Merge pull request #3061 from Security-Onion-Solutions/foxtrot

Fix Playbook Fields & Mappings
2025-12-06 17:22:49 +01:00 · 2021-02-21 09:40:59 -05:00
parent 40780f192e 046cc0fbb0
commit 5ca3dc492c
2 changed files with 38 additions and 15 deletions
--- a/salt/common/tools/sbin/so-playbook-sigma-refresh
+++ b/salt/common/tools/sbin/so-playbook-sigma-refresh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+docker exec so-soctopus python3 playbook_play-update.py
--- a/salt/elasticsearch/templates/so/so-common-template.json
+++ b/salt/elasticsearch/templates/so/so-common-template.json
@@ -12,18 +12,16 @@
      "analyzer": {
        "es_security_analyzer": {
          "type": "custom",
-          "filter": [ "path_hierarchy_pattern_filter", "lowercase" ],
-          "tokenizer": "whitespace"
+          "char_filter": [ "whitespace_no_way" ],
+          "filter": [ "lowercase", "trim" ],
+          "tokenizer": "keyword"
+        }
      },
-        "es_security_search_analyzer": {
-          "type": "custom",
-          "filter": [ "lowercase" ],
-          "tokenizer": "whitespace"
-        },
-        "es_security_search_quote_analyzer": {
-          "type": "custom",
-          "filter": [ "lowercase" ],
-          "tokenizer": "whitespace"
+      "char_filter": {
+        "whitespace_no_way": {
+          "type": "pattern_replace",
+          "pattern": "(\\s)+",
+          "replacement": "$1"
        }
      },  
      "filter" : {
@@ -35,6 +33,12 @@
            "((?:[^/]*/)*)(.*)"
          ]
        }
+      },  
+      "tokenizer": {
+        "path_tokenizer": {
+          "type": "path_hierarchy",
+          "delimiter": "\\"
+        }
      }
    }
  },
@@ -67,13 +71,12 @@
              "type": "text",
              "fields": {
                "keyword": {
+                "ignore_above": 32765,
                 "type": "keyword"
               },
               "security": {
                 "type": "text",
-                 "analyzer": "es_security_analyzer",
-                 "search_analyzer": "es_security_search_analyzer",
-                 "search_quote_analyzer": "es_security_search_quote_analyzer"
+                 "analyzer": "es_security_analyzer"
               }
             }
            }