Add additional component templates and index template references

Wes Lambert
2022-02-08 03:03:55 +00:00
parent b41c5439c6
commit 5090854d4d
36 changed files with 9903 additions and 0 deletions


@@ -0,0 +1,570 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"aws": {
"properties": {
"cloudtrail": {
"properties": {
"additional_eventdata": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"api_version": {
"ignore_above": 1024,
"type": "keyword"
},
"console_login": {
"properties": {
"additional_eventdata": {
"properties": {
"login_to": {
"ignore_above": 1024,
"type": "keyword"
},
"mfa_used": {
"type": "boolean"
},
"mobile_version": {
"type": "boolean"
}
}
}
}
},
"digest": {
"properties": {
"end_time": {
"type": "date"
},
"log_files": {
"type": "nested"
},
"newest_event_time": {
"type": "date"
},
"oldest_event_time": {
"type": "date"
},
"previous_hash_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"previous_s3_bucket": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_fingerprint": {
"ignore_above": 1024,
"type": "keyword"
},
"s3_bucket": {
"ignore_above": 1024,
"type": "keyword"
},
"s3_object": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"start_time": {
"type": "date"
}
}
},
"error_code": {
"ignore_above": 1024,
"type": "keyword"
},
"error_message": {
"ignore_above": 1024,
"type": "keyword"
},
"event_category": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"event_version": {
"ignore_above": 1024,
"type": "keyword"
},
"flattened": {
"properties": {
"additional_eventdata": {
"type": "flattened"
},
"request_parameters": {
"type": "flattened"
},
"response_elements": {
"type": "flattened"
},
"service_event_details": {
"type": "flattened"
}
}
},
"insight_details": {
"type": "flattened"
},
"management_event": {
"ignore_above": 1024,
"type": "keyword"
},
"read_only": {
"ignore_above": 1024,
"type": "keyword"
},
"recipient_account_id": {
"ignore_above": 1024,
"type": "keyword"
},
"request_id": {
"ignore_above": 1024,
"type": "keyword"
},
"request_parameters": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"resources": {
"properties": {
"account_id": {
"ignore_above": 1024,
"type": "keyword"
},
"arn": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"response_elements": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"service_event_details": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"shared_event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"user_identity": {
"properties": {
"access_key_id": {
"ignore_above": 1024,
"type": "keyword"
},
"arn": {
"ignore_above": 1024,
"type": "keyword"
},
"invoked_by": {
"ignore_above": 1024,
"type": "keyword"
},
"session_context": {
"properties": {
"creation_date": {
"type": "date"
},
"mfa_authenticated": {
"ignore_above": 1024,
"type": "keyword"
},
"session_issuer": {
"properties": {
"account_id": {
"ignore_above": 1024,
"type": "keyword"
},
"arn": {
"ignore_above": 1024,
"type": "keyword"
},
"principal_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vpc_endpoint_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"cloudwatch": {
"properties": {
"message": {
"norms": false,
"type": "text"
}
}
},
"ec2": {
"properties": {
"ip_address": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"elb": {
"properties": {
"action_executed": {
"ignore_above": 1024,
"type": "keyword"
},
"backend": {
"properties": {
"http": {
"properties": {
"response": {
"properties": {
"status_code": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"ip": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"backend_processing_time": {
"properties": {
"sec": {
"type": "float"
}
}
},
"chosen_cert": {
"properties": {
"arn": {
"ignore_above": 1024,
"type": "keyword"
},
"serial": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"classification_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_time": {
"properties": {
"ms": {
"type": "long"
}
}
},
"error": {
"properties": {
"reason": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"incoming_tls_alert": {
"ignore_above": 1024,
"type": "keyword"
},
"listener": {
"ignore_above": 1024,
"type": "keyword"
},
"matched_rule_priority": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"redirect_url": {
"ignore_above": 1024,
"type": "keyword"
},
"request_processing_time": {
"properties": {
"sec": {
"type": "float"
}
}
},
"response_processing_time": {
"properties": {
"sec": {
"type": "float"
}
}
},
"ssl_cipher": {
"ignore_above": 1024,
"type": "keyword"
},
"ssl_protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"target_group": {
"properties": {
"arn": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"target_port": {
"ignore_above": 1024,
"type": "keyword"
},
"target_status_code": {
"ignore_above": 1024,
"type": "keyword"
},
"tls_handshake_time": {
"properties": {
"ms": {
"type": "long"
}
}
},
"tls_named_group": {
"ignore_above": 1024,
"type": "keyword"
},
"trace_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"s3access": {
"properties": {
"authentication_type": {
"ignore_above": 1024,
"type": "keyword"
},
"bucket": {
"ignore_above": 1024,
"type": "keyword"
},
"bucket_owner": {
"ignore_above": 1024,
"type": "keyword"
},
"bytes_sent": {
"type": "long"
},
"cipher_suite": {
"ignore_above": 1024,
"type": "keyword"
},
"error_code": {
"ignore_above": 1024,
"type": "keyword"
},
"host_header": {
"ignore_above": 1024,
"type": "keyword"
},
"host_id": {
"ignore_above": 1024,
"type": "keyword"
},
"http_status": {
"type": "long"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
},
"object_size": {
"type": "long"
},
"operation": {
"ignore_above": 1024,
"type": "keyword"
},
"referrer": {
"ignore_above": 1024,
"type": "keyword"
},
"remote_ip": {
"type": "ip"
},
"request_id": {
"ignore_above": 1024,
"type": "keyword"
},
"request_uri": {
"ignore_above": 1024,
"type": "keyword"
},
"requester": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_version": {
"ignore_above": 1024,
"type": "keyword"
},
"tls_version": {
"ignore_above": 1024,
"type": "keyword"
},
"total_time": {
"type": "long"
},
"turn_around_time": {
"type": "long"
},
"user_agent": {
"ignore_above": 1024,
"type": "keyword"
},
"version_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vpcflow": {
"properties": {
"account_id": {
"ignore_above": 1024,
"type": "keyword"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"instance_id": {
"ignore_above": 1024,
"type": "keyword"
},
"interface_id": {
"ignore_above": 1024,
"type": "keyword"
},
"log_status": {
"ignore_above": 1024,
"type": "keyword"
},
"pkt_dstaddr": {
"type": "ip"
},
"pkt_srcaddr": {
"type": "ip"
},
"subnet_id": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp_flags": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp_flags_array": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"vpc_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
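Review bot: The two MFA indicators in this mapping have different types — `console_login.additional_eventdata.mfa_used` is `"type": "boolean"` while `user_identity.session_context.mfa_authenticated` is `"type": "keyword"` — so a detection rule has to test one as a boolean and the other as the string `"true"`, and a rule written for one silently matches nothing on the other unless the ingest pipeline normalizes it. Likewise `request_parameters`, `response_elements` and `service_event_details` are `keyword` with `"ignore_above": 1024`, which means CloudTrail API parameters longer than 1 KiB are indexed only in the `.text` subfield and exact-match queries on them miss; that limit is worth stating in `_meta` so analysts do not assume keyword search is complete. The `_meta.documentation` value points at the ECS base page although the fields are AWS module fields, and the same link is reused in the azure and cef sections; a reference to the module's own field list, e.g. `"documentation": "<upstream aws module fields URL — placeholder>"`, would be accurate. I would also add `"note": "mfa_used is boolean, session_context.mfa_authenticated is keyword (\"true\"/\"false\"); query accordingly"` under `_meta`.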


@@ -0,0 +1,604 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"azure": {
"properties": {
"activitylogs": {
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"event_category": {
"ignore_above": 1024,
"type": "keyword"
},
"identity": {
"properties": {
"authorization": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"evidence": {
"properties": {
"principal_id": {
"ignore_above": 1024,
"type": "keyword"
},
"principal_type": {
"ignore_above": 1024,
"type": "keyword"
},
"role": {
"ignore_above": 1024,
"type": "keyword"
},
"role_assignment_id": {
"ignore_above": 1024,
"type": "keyword"
},
"role_assignment_scope": {
"ignore_above": 1024,
"type": "keyword"
},
"role_definition_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"scope": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"claims": {
"properties": {
"*": {
"type": "object"
}
}
},
"claims_initiated_by_user": {
"properties": {
"fullname": {
"ignore_above": 1024,
"type": "keyword"
},
"givenname": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"schema": {
"ignore_above": 1024,
"type": "keyword"
},
"surname": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"operation_name": {
"ignore_above": 1024,
"type": "keyword"
},
"properties": {
"type": "flattened"
},
"result_signature": {
"ignore_above": 1024,
"type": "keyword"
},
"result_type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"auditlogs": {
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"identity": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_name": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_version": {
"ignore_above": 1024,
"type": "keyword"
},
"properties": {
"properties": {
"activity_datetime": {
"type": "date"
},
"activity_display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"correlation_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"initiated_by": {
"properties": {
"app": {
"properties": {
"appId": {
"ignore_above": 1024,
"type": "keyword"
},
"displayName": {
"ignore_above": 1024,
"type": "keyword"
},
"servicePrincipalId": {
"ignore_above": 1024,
"type": "keyword"
},
"servicePrincipalName": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user": {
"properties": {
"displayName": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ipAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"userPrincipalName": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"logged_by_service": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_type": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
},
"result_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"target_resources": {
"properties": {
"*": {
"properties": {
"display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ip_address": {
"ignore_above": 1024,
"type": "keyword"
},
"modified_properties": {
"properties": {
"*": {
"properties": {
"display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"new_value": {
"ignore_above": 1024,
"type": "keyword"
},
"old_value": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"user_principal_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"result_signature": {
"ignore_above": 1024,
"type": "keyword"
},
"tenant_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"consumer_group": {
"ignore_above": 1024,
"type": "keyword"
},
"correlation_id": {
"ignore_above": 1024,
"type": "keyword"
},
"enqueued_time": {
"type": "date"
},
"eventhub": {
"ignore_above": 1024,
"type": "keyword"
},
"offset": {
"type": "long"
},
"partition_id": {
"type": "long"
},
"platformlogs": {
"properties": {
"ActivityId": {
"ignore_above": 1024,
"type": "keyword"
},
"Caller": {
"ignore_above": 1024,
"type": "keyword"
},
"Cloud": {
"ignore_above": 1024,
"type": "keyword"
},
"Environment": {
"ignore_above": 1024,
"type": "keyword"
},
"EventTimeString": {
"ignore_above": 1024,
"type": "keyword"
},
"ScaleUnit": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"ccpNamespace": {
"ignore_above": 1024,
"type": "keyword"
},
"event_category": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_name": {
"ignore_above": 1024,
"type": "keyword"
},
"properties": {
"type": "flattened"
},
"result_signature": {
"ignore_above": 1024,
"type": "keyword"
},
"result_type": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"resource": {
"properties": {
"authorization_rule": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"namespace": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sequence_number": {
"type": "long"
},
"signinlogs": {
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"identity": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_name": {
"ignore_above": 1024,
"type": "keyword"
},
"operation_version": {
"ignore_above": 1024,
"type": "keyword"
},
"properties": {
"properties": {
"app_display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"app_id": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_processing_details": {
"type": "flattened"
},
"authentication_requirement": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_requirement_policies": {
"ignore_above": 1024,
"type": "keyword"
},
"autonomous_system_number": {
"type": "long"
},
"client_app_used": {
"ignore_above": 1024,
"type": "keyword"
},
"conditional_access_status": {
"ignore_above": 1024,
"type": "keyword"
},
"correlation_id": {
"ignore_above": 1024,
"type": "keyword"
},
"created_at": {
"type": "date"
},
"cross_tenant_access_type": {
"ignore_above": 1024,
"type": "keyword"
},
"device_detail": {
"properties": {
"browser": {
"ignore_above": 1024,
"type": "keyword"
},
"device_id": {
"ignore_above": 1024,
"type": "keyword"
},
"display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"operating_system": {
"ignore_above": 1024,
"type": "keyword"
},
"trust_type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"flagged_for_review": {
"type": "boolean"
},
"home_tenant_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"is_interactive": {
"type": "boolean"
},
"is_tenant_restricted": {
"type": "boolean"
},
"original_request_id": {
"ignore_above": 1024,
"type": "keyword"
},
"processing_time_ms": {
"type": "float"
},
"resource_display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"resource_id": {
"ignore_above": 1024,
"type": "keyword"
},
"resource_tenant_id": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_detail": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_event_types": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_event_types_v2": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_level_aggregated": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_level_during_signin": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_state": {
"ignore_above": 1024,
"type": "keyword"
},
"service_principal_id": {
"ignore_above": 1024,
"type": "keyword"
},
"service_principal_name": {
"ignore_above": 1024,
"type": "keyword"
},
"sso_extension_version": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"properties": {
"error_code": {
"type": "long"
}
}
},
"token_issuer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"token_issuer_type": {
"ignore_above": 1024,
"type": "keyword"
},
"user_display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"user_id": {
"ignore_above": 1024,
"type": "keyword"
},
"user_principal_name": {
"ignore_above": 1024,
"type": "keyword"
},
"user_type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"result_description": {
"ignore_above": 1024,
"type": "keyword"
},
"result_signature": {
"ignore_above": 1024,
"type": "keyword"
},
"result_type": {
"ignore_above": 1024,
"type": "keyword"
},
"tenant_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"subscription_id": {
"ignore_above": 1024,
"type": "keyword"
},
"tenant_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
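Review bot: The literal property name `"*"` under `activitylogs.identity.claims`, `auditlogs.properties.target_resources` and `target_resources...modified_properties` looks like Beats `fields.yml` wildcard notation carried over verbatim; in an Elasticsearch mapping a property is a concrete field name, so this presumably maps a field literally called `*` rather than "any key", and arbitrary-key objects are normally expressed with `"type": "flattened"` (as this same file does for `activitylogs.properties`) or a `dynamic_templates` entry. Please confirm against the target Elasticsearch version that the template installs and that the claims keys are actually searchable as intended. Key naming also mixes conventions within one document — `initiated_by.app.appId`/`servicePrincipalName` and `platformlogs.ActivityId`/`ccpNamespace` alongside `app_display_name`/`correlation_id` — which is fine if it mirrors the source log shape, but a one-line `_meta` comment saying so would stop the next maintainer from "fixing" them and breaking the ingest pipeline. Suggested addition under `_meta`: `"note": "property names follow the upstream module field names; mixed camelCase/snake_case is intentional"`.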


@@ -0,0 +1,772 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"cef": {
"properties": {
"device": {
"properties": {
"event_class_id": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"extensions": {
"properties": {
"Reason": {
"ignore_above": 1024,
"type": "keyword"
},
"agentAddress": {
"type": "ip"
},
"agentDnsDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"agentHostName": {
"ignore_above": 1024,
"type": "keyword"
},
"agentId": {
"ignore_above": 1024,
"type": "keyword"
},
"agentMacAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"agentNtDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"agentReceiptTime": {
"type": "date"
},
"agentTimeZone": {
"ignore_above": 1024,
"type": "keyword"
},
"agentTranslatedAddress": {
"type": "ip"
},
"agentTranslatedZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"agentTranslatedZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"agentType": {
"ignore_above": 1024,
"type": "keyword"
},
"agentVersion": {
"ignore_above": 1024,
"type": "keyword"
},
"agentZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"agentZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"applicationProtocol": {
"ignore_above": 1024,
"type": "keyword"
},
"baseEventCount": {
"type": "long"
},
"bytesIn": {
"type": "long"
},
"bytesOut": {
"type": "long"
},
"categoryBehavior": {
"ignore_above": 1024,
"type": "keyword"
},
"categoryDeviceGroup": {
"ignore_above": 1024,
"type": "keyword"
},
"categoryDeviceType": {
"ignore_above": 1024,
"type": "keyword"
},
"categoryObject": {
"ignore_above": 1024,
"type": "keyword"
},
"categoryOutcome": {
"ignore_above": 1024,
"type": "keyword"
},
"categorySignificance": {
"ignore_above": 1024,
"type": "keyword"
},
"categoryTechnique": {
"ignore_above": 1024,
"type": "keyword"
},
"cp_app_risk": {
"ignore_above": 1024,
"type": "keyword"
},
"cp_severity": {
"ignore_above": 1024,
"type": "keyword"
},
"customerExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"customerURI": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationAddress": {
"type": "ip"
},
"destinationDnsDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationGeoLatitude": {
"type": "double"
},
"destinationGeoLongitude": {
"type": "double"
},
"destinationHostName": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationMacAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationNtDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationPort": {
"type": "long"
},
"destinationProcessId": {
"type": "long"
},
"destinationProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationServiceName": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationTranslatedAddress": {
"type": "ip"
},
"destinationTranslatedPort": {
"type": "long"
},
"destinationTranslatedZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationTranslatedZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationUserId": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationUserPrivileges": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"destinationZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceAction": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceAddress": {
"type": "ip"
},
"deviceCustomDate1": {
"type": "date"
},
"deviceCustomDate1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomDate2": {
"type": "date"
},
"deviceCustomDate2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomFloatingPoint1": {
"type": "double"
},
"deviceCustomFloatingPoint1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomFloatingPoint2": {
"type": "double"
},
"deviceCustomFloatingPoint2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomFloatingPoint3": {
"type": "double"
},
"deviceCustomFloatingPoint3Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomFloatingPoint4": {
"type": "double"
},
"deviceCustomFloatingPoint4Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomIPv6Address1": {
"type": "ip"
},
"deviceCustomIPv6Address1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomIPv6Address2": {
"type": "ip"
},
"deviceCustomIPv6Address2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomIPv6Address3": {
"type": "ip"
},
"deviceCustomIPv6Address3Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomIPv6Address4": {
"type": "ip"
},
"deviceCustomIPv6Address4Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomNumber1": {
"type": "long"
},
"deviceCustomNumber1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomNumber2": {
"type": "long"
},
"deviceCustomNumber2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomNumber3": {
"type": "long"
},
"deviceCustomNumber3Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString1": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString2": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString3": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString3Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString4": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString4Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString5": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString5Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString6": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceCustomString6Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceDirection": {
"type": "long"
},
"deviceDnsDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceEventCategory": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceExternalId": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceFacility": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceFlexNumber1": {
"type": "long"
},
"deviceFlexNumber1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceFlexNumber2": {
"type": "long"
},
"deviceFlexNumber2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceHostName": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceInboundInterface": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceMacAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceNtDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceOutboundInterface": {
"ignore_above": 1024,
"type": "keyword"
},
"devicePayloadId": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceProcessId": {
"type": "long"
},
"deviceProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceReceiptTime": {
"type": "date"
},
"deviceTimeZone": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceTranslatedAddress": {
"type": "ip"
},
"deviceTranslatedZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceTranslatedZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"endTime": {
"type": "date"
},
"eventId": {
"type": "long"
},
"eventOutcome": {
"ignore_above": 1024,
"type": "keyword"
},
"externalId": {
"ignore_above": 1024,
"type": "keyword"
},
"fileCreateTime": {
"type": "date"
},
"fileHash": {
"ignore_above": 1024,
"type": "keyword"
},
"fileId": {
"ignore_above": 1024,
"type": "keyword"
},
"fileModificationTime": {
"type": "date"
},
"filePath": {
"ignore_above": 1024,
"type": "keyword"
},
"filePermission": {
"ignore_above": 1024,
"type": "keyword"
},
"fileSize": {
"type": "long"
},
"fileType": {
"ignore_above": 1024,
"type": "keyword"
},
"filename": {
"ignore_above": 1024,
"type": "keyword"
},
"flexDate1": {
"type": "date"
},
"flexDate1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"flexString1": {
"ignore_above": 1024,
"type": "keyword"
},
"flexString1Label": {
"ignore_above": 1024,
"type": "keyword"
},
"flexString2": {
"ignore_above": 1024,
"type": "keyword"
},
"flexString2Label": {
"ignore_above": 1024,
"type": "keyword"
},
"ifname": {
"ignore_above": 1024,
"type": "keyword"
},
"inzone": {
"ignore_above": 1024,
"type": "keyword"
},
"layer_name": {
"ignore_above": 1024,
"type": "keyword"
},
"layer_uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"logid": {
"ignore_above": 1024,
"type": "keyword"
},
"loguid": {
"ignore_above": 1024,
"type": "keyword"
},
"managerReceiptTime": {
"type": "date"
},
"match_id": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"nat_addtnl_rulenum": {
"ignore_above": 1024,
"type": "keyword"
},
"nat_rulenum": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFileCreateTime": {
"type": "date"
},
"oldFileHash": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFileId": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFileModificationTime": {
"type": "date"
},
"oldFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFilePath": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFilePermission": {
"ignore_above": 1024,
"type": "keyword"
},
"oldFileSize": {
"type": "long"
},
"oldFileType": {
"ignore_above": 1024,
"type": "keyword"
},
"origin": {
"ignore_above": 1024,
"type": "keyword"
},
"originsicname": {
"ignore_above": 1024,
"type": "keyword"
},
"outzone": {
"ignore_above": 1024,
"type": "keyword"
},
"parent_rule": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"rawEvent": {
"ignore_above": 1024,
"type": "keyword"
},
"requestClientApplication": {
"ignore_above": 1024,
"type": "keyword"
},
"requestContext": {
"ignore_above": 1024,
"type": "keyword"
},
"requestCookies": {
"ignore_above": 1024,
"type": "keyword"
},
"requestMethod": {
"ignore_above": 1024,
"type": "keyword"
},
"requestUrl": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_action": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_uid": {
"ignore_above": 1024,
"type": "keyword"
},
"sequencenum": {
"ignore_above": 1024,
"type": "keyword"
},
"service_id": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceAddress": {
"type": "ip"
},
"sourceDnsDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceGeoLatitude": {
"type": "double"
},
"sourceGeoLongitude": {
"type": "double"
},
"sourceHostName": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceMacAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceNtDomain": {
"ignore_above": 1024,
"type": "keyword"
},
"sourcePort": {
"type": "long"
},
"sourceProcessId": {
"type": "long"
},
"sourceProcessName": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceServiceName": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceTranslatedAddress": {
"type": "ip"
},
"sourceTranslatedPort": {
"type": "long"
},
"sourceTranslatedZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceTranslatedZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceUserId": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceUserName": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceUserPrivileges": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceZoneExternalID": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceZoneURI": {
"ignore_above": 1024,
"type": "keyword"
},
"startTime": {
"type": "date"
},
"transportProtocol": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"type": "long"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
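Review bot: `cef.extensions.rawEvent` and `cef.extensions.message` are mapped as `keyword` with `"ignore_above": 1024` and no `text` subfield, so any CEF event body or message longer than 1 KiB is stored in `_source` but is not searchable through these fields at all, unlike the aws section's `request_parameters`, which keeps a `.text` subfield for long values. Adding `"fields": { "text": { "norms": false, "type": "text" } }` to those two properties would keep long payloads searchable without changing the keyword behaviour. Separately, `requestCookies` is indexed verbatim; if any CEF source forwards HTTP request cookies, session identifiers end up in the index, so it is worth confirming that the ingest pipeline redacts or drops that field, or that index access controls and retention are acceptable for it, and recording that decision in `_meta`. The `_meta.documentation` link here also points at the ECS base page rather than the CEF field reference.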



@@ -0,0 +1,620 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"cisco": {
"properties": {
"amp": {
"properties": {
"bp_data": {
"type": "flattened"
},
"cloud_ioc": {
"properties": {
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"short_description": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"command_line": {
"properties": {
"arguments": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"computer": {
"properties": {
"active": {
"type": "boolean"
},
"connector_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"external_ip": {
"type": "ip"
},
"network_addresses": {
"type": "flattened"
}
}
},
"connector_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"detection": {
"ignore_above": 1024,
"type": "keyword"
},
"detection_id": {
"ignore_above": 1024,
"type": "keyword"
},
"error": {
"properties": {
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"error_code": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event_type_id": {
"ignore_above": 1024,
"type": "keyword"
},
"file": {
"properties": {
"archived_file": {
"properties": {
"disposition": {
"ignore_above": 1024,
"type": "keyword"
},
"identity": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"attack_details": {
"properties": {
"application": {
"ignore_above": 1024,
"type": "keyword"
},
"attacked_module": {
"ignore_above": 1024,
"type": "keyword"
},
"base_address": {
"ignore_above": 1024,
"type": "keyword"
},
"indicators": {
"type": "flattened"
},
"suspicious_files": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"disposition": {
"ignore_above": 1024,
"type": "keyword"
},
"parent": {
"properties": {
"disposition": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"group_guids": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_tactics": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_techniques": {
"ignore_above": 1024,
"type": "keyword"
},
"network_info": {
"properties": {
"disposition": {
"ignore_above": 1024,
"type": "keyword"
},
"nfm": {
"properties": {
"direction": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"parent": {
"properties": {
"disposition": {
"ignore_above": 1024,
"type": "keyword"
},
"identify": {
"properties": {
"sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"identity": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"related": {
"properties": {
"cve": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"scan": {
"properties": {
"clean": {
"type": "boolean"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"malicious_detections": {
"type": "long"
},
"scanned_files": {
"type": "long"
},
"scanned_paths": {
"type": "long"
},
"scanned_processes": {
"type": "long"
}
}
},
"tactics": {
"type": "flattened"
},
"techniques": {
"type": "flattened"
},
"threat_hunting": {
"properties": {
"incident_end_time": {
"type": "date"
},
"incident_hunt_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"incident_id": {
"ignore_above": 1024,
"type": "keyword"
},
"incident_remediation": {
"ignore_above": 1024,
"type": "keyword"
},
"incident_report_guid": {
"ignore_above": 1024,
"type": "keyword"
},
"incident_start_time": {
"type": "date"
},
"incident_summary": {
"ignore_above": 1024,
"type": "keyword"
},
"incident_title": {
"ignore_above": 1024,
"type": "keyword"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"tactics": {
"type": "flattened"
},
"techniques": {
"type": "flattened"
}
}
},
"timestamp_nanoseconds": {
"type": "date"
},
"vulnerabilities": {
"type": "flattened"
}
}
},
"asa": {
"properties": {
"assigned_ip": {
"type": "ip"
},
"burst": {
"properties": {
"avg_rate": {
"ignore_above": 1024,
"type": "keyword"
},
"configured_avg_rate": {
"ignore_above": 1024,
"type": "keyword"
},
"configured_rate": {
"ignore_above": 1024,
"type": "keyword"
},
"cumulative_count": {
"ignore_above": 1024,
"type": "keyword"
},
"current_rate": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"object": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"command_line_arguments": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_id": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dap_records": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_username": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_code": {
"type": "short"
},
"icmp_type": {
"type": "short"
},
"mapped_destination_host": {
"ignore_above": 1024,
"type": "keyword"
},
"mapped_destination_ip": {
"type": "ip"
},
"mapped_destination_port": {
"type": "long"
},
"mapped_source_host": {
"ignore_above": 1024,
"type": "keyword"
},
"mapped_source_ip": {
"type": "ip"
},
"mapped_source_port": {
"type": "long"
},
"message_id": {
"ignore_above": 1024,
"type": "keyword"
},
"privilege": {
"properties": {
"new": {
"ignore_above": 1024,
"type": "keyword"
},
"old": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"session_type": {
"ignore_above": 1024,
"type": "keyword"
},
"source_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"source_username": {
"ignore_above": 1024,
"type": "keyword"
},
"suffix": {
"ignore_above": 1024,
"type": "keyword"
},
"termination_initiator": {
"ignore_above": 1024,
"type": "keyword"
},
"termination_user": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_category": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_level": {
"ignore_above": 1024,
"type": "keyword"
},
"tunnel_type": {
"ignore_above": 1024,
"type": "keyword"
},
"webvpn": {
"properties": {
"group_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"ftd": {
"properties": {
"connection_id": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dap_records": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_username": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_code": {
"type": "short"
},
"icmp_type": {
"type": "short"
},
"mapped_destination_host": {
"ignore_above": 1024,
"type": "keyword"
},
"mapped_destination_ip": {
"type": "ip"
},
"mapped_destination_port": {
"type": "long"
},
"mapped_source_host": {
"ignore_above": 1024,
"type": "keyword"
},
"mapped_source_ip": {
"type": "ip"
},
"mapped_source_port": {
"type": "long"
},
"message_id": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"security": {
"type": "object"
},
"source_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"source_username": {
"ignore_above": 1024,
"type": "keyword"
},
"suffix": {
"ignore_above": 1024,
"type": "keyword"
},
"termination_initiator": {
"ignore_above": 1024,
"type": "keyword"
},
"termination_user": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_category": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_level": {
"ignore_above": 1024,
"type": "keyword"
},
"webvpn": {
"properties": {
"group_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"ios": {
"properties": {
"access_list": {
"ignore_above": 1024,
"type": "keyword"
},
"facility": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"umbrella": {
"properties": {
"amp_disposition": {
"ignore_above": 1024,
"type": "keyword"
},
"amp_malware_name": {
"ignore_above": 1024,
"type": "keyword"
},
"amp_score": {
"ignore_above": 1024,
"type": "keyword"
},
"av_detections": {
"ignore_above": 1024,
"type": "keyword"
},
"blocked_categories": {
"ignore_above": 1024,
"type": "keyword"
},
"categories": {
"ignore_above": 1024,
"type": "keyword"
},
"content_type": {
"ignore_above": 1024,
"type": "keyword"
},
"datacenter": {
"ignore_above": 1024,
"type": "keyword"
},
"identities": {
"ignore_above": 1024,
"type": "keyword"
},
"identity_types": {
"ignore_above": 1024,
"type": "keyword"
},
"origin_id": {
"ignore_above": 1024,
"type": "keyword"
},
"policy_identity_type": {
"ignore_above": 1024,
"type": "keyword"
},
"puas": {
"ignore_above": 1024,
"type": "keyword"
},
"sha_sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
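Review bot: The parent hash fields are split across two differently spelled objects — `cisco.amp.network_info.parent.identify.sha256` sits next to `cisco.amp.network_info.parent.identity.md5`/`sha1` — while `cisco.amp.file.archived_file.identity` keeps all three hashes under `identity`. If `identify` is a typo rather than a deliberate copy of the upstream field name, the sha256 of a parent process in network events lands under a different path from every other sha256 in this template, which breaks pivoting by hash across file and network events; confirm against the pipeline that writes these fields and, if it is a typo, move the mapping to `"identity": { "properties": { "md5": …, "sha1": …, "sha256": { "ignore_above": 1024, "type": "keyword" } } }`. Separately, `cisco.ftd.security` is an open `"type": "object"` with no `properties`: unless the enclosing index template sets `dynamic` to `false` or `strict` (not visible here), every new key that appears in FTD security-event details will create a new field, so `"type": "flattened"` — the choice already made for `cisco.amp.bp_data` and `cisco.amp.vulnerabilities` — would bound the mapping against log-driven field growth.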


@@ -0,0 +1,305 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"cyberarkpas": {
"properties": {
"audit": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"ca_properties": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"cpm_disabled": {
"ignore_above": 1024,
"type": "keyword"
},
"cpm_error_details": {
"ignore_above": 1024,
"type": "keyword"
},
"cpm_status": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_method": {
"ignore_above": 1024,
"type": "keyword"
},
"customer": {
"ignore_above": 1024,
"type": "keyword"
},
"database": {
"ignore_above": 1024,
"type": "keyword"
},
"device_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dual_account_status": {
"ignore_above": 1024,
"type": "keyword"
},
"group_name": {
"ignore_above": 1024,
"type": "keyword"
},
"in_process": {
"ignore_above": 1024,
"type": "keyword"
},
"index": {
"ignore_above": 1024,
"type": "keyword"
},
"last_fail_date": {
"ignore_above": 1024,
"type": "keyword"
},
"last_success_change": {
"ignore_above": 1024,
"type": "keyword"
},
"last_success_reconciliation": {
"ignore_above": 1024,
"type": "keyword"
},
"last_success_verification": {
"ignore_above": 1024,
"type": "keyword"
},
"last_task": {
"ignore_above": 1024,
"type": "keyword"
},
"logon_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"other": {
"type": "flattened"
},
"policy_id": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"ignore_above": 1024,
"type": "keyword"
},
"privcloud": {
"ignore_above": 1024,
"type": "keyword"
},
"reset_immediately": {
"ignore_above": 1024,
"type": "keyword"
},
"retries_count": {
"ignore_above": 1024,
"type": "keyword"
},
"sequence_id": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"user_dn": {
"ignore_above": 1024,
"type": "keyword"
},
"user_name": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_username": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"desc": {
"ignore_above": 1024,
"type": "keyword"
},
"extra_details": {
"properties": {
"ad_process_id": {
"ignore_above": 1024,
"type": "keyword"
},
"ad_process_name": {
"ignore_above": 1024,
"type": "keyword"
},
"application_type": {
"ignore_above": 1024,
"type": "keyword"
},
"command": {
"ignore_above": 1024,
"type": "keyword"
},
"connection_component_id": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_host": {
"ignore_above": 1024,
"type": "keyword"
},
"logon_account": {
"ignore_above": 1024,
"type": "keyword"
},
"managed_account": {
"ignore_above": 1024,
"type": "keyword"
},
"other": {
"type": "flattened"
},
"process_id": {
"ignore_above": 1024,
"type": "keyword"
},
"process_name": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"psmid": {
"ignore_above": 1024,
"type": "keyword"
},
"session_duration": {
"ignore_above": 1024,
"type": "keyword"
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"src_host": {
"ignore_above": 1024,
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"file": {
"ignore_above": 1024,
"type": "keyword"
},
"gateway_station": {
"type": "ip"
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"iso_timestamp": {
"type": "date"
},
"issuer": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"doc_values": false,
"ignore_above": 4096,
"index": false,
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"message_id": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"pvwa_details": {
"type": "flattened"
},
"raw": {
"doc_values": false,
"ignore_above": 4096,
"index": false,
"type": "keyword"
},
"reason": {
"norms": false,
"type": "text"
},
"rfc5424": {
"type": "boolean"
},
"safe": {
"ignore_above": 1024,
"type": "keyword"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"source_user": {
"ignore_above": 1024,
"type": "keyword"
},
"station": {
"type": "ip"
},
"target_user": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
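Review bot: `cyberarkpas.audit.station` and `cyberarkpas.audit.gateway_station` are mapped as `ip` with no `ignore_malformed`, so an audit record whose Station value is a hostname rather than an address would be rejected by the mapper and silently absent from the index — for a privileged-access audit source that is exactly the gap an attacker benefits from. If the pipeline feeding these fields does not already guarantee a parseable address (it is not visible here), either add `"ignore_malformed": true` to both fields or have the pipeline keep the raw value in a keyword field and set the `ip` field only when it parses. Also note that `cyberarkpas.audit.extra_details.command` is a keyword with `ignore_above: 1024`; a PSM command longer than 1024 characters stays in `_source` but is not indexed, so searches for long commands return nothing — a `text` multi-field, as used for `reason`, or a larger `ignore_above` is worth considering if full command search is expected.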



@@ -0,0 +1,267 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"gcp": {
"properties": {
"audit": {
"properties": {
"authentication_info": {
"properties": {
"authority_selector": {
"ignore_above": 1024,
"type": "keyword"
},
"principal_email": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"method_name": {
"ignore_above": 1024,
"type": "keyword"
},
"num_response_items": {
"type": "long"
},
"request": {
"properties": {
"filter": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"proto_name": {
"ignore_above": 1024,
"type": "keyword"
},
"resource_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"request_metadata": {
"properties": {
"caller_ip": {
"type": "ip"
},
"caller_supplied_user_agent": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"resource_location": {
"properties": {
"current_locations": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"resource_name": {
"ignore_above": 1024,
"type": "keyword"
},
"response": {
"properties": {
"details": {
"properties": {
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"proto_name": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"service_name": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"properties": {
"code": {
"type": "long"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"destination": {
"properties": {
"instance": {
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword"
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vpc": {
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword"
},
"subnetwork_name": {
"ignore_above": 1024,
"type": "keyword"
},
"vpc_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"firewall": {
"properties": {
"rule_details": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_range": {
"ignore_above": 1024,
"type": "keyword"
},
"direction": {
"ignore_above": 1024,
"type": "keyword"
},
"priority": {
"type": "long"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"source_range": {
"ignore_above": 1024,
"type": "keyword"
},
"source_service_account": {
"ignore_above": 1024,
"type": "keyword"
},
"source_tag": {
"ignore_above": 1024,
"type": "keyword"
},
"target_service_account": {
"ignore_above": 1024,
"type": "keyword"
},
"target_tag": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"source": {
"properties": {
"instance": {
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword"
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vpc": {
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword"
},
"subnetwork_name": {
"ignore_above": 1024,
"type": "keyword"
},
"vpc_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"vpcflow": {
"properties": {
"reporter": {
"ignore_above": 1024,
"type": "keyword"
},
"rtt": {
"properties": {
"ms": {
"type": "long"
}
}
}
}
}
}
}
}
}
}
}
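Review bot: `gcp.audit.request_metadata.caller_ip` is an `ip` field with no `ignore_malformed`, but as far as I recall the Cloud Audit Log `requestMetadata.callerIp` value can be a placeholder such as `private` or `gce-internal-ip` for calls made from inside Google's network rather than an address (this cannot be confirmed from the template alone). If such values reach this field unfiltered, those records fail mapping and are dropped, which removes precisely the service-to-service and internal-caller audit events from the index. Either add `"ignore_malformed": true` to this field or ensure the ingest pipeline sets it only when the value parses as an address, keeping the original string in a keyword field so the placeholder is still searchable.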


@@ -0,0 +1,750 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"google_workspace": {
"properties": {
"actor": {
"properties": {
"key": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"admin": {
"properties": {
"alert": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"api": {
"properties": {
"client": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"scopes": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"application": {
"properties": {
"asp_id": {
"ignore_above": 1024,
"type": "keyword"
},
"edition": {
"ignore_above": 1024,
"type": "keyword"
},
"enabled": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"licences_order_number": {
"ignore_above": 1024,
"type": "keyword"
},
"licences_purchased": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"package_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"bulk_upload": {
"properties": {
"failed": {
"type": "long"
},
"total": {
"type": "long"
}
}
},
"chrome_licenses": {
"properties": {
"allowed": {
"ignore_above": 1024,
"type": "keyword"
},
"enabled": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"chrome_os": {
"properties": {
"session_type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"device": {
"properties": {
"command_details": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"distribution": {
"properties": {
"entity": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"domain": {
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"secondary_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"email": {
"properties": {
"log_search_filter": {
"properties": {
"end_date": {
"type": "date"
},
"message_id": {
"ignore_above": 1024,
"type": "keyword"
},
"recipient": {
"properties": {
"ip": {
"type": "ip"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"sender": {
"properties": {
"ip": {
"type": "ip"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"start_date": {
"type": "date"
}
}
},
"quarantine_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"email_dump": {
"properties": {
"include_deleted": {
"type": "boolean"
},
"package_content": {
"ignore_above": 1024,
"type": "keyword"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"email_monitor": {
"properties": {
"dest_email": {
"ignore_above": 1024,
"type": "keyword"
},
"level": {
"properties": {
"chat": {
"ignore_above": 1024,
"type": "keyword"
},
"draft": {
"ignore_above": 1024,
"type": "keyword"
},
"incoming": {
"ignore_above": 1024,
"type": "keyword"
},
"outgoing": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"field": {
"ignore_above": 1024,
"type": "keyword"
},
"gateway": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"group": {
"properties": {
"allowed_list": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"priorities": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"info_type": {
"ignore_above": 1024,
"type": "keyword"
},
"managed_configuration": {
"ignore_above": 1024,
"type": "keyword"
},
"mdm": {
"properties": {
"token": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"mobile": {
"properties": {
"action": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"certificate": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"company_owned_devices": {
"type": "long"
}
}
},
"new_value": {
"ignore_above": 1024,
"type": "keyword"
},
"non_featured_services_selection": {
"ignore_above": 1024,
"type": "keyword"
},
"oauth2": {
"properties": {
"application": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"service": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"old_value": {
"ignore_above": 1024,
"type": "keyword"
},
"org_unit": {
"properties": {
"full": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"print_server": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"printer": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"privilege": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"product": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"sku": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"request": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"resource": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"role": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"rule": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"service": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"setting": {
"properties": {
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"url": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user": {
"properties": {
"birthdate": {
"type": "date"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"nickname": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"user_defined_setting": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"verification_method": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"drive": {
"properties": {
"added_role": {
"ignore_above": 1024,
"type": "keyword"
},
"billable": {
"type": "boolean"
},
"destination_folder_id": {
"ignore_above": 1024,
"type": "keyword"
},
"destination_folder_title": {
"ignore_above": 1024,
"type": "keyword"
},
"file": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"owner": {
"properties": {
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"is_shared_drive": {
"type": "boolean"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"membership_change_type": {
"ignore_above": 1024,
"type": "keyword"
},
"new_value": {
"ignore_above": 1024,
"type": "keyword"
},
"old_value": {
"ignore_above": 1024,
"type": "keyword"
},
"old_visibility": {
"ignore_above": 1024,
"type": "keyword"
},
"originating_app_id": {
"ignore_above": 1024,
"type": "keyword"
},
"primary_event": {
"type": "boolean"
},
"removed_role": {
"ignore_above": 1024,
"type": "keyword"
},
"shared_drive_id": {
"ignore_above": 1024,
"type": "keyword"
},
"shared_drive_settings_change_type": {
"ignore_above": 1024,
"type": "keyword"
},
"sheets_import_range_recipient_doc": {
"ignore_above": 1024,
"type": "keyword"
},
"source_folder_id": {
"ignore_above": 1024,
"type": "keyword"
},
"source_folder_title": {
"ignore_above": 1024,
"type": "keyword"
},
"target": {
"ignore_above": 1024,
"type": "keyword"
},
"target_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"visibility": {
"ignore_above": 1024,
"type": "keyword"
},
"visibility_change": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"groups": {
"properties": {
"acl_permission": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"member": {
"properties": {
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"role": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"message": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"moderation_action": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"new_value": {
"ignore_above": 1024,
"type": "keyword"
},
"old_value": {
"ignore_above": 1024,
"type": "keyword"
},
"setting": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"login": {
"properties": {
"affected_email_address": {
"ignore_above": 1024,
"type": "keyword"
},
"challenge_method": {
"ignore_above": 1024,
"type": "keyword"
},
"failure_type": {
"ignore_above": 1024,
"type": "keyword"
},
"is_second_factor": {
"type": "boolean"
},
"is_suspicious": {
"type": "boolean"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"organization": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"saml": {
"properties": {
"application_name": {
"ignore_above": 1024,
"type": "keyword"
},
"failure_type": {
"ignore_above": 1024,
"type": "keyword"
},
"initiated_by": {
"ignore_above": 1024,
"type": "keyword"
},
"orgunit_path": {
"ignore_above": 1024,
"type": "keyword"
},
"second_level_status_code": {
"ignore_above": 1024,
"type": "keyword"
},
"status_code": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
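Review bot: `google_workspace.admin.mdm.token` is indexed as a plain keyword. If that parameter carries the MDM vendor enrollment token value rather than an opaque identifier (the mapping alone does not say), it is a credential being written into a searchable SIEM index that many analysts can read; the right fix is to drop or hash it in the ingest pipeline, since `"index": false` would only hide it from search while leaving it in `_source`. Confirm what the Workspace admin audit event actually places in this field before keeping it searchable. A smaller consistency point: `admin.application.enabled` and `admin.chrome_licenses.allowed`/`enabled` are keyword while `admin.email_dump.include_deleted` and `drive.billable` are boolean; if the source emits true/false for all of them, mapping the first three as `"type": "boolean"` spares analysts from guessing the string form.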


@@ -0,0 +1,378 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"juniper": {
"properties": {
"srx": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"action_detail": {
"ignore_above": 1024,
"type": "keyword"
},
"alert": {
"ignore_above": 1024,
"type": "keyword"
},
"apbr_rule_type": {
"ignore_above": 1024,
"type": "keyword"
},
"application": {
"ignore_above": 1024,
"type": "keyword"
},
"application_category": {
"ignore_above": 1024,
"type": "keyword"
},
"application_characteristics": {
"ignore_above": 1024,
"type": "keyword"
},
"application_name": {
"ignore_above": 1024,
"type": "keyword"
},
"application_sub_category": {
"ignore_above": 1024,
"type": "keyword"
},
"attack_name": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"client_ip": {
"type": "ip"
},
"connection_hit_rate": {
"type": "long"
},
"connection_tag": {
"ignore_above": 1024,
"type": "keyword"
},
"context_hit_rate": {
"type": "long"
},
"context_name": {
"ignore_above": 1024,
"type": "keyword"
},
"context_value": {
"ignore_above": 1024,
"type": "keyword"
},
"context_value_hit_rate": {
"type": "long"
},
"ddos_application_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dscp_value": {
"type": "long"
},
"dst_nat_rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_nat_rule_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_vrf_grp": {
"ignore_above": 1024,
"type": "keyword"
},
"elapsed_time": {
"type": "date"
},
"encrypted": {
"ignore_above": 1024,
"type": "keyword"
},
"epoch_time": {
"type": "date"
},
"error_code": {
"ignore_above": 1024,
"type": "keyword"
},
"error_message": {
"ignore_above": 1024,
"type": "keyword"
},
"export_id": {
"type": "long"
},
"feed_name": {
"ignore_above": 1024,
"type": "keyword"
},
"file_category": {
"ignore_above": 1024,
"type": "keyword"
},
"file_hash_lookup": {
"ignore_above": 1024,
"type": "keyword"
},
"file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"filename": {
"ignore_above": 1024,
"type": "keyword"
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_type": {
"type": "long"
},
"inbound_bytes": {
"type": "long"
},
"inbound_packets": {
"type": "long"
},
"index": {
"ignore_above": 1024,
"type": "keyword"
},
"logical_system_name": {
"ignore_above": 1024,
"type": "keyword"
},
"malware_info": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"message_type": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"nat_connection_tag": {
"ignore_above": 1024,
"type": "keyword"
},
"nested_application": {
"ignore_above": 1024,
"type": "keyword"
},
"obj": {
"ignore_above": 1024,
"type": "keyword"
},
"occur_count": {
"type": "long"
},
"outbound_bytes": {
"type": "long"
},
"outbound_packets": {
"type": "long"
},
"packet_log_id": {
"type": "long"
},
"peer_destination_address": {
"type": "ip"
},
"peer_destination_port": {
"type": "long"
},
"peer_session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"peer_source_address": {
"type": "ip"
},
"peer_source_port": {
"type": "long"
},
"policy_name": {
"ignore_above": 1024,
"type": "keyword"
},
"process": {
"ignore_above": 1024,
"type": "keyword"
},
"profile": {
"ignore_above": 1024,
"type": "keyword"
},
"profile_name": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol_id": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol_name": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"repeat_count": {
"type": "long"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
},
"routing_instance": {
"ignore_above": 1024,
"type": "keyword"
},
"rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"ruleebase_name": {
"ignore_above": 1024,
"type": "keyword"
},
"sample_sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"secure_web_proxy_session_type": {
"ignore_above": 1024,
"type": "keyword"
},
"service_name": {
"ignore_above": 1024,
"type": "keyword"
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"session_id_32": {
"ignore_above": 1024,
"type": "keyword"
},
"src_nat_rule_name": {
"ignore_above": 1024,
"type": "keyword"
},
"src_nat_rule_type": {
"ignore_above": 1024,
"type": "keyword"
},
"src_vrf_grp": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"sub_category": {
"ignore_above": 1024,
"type": "keyword"
},
"tag": {
"ignore_above": 1024,
"type": "keyword"
},
"temporary_filename": {
"ignore_above": 1024,
"type": "keyword"
},
"tenant_id": {
"ignore_above": 1024,
"type": "keyword"
},
"th": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_severity": {
"ignore_above": 1024,
"type": "keyword"
},
"time_count": {
"type": "long"
},
"time_period": {
"type": "long"
},
"time_scope": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uplink_rx_bytes": {
"type": "long"
},
"uplink_tx_bytes": {
"type": "long"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
},
"verdict_number": {
"type": "long"
},
"verdict_source": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
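Review bot: `juniper.srx.elapsed_time` is mapped as `date`. If the value is the session duration in seconds from the SRX session-close message (the name suggests a duration, not an instant), default date parsing treats a bare integer as epoch milliseconds, so a 3600-second session indexes as a timestamp a few seconds after 1970-01-01, and any value carrying a unit suffix rejects the whole document; `"elapsed_time": { "type": "long" }` is the safer mapping for a duration, ideally with the unit in the field name. `juniper.srx.ruleebase_name` also reads like a typo for `rulebase_name`; if it is a verbatim copy of the upstream field name it should stay for compatibility, otherwise fix it before documents are written against it.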


@@ -0,0 +1,265 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"microsoft": {
"properties": {
"defender_atp": {
"properties": {
"assignedTo": {
"ignore_above": 1024,
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"determination": {
"ignore_above": 1024,
"type": "keyword"
},
"evidence": {
"properties": {
"aadUserId": {
"ignore_above": 1024,
"type": "keyword"
},
"accountName": {
"ignore_above": 1024,
"type": "keyword"
},
"domainName": {
"ignore_above": 1024,
"type": "keyword"
},
"entityType": {
"ignore_above": 1024,
"type": "keyword"
},
"ipAddress": {
"type": "ip"
},
"userPrincipalName": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"incidentId": {
"ignore_above": 1024,
"type": "keyword"
},
"investigationId": {
"ignore_above": 1024,
"type": "keyword"
},
"investigationState": {
"ignore_above": 1024,
"type": "keyword"
},
"lastUpdateTime": {
"type": "date"
},
"rbacGroupName": {
"ignore_above": 1024,
"type": "keyword"
},
"resolvedTime": {
"type": "date"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"threatFamilyName": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"m365_defender": {
"properties": {
"alerts": {
"properties": {
"actorName": {
"ignore_above": 1024,
"type": "keyword"
},
"assignedTo": {
"ignore_above": 1024,
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"creationTime": {
"type": "date"
},
"detectionSource": {
"ignore_above": 1024,
"type": "keyword"
},
"determination": {
"ignore_above": 1024,
"type": "keyword"
},
"devices": {
"type": "flattened"
},
"entities": {
"properties": {
"accountName": {
"ignore_above": 1024,
"type": "keyword"
},
"clusterBy": {
"ignore_above": 1024,
"type": "keyword"
},
"deliveryAction": {
"ignore_above": 1024,
"type": "keyword"
},
"deviceId": {
"ignore_above": 1024,
"type": "keyword"
},
"entityType": {
"ignore_above": 1024,
"type": "keyword"
},
"ipAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"mailboxAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"mailboxDisplayName": {
"ignore_above": 1024,
"type": "keyword"
},
"recipient": {
"ignore_above": 1024,
"type": "keyword"
},
"registryHive": {
"ignore_above": 1024,
"type": "keyword"
},
"registryKey": {
"ignore_above": 1024,
"type": "keyword"
},
"registryValueType": {
"ignore_above": 1024,
"type": "keyword"
},
"securityGroupId": {
"ignore_above": 1024,
"type": "keyword"
},
"securityGroupName": {
"ignore_above": 1024,
"type": "keyword"
},
"sender": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"incidentId": {
"ignore_above": 1024,
"type": "keyword"
},
"investigationId": {
"ignore_above": 1024,
"type": "keyword"
},
"investigationState": {
"ignore_above": 1024,
"type": "keyword"
},
"lastUpdatedTime": {
"type": "date"
},
"mitreTechniques": {
"ignore_above": 1024,
"type": "keyword"
},
"resolvedTime": {
"type": "date"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"threatFamilyName": {
"ignore_above": 1024,
"type": "keyword"
},
"userSid": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"assignedTo": {
"ignore_above": 1024,
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"determination": {
"ignore_above": 1024,
"type": "keyword"
},
"incidentId": {
"ignore_above": 1024,
"type": "keyword"
},
"incidentName": {
"ignore_above": 1024,
"type": "keyword"
},
"investigationState": {
"ignore_above": 1024,
"type": "keyword"
},
"redirectIncidentId": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
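Review bot: `microsoft.defender_atp.evidence.ipAddress` is mapped as `ip` while `microsoft.m365_defender.alerts.entities.ipAddress` is `keyword`, so the same evidence attribute supports CIDR and range queries in one namespace but not the other. If the M365 entity field can carry non-IP values (hostnames, empty strings), `keyword` is the safer choice, because an `ip` field rejects a malformed value and, without `ignore_malformed`, the whole document with it; otherwise mapping both as `ip` keeps analyst queries uniform across the two sources. Whichever is intended, a short note in the template's `_meta` stating why the two differ would save the next maintainer the same question.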


@@ -0,0 +1,425 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"misp": {
"properties": {
"attack_pattern": {
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"kill_chain_phases": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"campaign": {
"properties": {
"aliases": {
"norms": false,
"type": "text"
},
"description": {
"norms": false,
"type": "text"
},
"first_seen": {
"type": "date"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"last_seen": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"objective": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"course_of_action": {
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"identity": {
"properties": {
"contact_information": {
"norms": false,
"type": "text"
},
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"identity_class": {
"ignore_above": 1024,
"type": "keyword"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"sectors": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"intrusion_set": {
"properties": {
"aliases": {
"norms": false,
"type": "text"
},
"description": {
"norms": false,
"type": "text"
},
"first_seen": {
"type": "date"
},
"goals": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"last_seen": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"primary_motivation": {
"norms": false,
"type": "text"
},
"resource_level": {
"norms": false,
"type": "text"
},
"secondary_motivations": {
"norms": false,
"type": "text"
}
}
},
"malware": {
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"kill_chain_phases": {
"ignore_above": 1024,
"type": "keyword"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"note": {
"properties": {
"authors": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"object_refs": {
"ignore_above": 1024,
"type": "keyword"
},
"summary": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"observed_data": {
"properties": {
"first_observed": {
"type": "date"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"last_observed": {
"type": "date"
},
"number_observed": {
"type": "long"
},
"objects": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"report": {
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"object_refs": {
"norms": false,
"type": "text"
},
"published": {
"type": "date"
}
}
},
"threat_actor": {
"properties": {
"aliases": {
"norms": false,
"type": "text"
},
"description": {
"norms": false,
"type": "text"
},
"goals": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"personal_motivations": {
"norms": false,
"type": "text"
},
"primary_motivation": {
"norms": false,
"type": "text"
},
"resource_level": {
"norms": false,
"type": "text"
},
"roles": {
"norms": false,
"type": "text"
},
"secondary_motivations": {
"norms": false,
"type": "text"
},
"sophistication": {
"norms": false,
"type": "text"
}
}
},
"threat_indicator": {
"properties": {
"attack_pattern": {
"ignore_above": 1024,
"type": "keyword"
},
"attack_pattern_kql": {
"ignore_above": 1024,
"type": "keyword"
},
"campaign": {
"ignore_above": 1024,
"type": "keyword"
},
"confidence": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"norms": false,
"type": "text"
},
"feed": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"intrusion_set": {
"ignore_above": 1024,
"type": "keyword"
},
"kill_chain_phases": {
"ignore_above": 1024,
"type": "keyword"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_tactic": {
"ignore_above": 1024,
"type": "keyword"
},
"mitre_technique": {
"ignore_above": 1024,
"type": "keyword"
},
"negate": {
"type": "boolean"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"threat_actor": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"valid_from": {
"type": "date"
},
"valid_until": {
"type": "date"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tool": {
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"kill_chain_phases": {
"norms": false,
"type": "text"
},
"labels": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"tool_version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vulnerability": {
"properties": {
"description": {
"norms": false,
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
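Review bot: `misp.tool.kill_chain_phases` is mapped as `text` whereas the same-named field under `attack_pattern`, `malware` and `threat_indicator` is `keyword`, and likewise `misp.report.object_refs` is `text` while `misp.note.object_refs` is `keyword`. A `text` field is analyzed and cannot be used in terms aggregations or exact filters, so dashboards that pivot on kill-chain phase or on reference IDs will behave differently per STIX object type. Unless the tool/report variants are intentionally free text, mapping them as `"ignore_above": 1024, "type": "keyword"` like their siblings keeps the STIX-derived fields uniform. Separately, `ignore_above: 1024` on `threat_indicator.attack_pattern_kql` and `observed_data.objects` means values longer than that stay in `_source` but are not indexed, so long KQL strings or serialized observed objects silently become unsearchable.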


@@ -0,0 +1,445 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"o365": {
"properties": {
"audit": {
"properties": {
"AADGroupId": {
"ignore_above": 1024,
"type": "keyword"
},
"ActorContextId": {
"ignore_above": 1024,
"type": "keyword"
},
"ActorIpAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"ActorUserId": {
"ignore_above": 1024,
"type": "keyword"
},
"ActorYammerUserId": {
"ignore_above": 1024,
"type": "keyword"
},
"AlertEntityId": {
"ignore_above": 1024,
"type": "keyword"
},
"AlertId": {
"ignore_above": 1024,
"type": "keyword"
},
"AlertType": {
"ignore_above": 1024,
"type": "keyword"
},
"AppId": {
"ignore_above": 1024,
"type": "keyword"
},
"ApplicationDisplayName": {
"ignore_above": 1024,
"type": "keyword"
},
"ApplicationId": {
"ignore_above": 1024,
"type": "keyword"
},
"AzureActiveDirectoryEventType": {
"ignore_above": 1024,
"type": "keyword"
},
"Category": {
"ignore_above": 1024,
"type": "keyword"
},
"ClientAppId": {
"ignore_above": 1024,
"type": "keyword"
},
"ClientIP": {
"ignore_above": 1024,
"type": "keyword"
},
"ClientIPAddress": {
"ignore_above": 1024,
"type": "keyword"
},
"ClientInfoString": {
"ignore_above": 1024,
"type": "keyword"
},
"Comments": {
"norms": false,
"type": "text"
},
"CommunicationType": {
"ignore_above": 1024,
"type": "keyword"
},
"CorrelationId": {
"ignore_above": 1024,
"type": "keyword"
},
"CreationTime": {
"ignore_above": 1024,
"type": "keyword"
},
"CustomUniqueId": {
"ignore_above": 1024,
"type": "keyword"
},
"Data": {
"ignore_above": 1024,
"type": "keyword"
},
"DataType": {
"ignore_above": 1024,
"type": "keyword"
},
"DoNotDistributeEvent": {
"type": "boolean"
},
"EntityType": {
"ignore_above": 1024,
"type": "keyword"
},
"ErrorNumber": {
"ignore_above": 1024,
"type": "keyword"
},
"EventData": {
"ignore_above": 1024,
"type": "keyword"
},
"EventSource": {
"ignore_above": 1024,
"type": "keyword"
},
"ExceptionInfo": {
"properties": {
"*": {
"type": "object"
}
}
},
"ExchangeMetaData": {
"properties": {
"*": {
"type": "object"
}
}
},
"ExtendedProperties": {
"properties": {
"*": {
"type": "object"
}
}
},
"ExternalAccess": {
"ignore_above": 1024,
"type": "keyword"
},
"FromApp": {
"type": "boolean"
},
"GroupName": {
"ignore_above": 1024,
"type": "keyword"
},
"Id": {
"ignore_above": 1024,
"type": "keyword"
},
"ImplicitShare": {
"ignore_above": 1024,
"type": "keyword"
},
"IncidentId": {
"ignore_above": 1024,
"type": "keyword"
},
"InterSystemsId": {
"ignore_above": 1024,
"type": "keyword"
},
"InternalLogonType": {
"ignore_above": 1024,
"type": "keyword"
},
"IntraSystemId": {
"ignore_above": 1024,
"type": "keyword"
},
"IsDocLib": {
"type": "boolean"
},
"Item": {
"properties": {
"*": {
"properties": {
"*": {
"type": "object"
}
},
"type": "object"
}
}
},
"ItemCount": {
"type": "long"
},
"ItemName": {
"ignore_above": 1024,
"type": "keyword"
},
"ItemType": {
"ignore_above": 1024,
"type": "keyword"
},
"ListBaseTemplateType": {
"ignore_above": 1024,
"type": "keyword"
},
"ListBaseType": {
"ignore_above": 1024,
"type": "keyword"
},
"ListColor": {
"ignore_above": 1024,
"type": "keyword"
},
"ListIcon": {
"ignore_above": 1024,
"type": "keyword"
},
"ListId": {
"ignore_above": 1024,
"type": "keyword"
},
"ListItemUniqueId": {
"ignore_above": 1024,
"type": "keyword"
},
"ListTitle": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonError": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonType": {
"ignore_above": 1024,
"type": "keyword"
},
"LogonUserSid": {
"ignore_above": 1024,
"type": "keyword"
},
"MailboxGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"MailboxOwnerMasterAccountSid": {
"ignore_above": 1024,
"type": "keyword"
},
"MailboxOwnerSid": {
"ignore_above": 1024,
"type": "keyword"
},
"MailboxOwnerUPN": {
"ignore_above": 1024,
"type": "keyword"
},
"Members": {
"properties": {
"*": {
"type": "object"
}
}
},
"ModifiedProperties": {
"properties": {
"*": {
"properties": {
"*": {
"type": "object"
}
}
}
}
},
"Name": {
"ignore_above": 1024,
"type": "keyword"
},
"ObjectId": {
"ignore_above": 1024,
"type": "keyword"
},
"Operation": {
"ignore_above": 1024,
"type": "keyword"
},
"OrganizationId": {
"ignore_above": 1024,
"type": "keyword"
},
"OrganizationName": {
"ignore_above": 1024,
"type": "keyword"
},
"OriginatingServer": {
"ignore_above": 1024,
"type": "keyword"
},
"Parameters": {
"properties": {
"*": {
"type": "object"
}
}
},
"PolicyId": {
"ignore_above": 1024,
"type": "keyword"
},
"RecordType": {
"ignore_above": 1024,
"type": "keyword"
},
"ResultStatus": {
"ignore_above": 1024,
"type": "keyword"
},
"SensitiveInfoDetectionIsIncluded": {
"ignore_above": 1024,
"type": "keyword"
},
"SessionId": {
"ignore_above": 1024,
"type": "keyword"
},
"Severity": {
"ignore_above": 1024,
"type": "keyword"
},
"SharePointMetaData": {
"properties": {
"*": {
"type": "object"
}
}
},
"Site": {
"ignore_above": 1024,
"type": "keyword"
},
"SiteUrl": {
"ignore_above": 1024,
"type": "keyword"
},
"Source": {
"ignore_above": 1024,
"type": "keyword"
},
"SourceFileExtension": {
"ignore_above": 1024,
"type": "keyword"
},
"SourceFileName": {
"ignore_above": 1024,
"type": "keyword"
},
"SourceRelativeUrl": {
"ignore_above": 1024,
"type": "keyword"
},
"Status": {
"ignore_above": 1024,
"type": "keyword"
},
"SupportTicketId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetContextId": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserOrGroupName": {
"ignore_above": 1024,
"type": "keyword"
},
"TargetUserOrGroupType": {
"ignore_above": 1024,
"type": "keyword"
},
"TeamGuid": {
"ignore_above": 1024,
"type": "keyword"
},
"TeamName": {
"ignore_above": 1024,
"type": "keyword"
},
"TemplateTypeId": {
"ignore_above": 1024,
"type": "keyword"
},
"UniqueSharingId": {
"ignore_above": 1024,
"type": "keyword"
},
"UserAgent": {
"ignore_above": 1024,
"type": "keyword"
},
"UserId": {
"ignore_above": 1024,
"type": "keyword"
},
"UserKey": {
"ignore_above": 1024,
"type": "keyword"
},
"UserType": {
"ignore_above": 1024,
"type": "keyword"
},
"Version": {
"ignore_above": 1024,
"type": "keyword"
},
"WebId": {
"ignore_above": 1024,
"type": "keyword"
},
"Workload": {
"ignore_above": 1024,
"type": "keyword"
},
"YammerNetworkId": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
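Review bot: The `"*"` entries under `ExceptionInfo`, `ExchangeMetaData`, `ExtendedProperties`, `Item`, `Members`, `ModifiedProperties`, `Parameters` and `SharePointMetaData` are, as far as I can tell, literal field names rather than patterns — wildcards only carry meaning in `dynamic_templates`, not inside `properties`. The real sub-keys of those objects would then be mapped dynamically, which only works while the index's `dynamic` setting allows it; `ModifiedProperties` in particular holds the before/after values for directory and mailbox changes, so if dynamic mapping is ever restricted those details stop being searchable. If the intent is "accept arbitrary sub-fields", mapping the parent as `"type": "object"` or `"type": "flattened"` (as other component templates in this commit do) states that explicitly. Also, `ClientIP`, `ClientIPAddress` and `ActorIpAddress` are `keyword`, so CIDR queries have to go through the ECS `source.ip` copy rather than these raw fields — presumably deliberate given the bracketed and port-suffixed forms O365 emits, but worth a one-line `_meta` note.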


@@ -0,0 +1,293 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"okta": {
"properties": {
"actor": {
"properties": {
"alternate_id": {
"ignore_above": 1024,
"type": "keyword"
},
"display_name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"authentication_context": {
"properties": {
"authentication_provider": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_step": {
"type": "long"
},
"credential_provider": {
"ignore_above": 1024,
"type": "keyword"
},
"credential_type": {
"ignore_above": 1024,
"type": "keyword"
},
"external_session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"interface": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"client": {
"properties": {
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"user_agent": {
"properties": {
"browser": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"ignore_above": 1024,
"type": "keyword"
},
"raw_user_agent": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"debug_context": {
"properties": {
"debug_data": {
"properties": {
"device_fingerprint": {
"ignore_above": 1024,
"type": "keyword"
},
"request_id": {
"ignore_above": 1024,
"type": "keyword"
},
"request_uri": {
"ignore_above": 1024,
"type": "keyword"
},
"suspicious_activity": {
"properties": {
"browser": {
"ignore_above": 1024,
"type": "keyword"
},
"event_city": {
"ignore_above": 1024,
"type": "keyword"
},
"event_country": {
"ignore_above": 1024,
"type": "keyword"
},
"event_id": {
"ignore_above": 1024,
"type": "keyword"
},
"event_ip": {
"type": "ip"
},
"event_latitude": {
"type": "float"
},
"event_longitude": {
"type": "float"
},
"event_state": {
"ignore_above": 1024,
"type": "keyword"
},
"event_transaction_id": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
}
}
},
"threat_suspected": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"display_message": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"outcome": {
"properties": {
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"request": {
"properties": {
"ip_chain": {
"properties": {
"geographical_context": {
"properties": {
"city": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"geolocation": {
"type": "geo_point"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"source": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"security_context": {
"properties": {
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"is_proxy": {
"type": "boolean"
},
"isp": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"target": {
"type": "flattened"
},
"transaction": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
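Review bot: `okta.request.ip_chain` is mapped as a plain object, so when an event carries several hops the `ip`, `source`, `version` and `geographical_context.*` values of all hops are indexed as independent arrays and the per-hop association is lost — a query for "hop with ip X and source Y" can match across two different hops. If proxy-chain analysis on these events matters, `"type": "nested"` on `ip_chain` preserves the grouping (at the cost of nested queries and some indexing overhead); if only the first or last hop is ever used, saying so in `_meta` would avoid the same question later. The same consideration would apply to `debug_context.debug_data.suspicious_activity`, though that one looks like a single object per event.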


@@ -0,0 +1,50 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"redis": {
"properties": {
"log": {
"properties": {
"role": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"slowlog": {
"properties": {
"args": {
"ignore_above": 1024,
"type": "keyword"
},
"cmd": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"properties": {
"us": {
"type": "long"
}
}
},
"id": {
"type": "long"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}


@@ -0,0 +1,147 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"snyk": {
"properties": {
"audit": {
"properties": {
"content": {
"type": "flattened"
},
"org_id": {
"ignore_above": 1024,
"type": "keyword"
},
"projecre_above": 1024,
"type": "keyword"
}
}
},
"projects": {
"type": "flattened"
},
"related": {
"properties": {
"projects": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vulnerabilities": {
"properties": {
"credit": {
"ignore_above": 1024,
"type": "keyword"
},
"cvss3": {
"ignore_above": 1024,
"type": "keyword"
},
"disclosure_time": {
"type": "date"
},
"exploit_maturity": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"identifiers": {
"properties": {
"alternative": {
"ignore_above": 1024,
"type": "keyword"
},
"cwe": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"introduced_date": {
"type": "date"
},
"is_fixed": {
"type": "boolean"
},
"is_ignored": {
"type": "boolean"
},
"is_patchable": {
"type": "boolean"
},
"is_patched": {
"type": "boolean"
},
"is_pinnable": {
"type": "boolean"
},
"is_upgradable": {
"type": "boolean"
},
"jira_issue_url": {
"ignore_above": 1024,
"type": "keyword"
},
"language": {
"ignore_above": 1024,
"type": "keyword"
},
"original_severity": {
"type": "long"
},
"package": {
"ignore_above": 1024,
"type": "keyword"
},
"package_manager": {
"ignore_above": 1024,
"type": "keyword"
},
"patches": {
"type": "flattened"
},
"priority_score": {
"type": "long"
},
"publication_time": {
"type": "date"
},
"reachability": {
"ignore_above": 1024,
"type": "keyword"
},
"semver": {
"type": "flattened"
},
"title": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"unique_severities_list": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
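Review bot: The `"projecre_above": 1024,` line inside `snyk.audit.properties` does not parse as rendered here — it reads like `"project_id": {` and `"ignore_above": 1024,` collapsed into one line, and the closing braces that follow only balance if that missing line is present. Worth confirming that the committed file is valid JSON and actually loads, since a malformed body fails the whole `PUT _component_template` rather than a single field. If the field is indeed `project_id`, a `keyword` mapping matching the neighbouring `org_id` is what the surrounding lines suggest.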


@@ -0,0 +1,722 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"sophos": {
"properties": {
"xg": {
"properties": {
"Configuration": {
"type": "float"
},
"Mode": {
"ignore_above": 1024,
"type": "keyword"
},
"PHPSESSID": {
"ignore_above": 1024,
"type": "keyword"
},
"Reports": {
"type": "float"
},
"Signature": {
"type": "float"
},
"SysLog_SERVER_NAME": {
"ignore_above": 1024,
"type": "keyword"
},
"Temp": {
"type": "float"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"activityname": {
"ignore_above": 1024,
"type": "keyword"
},
"ap": {
"ignore_above": 1024,
"type": "keyword"
},
"app_is_cloud": {
"ignore_above": 1024,
"type": "keyword"
},
"appfilter_policy_id": {
"type": "long"
},
"application": {
"ignore_above": 1024,
"type": "keyword"
},
"application_category": {
"ignore_above": 1024,
"type": "keyword"
},
"application_filter_policy": {
"type": "long"
},
"application_name": {
"ignore_above": 1024,
"type": "keyword"
},
"application_risk": {
"ignore_above": 1024,
"type": "keyword"
},
"application_technology": {
"ignore_above": 1024,
"type": "keyword"
},
"appresolvedby": {
"ignore_above": 1024,
"type": "keyword"
},
"auth_client": {
"ignore_above": 1024,
"type": "keyword"
},
"auth_mechanism": {
"ignore_above": 1024,
"type": "keyword"
},
"av_policy_name": {
"ignore_above": 1024,
"type": "keyword"
},
"backup_mode": {
"ignore_above": 1024,
"type": "keyword"
},
"branch_name": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"category_type": {
"ignore_above": 1024,
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"client_host_name": {
"ignore_above": 1024,
"type": "keyword"
},
"client_physical_address": {
"ignore_above": 1024,
"type": "keyword"
},
"clients_conn_ssid": {
"ignore_above": 1024,
"type": "keyword"
},
"collisions": {
"type": "long"
},
"con_id": {
"type": "long"
},
"conn_id": {
"type": "long"
},
"connectionname": {
"ignore_above": 1024,
"type": "keyword"
},
"connectiontype": {
"ignore_above": 1024,
"type": "keyword"
},
"connevent": {
"ignore_above": 1024,
"type": "keyword"
},
"connid": {
"ignore_above": 1024,
"type": "keyword"
},
"contenttype": {
"ignore_above": 1024,
"type": "keyword"
},
"context_match": {
"ignore_above": 1024,
"type": "keyword"
},
"context_prefix": {
"ignore_above": 1024,
"type": "keyword"
},
"context_suffix": {
"ignore_above": 1024,
"type": "keyword"
},
"cookie": {
"ignore_above": 1024,
"type": "keyword"
},
"date": {
"type": "date"
},
"destinationip": {
"type": "ip"
},
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"device_id": {
"ignore_above": 1024,
"type": "keyword"
},
"device_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dictionary_name": {
"ignore_above": 1024,
"type": "keyword"
},
"dir_disp": {
"ignore_above": 1024,
"type": "keyword"
},
"direction": {
"ignore_above": 1024,
"type": "keyword"
},
"domainname": {
"ignore_above": 1024,
"type": "keyword"
},
"download_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"download_file_type": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_country_code": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_domainname": {
"ignore_above": 1024,
"type": "keyword"
},
"dst_ip": {
"type": "ip"
},
"dst_port": {
"type": "long"
},
"dstdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"dstzone": {
"ignore_above": 1024,
"type": "keyword"
},
"dstzonetype": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"type": "long"
},
"email_subject": {
"ignore_above": 1024,
"type": "keyword"
},
"ep_uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"eventid": {
"ignore_above": 1024,
"type": "keyword"
},
"eventtime": {
"type": "date"
},
"eventtype": {
"ignore_above": 1024,
"type": "keyword"
},
"exceptions": {
"ignore_above": 1024,
"type": "keyword"
},
"execution_path": {
"ignore_above": 1024,
"type": "keyword"
},
"extra": {
"ignore_above": 1024,
"type": "keyword"
},
"file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"file_path": {
"ignore_above": 1024,
"type": "keyword"
},
"file_size": {
"type": "long"
},
"filename": {
"ignore_above": 1024,
"type": "keyword"
},
"filepath": {
"ignore_above": 1024,
"type": "keyword"
},
"filesize": {
"type": "long"
},
"free": {
"type": "long"
},
"from_email_address": {
"ignore_above": 1024,
"type": "keyword"
},
"ftp_direction": {
"ignore_above": 1024,
"type": "keyword"
},
"ftp_url": {
"ignore_above": 1024,
"type": "keyword"
},
"ftpcommand": {
"ignore_above": 1024,
"type": "keyword"
},
"fw_rule_id": {
"type": "long"
},
"hb_health": {
"ignore_above": 1024,
"type": "keyword"
},
"host": {
"ignore_above": 1024,
"type": "keyword"
},
"httpresponsecode": {
"type": "long"
},
"iap": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_code": {
"ignore_above": 1024,
"type": "keyword"
},
"icmp_type": {
"ignore_above": 1024,
"type": "keyword"
},
"idle_cpu": {
"type": "float"
},
"idp_policy_id": {
"type": "long"
},
"idp_policy_name": {
"ignore_above": 1024,
"type": "keyword"
},
"in_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"interface": {
"ignore_above": 1024,
"type": "keyword"
},
"ipaddress": {
"ignore_above": 1024,
"type": "keyword"
},
"ips_policy_id": {
"type": "long"
},
"localgateway": {
"ignore_above": 1024,
"type": "keyword"
},
"localnetwork": {
"ignore_above": 1024,
"type": "keyword"
},
"log_component": {
"ignore_above": 1024,
"type": "keyword"
},
"log_id": {
"ignore_above": 1024,
"type": "keyword"
},
"log_subtype": {
"ignore_above": 1024,
"type": "keyword"
},
"log_type": {
"ignore_above": 1024,
"type": "keyword"
},
"login_user": {
"ignore_above": 1024,
"type": "keyword"
},
"mailid": {
"ignore_above": 1024,
"type": "keyword"
},
"mailsize": {
"type": "long"
},
"message": {
"ignore_above": 1024,
"type": "keyword"
},
"message_id": {
"ignore_above": 1024,
"type": "keyword"
},
"newversion": {
"ignore_above": 1024,
"type": "keyword"
},
"oldversion": {
"ignore_above": 1024,
"type": "keyword"
},
"out_interface": {
"ignore_above": 1024,
"type": "keyword"
},
"override_authorizer": {
"ignore_above": 1024,
"type": "keyword"
},
"override_name": {
"ignore_above": 1024,
"type": "keyword"
},
"override_token": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"policy_type": {
"ignore_above": 1024,
"type": "keyword"
},
"priority": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"quarantine": {
"ignore_above": 1024,
"type": "keyword"
},
"quarantine_reason": {
"ignore_above": 1024,
"type": "keyword"
},
"querystring": {
"ignore_above": 1024,
"type": "keyword"
},
"raw_data": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"received_pkts": {
"type": "long"
},
"receiveddrops": {
"type": "long"
},
"receivederrors": {
"ignore_above": 1024,
"type": "keyword"
},
"receivedkbits": {
"type": "long"
},
"recv_bytes": {
"type": "long"
},
"red_id": {
"ignore_above": 1024,
"type": "keyword"
},
"referer": {
"ignore_above": 1024,
"type": "keyword"
},
"remote_ip": {
"type": "ip"
},
"remotenetwork": {
"ignore_above": 1024,
"type": "keyword"
},
"responsetime": {
"type": "long"
},
"rule_priority": {
"ignore_above": 1024,
"type": "keyword"
},
"sent_bytes": {
"type": "long"
},
"sent_pkts": {
"type": "long"
},
"server": {
"ignore_above": 1024,
"type": "keyword"
},
"sessionid": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1sum": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_id": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_msg": {
"ignore_above": 1024,
"type": "keyword"
},
"site_category": {
"ignore_above": 1024,
"type": "keyword"
},
"source": {
"ignore_above": 1024,
"type": "keyword"
},
"sourceip": {
"type": "ip"
},
"spamaction": {
"ignore_above": 1024,
"type": "keyword"
},
"sqli": {
"ignore_above": 1024,
"type": "keyword"
},
"src_country_code": {
"ignore_above": 1024,
"type": "keyword"
},
"src_domainname": {
"ignore_above": 1024,
"type": "keyword"
},
"src_ip": {
"type": "ip"
},
"src_mac": {
"ignore_above": 1024,
"type": "keyword"
},
"src_port": {
"type": "long"
},
"srczone": {
"ignore_above": 1024,
"type": "keyword"
},
"srczonetype": {
"ignore_above": 1024,
"type": "keyword"
},
"ssid": {
"ignore_above": 1024,
"type": "keyword"
},
"start_time": {
"type": "date"
},
"starttime": {
"type": "date"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"status_code": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"system_cpu": {
"type": "float"
},
"target": {
"ignore_above": 1024,
"type": "keyword"
},
"threatname": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"to_email_address": {
"ignore_above": 1024,
"type": "keyword"
},
"total_memory": {
"type": "long"
},
"trans_dst_ip": {
"type": "ip"
},
"trans_dst_port": {
"type": "long"
},
"trans_src_ip": {
"type": "ip"
},
"trans_src_port": {
"type": "long"
},
"transaction_id": {
"ignore_above": 1024,
"type": "keyword"
},
"transactionid": {
"ignore_above": 1024,
"type": "keyword"
},
"transmitteddrops": {
"type": "long"
},
"transmittederrors": {
"ignore_above": 1024,
"type": "keyword"
},
"transmittedkbits": {
"type": "long"
},
"unit": {
"ignore_above": 1024,
"type": "keyword"
},
"updatedip": {
"type": "ip"
},
"upload_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"upload_file_type": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
},
"used": {
"type": "long"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
},
"user_cpu": {
"type": "float"
},
"user_gp": {
"ignore_above": 1024,
"type": "keyword"
},
"user_group": {
"ignore_above": 1024,
"type": "keyword"
},
"user_name": {
"ignore_above": 1024,
"type": "keyword"
},
"users": {
"ignore_above": 1024,
"type": "keyword"
},
"vconn_id": {
"type": "long"
},
"virus": {
"ignore_above": 1024,
"type": "keyword"
},
"website": {
"ignore_above": 1024,
"type": "keyword"
},
"xss": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}
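Review bot: Several near-duplicate fields in `sophos.xg` disagree on type: `con_id` and `conn_id` are `long` but `connid` is `keyword`; `receiveddrops`/`transmitteddrops` are `long` while `receivederrors`/`transmittederrors` are `keyword`; `src_ip`, `dst_ip`, `sourceip`, `destinationip`, `remote_ip` and `updatedip` are `ip` but `ipaddress` is `keyword`. If these variants come from different XG log formats carrying the same value, a counter indexed as `keyword` cannot be summed or range-filtered and an address indexed as `keyword` cannot be CIDR-matched, so detection content has to special-case each variant. Unless a given variant is known to carry non-numeric or non-IP values, aligning each group to one type — or a short `_meta` note explaining why they differ — would make the mapping easier to write rules against.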


@@ -0,0 +1,30 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"syslog": {
"properties": {
"facility": {
"type": "long"
},
"facility_label": {
"ignore_above": 1024,
"type": "keyword"
},
"priority": {
"type": "long"
},
"severity_label": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
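Review bot: The `_meta.documentation` link points at the ECS base-field page, but this template declares a custom top-level `syslog` namespace (`facility`, `facility_label`, `priority`, `severity_label`) rather than the ECS `log.syslog.*` fields, so a reader following the link will not find these fields described. Since `_meta` is free-form, consider stating the intent there, e.g. `"description": "Custom syslog.* fields; not the ECS log.syslog.* namespace"`. Note also that `facility` has a numeric mapping while only `severity_label` exists for severity; if the source also emits a numeric severity, presumably it would land unmapped and be dynamically typed — worth confirming against the ingest pipeline.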


@@ -43,6 +43,7 @@
"composed_of": [
"agent-mappings",
"dtc-agent-mappings",
"aws-mappings",
"base-mappings",
"dtc-base-mappings",
"client-mappings",
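Review bot: The new `aws-mappings` reference (and the parallel additions in the later hunks of this commit: azure, cef, checkpoint, cisco, cyberark, fortinet, gcp, google_workspace, juniper, microsoft, misp, o365, okta, redis, snyk, sophos, syslog) relies on the referenced component template already existing when the index template is applied; Elasticsearch rejects an index template whose `composed_of` names a missing component template, so the install order must load the new component templates before these index templates. Entries in `composed_of` are also merged in order, with later entries taking precedence on a conflicting field definition; the placement here looks alphabetical rather than precedence-driven, which is fine while each vendor template stays in its own namespace, but the order policy is not recorded anywhere visible. The `composed_of` array continues past the end of the hunk.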


@@ -43,6 +43,7 @@
"composed_of": [
"agent-mappings",
"dtc-agent-mappings",
"azure-mappings",
"base-mappings",
"dtc-base-mappings",
"client-mappings",


@@ -45,6 +45,7 @@
"dtc-agent-mappings",
"base-mappings",
"dtc-base-mappings",
"cef-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",


@@ -45,6 +45,7 @@
"dtc-agent-mappings",
"base-mappings",
"dtc-base-mappings",
"checkpoint-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",


@@ -46,6 +46,7 @@
"dtc-agent-mappings",
"base-mappings",
"dtc-base-mappings",
"cisco-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",


@@ -48,6 +48,7 @@
"client-mappings",
"cloud-mappings",
"container-mappings",
"cyberark-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",


@@ -60,6 +60,7 @@
"dtc-event-mappings",
"file-mappings",
"dtc-file-mappings",
"fortinet-mappings",
"group-mappings",
"host-mappings",
"dtc-host-mappings",


@@ -60,6 +60,7 @@
"dtc-event-mappings",
"file-mappings",
"dtc-file-mappings",
"gcp-mappings",
"group-mappings",
"host-mappings",
"dtc-host-mappings",


@@ -60,6 +60,7 @@
"dtc-event-mappings",
"file-mappings",
"dtc-file-mappings",
"google_workspace-mappings",
"group-mappings",
"host-mappings",
"dtc-host-mappings",


@@ -65,6 +65,7 @@
"dtc-host-mappings",
"http-mappings",
"dtc-http-mappings",
"juniper-mappings",
"log-mappings",
"network-mappings",
"dtc-network-mappings",


@@ -66,6 +66,7 @@
"http-mappings",
"dtc-http-mappings",
"log-mappings",
"microsoft-mappings",
"network-mappings",
"dtc-network-mappings",
"observer-mappings",


@@ -66,6 +66,7 @@
"http-mappings",
"dtc-http-mappings",
"log-mappings",
"misp-mappings",
"network-mappings",
"dtc-network-mappings",
"observer-mappings",


@@ -68,6 +68,7 @@
"log-mappings",
"network-mappings",
"dtc-network-mappings",
"o365-mappings",
"observer-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",


@@ -70,6 +70,7 @@
"dtc-network-mappings",
"observer-mappings",
"dtc-observer-mappings",
"okta-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",


@@ -77,6 +77,7 @@
"dtc-process-mappings",
"registry-mappings",
"related-mappings",
"redis-mappings",
"rule-mappings",
"dtc-rule-mappings",
"server-mappings",


@@ -82,6 +82,7 @@
"server-mappings",
"service-mappings",
"dtc-service-mappings",
"snyk-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",


@@ -82,6 +82,7 @@
"server-mappings",
"service-mappings",
"dtc-service-mappings",
"sophos-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",


@@ -83,6 +83,7 @@
"service-mappings",
"dtc-service-mappings",
"source-mappings",
"syslog-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",