@ -9,6 +9,9 @@
"message": {
"type": "match_only_text",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
@@ -18,6 +21,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
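Review bot: `message` is already mapped as `match_only_text` and the first hunk adds a `text` sub-field of the same type beneath it, which indexes identical content a second time without enabling any query the parent cannot already serve. Unless some consumer specifically addresses `message.text`, the three added lines `"text": {`, `"type": "match_only_text"`, `},` can be dropped for this field; the second hunk, where the parent is a `keyword`, is the intended shape and needs no change.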


@@ -14,7 +14,10 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
}


@@ -12,6 +12,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}


@@ -12,6 +12,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
@@ -20,6 +23,9 @@
"created": {
"type": "date",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
@@ -29,14 +35,20 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
"type": "keyword"
}
}
},
"ingested": {
"type": "date",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
@@ -45,7 +57,10 @@
"module": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
@@ -55,6 +70,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
@@ -64,6 +82,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
@@ -73,6 +94,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}


@@ -12,6 +12,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
@@ -21,6 +24,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}


@@ -12,15 +12,21 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
}
},
"mac": {
"mac": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}


@@ -14,6 +14,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
@@ -23,6 +26,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}


@@ -12,6 +12,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
@@ -20,11 +23,14 @@
"transport": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
}
}
}
}


@@ -11,7 +11,10 @@
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}


@@ -20,7 +20,7 @@
"type": "wildcard"
}
}
}
}
}
}
}


@@ -11,16 +11,22 @@
"category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}


@@ -12,6 +12,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
@@ -21,6 +24,9 @@
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}


@@ -14,8 +14,8 @@
"type": "match_only_text"
},
"keyword": {
"type": "keyword"
}
"type": "keyword"
}
},
"ignore_above": 1024,
"type": "keyword"


@@ -37,7 +37,7 @@
{% import_yaml 'firewall/assigned_hostgroups.map.yaml' as default_assigned_hostgroups %}
{% import_yaml 'firewall/assigned_hostgroups.local.map.yaml' as local_assigned_hostgroups %}
{% if local_assigned_hostgroups.role[role] %}
{% if local_assigned_hostgroups.role.get(role, False) %}
{% set assigned_hostgroups = salt['defaults.merge'](local_assigned_hostgroups.role[role], default_assigned_hostgroups.role[role], merge_lists=False, in_place=False) %}
{% else %}
{% set assigned_hostgroups = default_assigned_hostgroups.role[role] %}
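Review bot: The new `.get(role, False)` guard only protects the local map; `default_assigned_hostgroups.role[role]` is still indexed directly on both branches, so a role absent from `firewall/assigned_hostgroups.map.yaml` still raises at render time and takes the whole firewall state down with it. If failing closed on an unknown role is the intent, a one-line comment such as `{# unknown roles must fail here: no default hostgroups means no firewall rules #}` would keep the next reader from loosening it; otherwise the else branch could read `{% set assigned_hostgroups = default_assigned_hostgroups.role.get(role, {}) %}` with the merge call using the same expression. Note also that a role present in the local map with an empty value is now treated as "no override" because of the truthiness test, which looks intended but is worth stating in the same comment. The enclosing template continues outside the hunk.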


@@ -4,9 +4,8 @@ include:
- idh.openssh
{% if grains.os_family == 'RedHat' %}
sshd_selinux:
idh_sshd_selinux:
selinux.port_policy_present:
- name: tcp/{{ openssh_map.config.port }}
- port: {{ openssh_map.config.port }}
- protocol: tcp
- sel_type: ssh_port_t


@@ -1837,6 +1837,15 @@ manager_global() {
" warm: 7"\
" close: 30"\
" delete: 365"\
" so-endgame:"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" number_of_shards: 1"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" so-firewall:"\
" index_template:"\
" template:"\