diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 737c1118e..bfeeadb20 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -55,7 +55,7 @@ elasticsearch: indices: query: bool: - max_clause_count: 1500 + max_clause_count: 3000 id_field_data: enabled: false logger: diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index ece110c8b..aa3c6cbd6 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -147,11 +147,13 @@ esingestdir: estemplatedir: file.directory: - - name: /opt/so/conf/elasticsearch/templates + - name: /opt/so/conf/elasticsearch/templates/index - user: 930 - group: 939 - makedirs: True + + esrolesdir: file.directory: - name: /opt/so/conf/elasticsearch/roles @@ -200,17 +202,24 @@ esyml: {% for TEMPLATE in TEMPLATES %} es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}: file.managed: - - source: salt://elasticsearch/templates/{{TEMPLATE}} + - source: salt://elasticsearch/templates/index/{{TEMPLATE}} {% if 'jinja' in TEMPLATE.split('.')[-1] %} - - name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}} + - name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}} - template: jinja {% else %} - - name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1]}} + - name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1]}} {% endif %} - user: 930 - group: 939 {% endfor %} +escomponenttemplates: + file.recurse: + - name: /opt/so/conf/elasticsearch/templates/component + - source: salt://elasticsearch/templates/component + - user: 930 + - group: 939 + esroles: file.recurse: - source: salt://elasticsearch/roles/ diff --git a/salt/elasticsearch/templates/component/ecs/agent.json b/salt/elasticsearch/templates/component/ecs/agent.json new file mode 100644 index 000000000..4c7f8738e --- /dev/null 
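Review bot: Raising `max_clause_count` from 1500 to 3000 doubles the number of clauses a single boolean query may expand to, and that ceiling exists to bound the heap and CPU one search can consume, so this hunk relaxes a resource-exhaustion guard on every node that renders this default. Nothing in the diff records which query, rule or dashboard hit the 1500 limit, and nothing caps the value in the pillar, so a comment above the key naming the trigger and the trade-off would keep the next reader from bumping it again blindly, e.g. `# raised from 1500 for <trigger>; higher values let one query consume more heap, do not raise further without load-testing`. If the target Elasticsearch major is newer than the one this pillar was written against, also confirm the `indices.query.bool.*` key is still honored there rather than deprecated, otherwise the change silently has no effect.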
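Review bot: The new `escomponenttemplates` file.recurse state has no `clean: True`, so a component template later removed or renamed in the salt tree stays under `/opt/so/conf/elasticsearch/templates/component` on every minion and, if the loader enumerates that directory, keeps being pushed to Elasticsearch; the same gap applies to the index templates, whose managed copies now land in `templates/index` while any previously managed files in the old flat `templates/` path are not removed by this change. Adding `- clean: True` to `escomponenttemplates` (and a one-time removal of the stale files in the old path) would keep on-disk mappings in step with the tree; whether the loader globs the old path is not visible in this hunk, so confirm before relying on it. Neither the recurse state nor the `file.managed` loop sets a mode, so the written templates inherit the minion's umask; they are not secret, but an explicit `- file_mode: 644` and `- dir_mode: 755` on `escomponenttemplates` makes the intended permissions visible rather than environmental. The `esroles` state at the end of the hunk continues outside it.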
+++ b/salt/elasticsearch/templates/component/ecs/agent.json @@ -0,0 +1,44 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/base.json b/salt/elasticsearch/templates/component/ecs/base.json new file mode 100644 index 000000000..f409ed95a --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/base.json @@ -0,0 +1,25 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "@timestamp": { + "type": "date" + }, + "labels": { + "type": "object" + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/client.json b/salt/elasticsearch/templates/component/ecs/client.json new file mode 100644 index 000000000..7f5a2169e --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/client.json 
@@ -0,0 +1,187 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 
1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/cloud.json b/salt/elasticsearch/templates/component/ecs/cloud.json new file mode 100644 index 000000000..f41ab4a8f --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/cloud.json 
@@ -0,0 +1,80 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/container.json b/salt/elasticsearch/templates/component/ecs/container.json new file mode 100644 index 000000000..bd5ce8113 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/container.json 
@@ -0,0 +1,43 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/data_stream.json b/salt/elasticsearch/templates/component/ecs/data_stream.json new file mode 100644 index 000000000..dfbfe3f51 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/data_stream.json @@ -0,0 +1,25 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "data_stream": { + "properties": { + "dataset": { + "type": "constant_keyword" + }, + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/destination.json b/salt/elasticsearch/templates/component/ecs/destination.json new file mode 100644 index 000000000..4fac31200 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/destination.json 
@@ -0,0 +1,187 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/dll.json b/salt/elasticsearch/templates/component/ecs/dll.json new file mode 100644 index 000000000..84667a6b9 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/dll.json 
@@ -0,0 +1,116 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/dns.json b/salt/elasticsearch/templates/component/ecs/dns.json new file mode 100644 index 000000000..321a061f5 --- /dev/null 
+++ b/salt/elasticsearch/templates/component/ecs/dns.json @@ -0,0 +1,91 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/ecs.json b/salt/elasticsearch/templates/component/ecs/ecs.json new file mode 100644 index 000000000..9abfcf61c --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/ecs.json 
@@ -0,0 +1,20 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/error.json b/salt/elasticsearch/templates/component/ecs/error.json new file mode 100644 index 000000000..c33f580ab --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/error.json @@ -0,0 +1,39 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "type": "match_only_text" + }, + "stack_trace": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/event.json b/salt/elasticsearch/templates/component/ecs/event.json new file mode 100644 index 000000000..0d43760a2 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/event.json 
@@ -0,0 +1,112 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/file.json b/salt/elasticsearch/templates/component/ecs/file.json new file mode 100644 index 000000000..6242cc324 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/file.json 
@@ -0,0 +1,424 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + 
"type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/group.json b/salt/elasticsearch/templates/component/ecs/group.json new file mode 100644 index 000000000..ed40b4d9f --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/group.json @@ -0,0 +1,28 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/host.json b/salt/elasticsearch/templates/component/ecs/host.json new file mode 100644 index 000000000..cf69aad56 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/host.json 
@@ -0,0 +1,247 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/http.json b/salt/elasticsearch/templates/component/ecs/http.json new file mode 100644 index 000000000..d6164a191 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/http.json 
@@ -0,0 +1,87 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/log.json b/salt/elasticsearch/templates/component/ecs/log.json new file mode 100644 index 000000000..e79661b5e --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/log.json 
@@ -0,0 +1,86 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "integer" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/network.json b/salt/elasticsearch/templates/component/ecs/network.json new file mode 100644 index 000000000..c2e35efd0 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/network.json 
@@ -0,0 +1,86 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/observer.json b/salt/elasticsearch/templates/component/ecs/observer.json new file mode 100644 index 000000000..ecd3b1155 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/observer.json 
@@ -0,0 +1,214 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + 
"ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/orchestrator.json b/salt/elasticsearch/templates/component/ecs/orchestrator.json new file mode 100644 index 000000000..87f2af201 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/orchestrator.json 
@@ -0,0 +1,60 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/organization.json b/salt/elasticsearch/templates/component/ecs/organization.json new file mode 100644 index 000000000..b0ea050fa --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/organization.json @@ -0,0 +1,29 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/package.json b/salt/elasticsearch/templates/component/ecs/package.json new file mode 100644 index 000000000..b726f8f7f --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/package.json 
@@ -0,0 +1,66 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/process.json b/salt/elasticsearch/templates/component/ecs/process.json new file mode 100644 index 000000000..a95fe6bba --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/process.json 
@@ -0,0 +1,612 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/registry.json b/salt/elasticsearch/templates/component/ecs/registry.json new file mode 100644 index 000000000..7cfa34ad6 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/registry.json @@ -0,0 +1,47 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/salt/elasticsearch/templates/component/ecs/related.json b/salt/elasticsearch/templates/component/ecs/related.json new file mode 100644 index 000000000..1af1593c8 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/related.json @@ -0,0 +1,31 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/rule.json b/salt/elasticsearch/templates/component/ecs/rule.json new file mode 100644 index 000000000..400c64f6d --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/rule.json @@ -0,0 +1,56 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/salt/elasticsearch/templates/component/ecs/server.json b/salt/elasticsearch/templates/component/ecs/server.json new file mode 100644 index 000000000..a7587e954 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/server.json 
@@ -0,0 +1,187 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 
1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/service.json b/salt/elasticsearch/templates/component/ecs/service.json new file mode 100644 index 000000000..2fbdad6d4 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/service.json @@ -0,0 +1,56 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/salt/elasticsearch/templates/component/ecs/source.json b/salt/elasticsearch/templates/component/ecs/source.json new file mode 100644 index 000000000..9408e0133 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/source.json 
@@ -0,0 +1,187 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 
1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/threat.json b/salt/elasticsearch/templates/component/ecs/threat.json new file mode 100644 index 000000000..4bed345e1 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/threat.json 
@@ -0,0 +1,1650 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-threat.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + 
"exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": 
"date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + 
"properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + } + }, + "type": "nested" + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 
1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/tls.json b/salt/elasticsearch/templates/component/ecs/tls.json new file mode 100644 index 000000000..413f217ad --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/tls.json 
@@ -0,0 +1,354 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": 
false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/tracing.json b/salt/elasticsearch/templates/component/ecs/tracing.json new file mode 100644 index 000000000..7db45e4a2 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/tracing.json 
@@ -0,0 +1,36 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/url.json b/salt/elasticsearch/templates/component/ecs/url.json new file mode 100644 index 000000000..efdaed1fb --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/url.json @@ -0,0 +1,78 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file 
diff --git a/salt/elasticsearch/templates/component/ecs/user.json b/salt/elasticsearch/templates/component/ecs/user.json new file mode 100644 index 000000000..1ad4bac67 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/user.json 
@@ -0,0 +1,244 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/user_agent.json b/salt/elasticsearch/templates/component/ecs/user_agent.json new file mode 100644 index 000000000..9a0517e6d --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/user_agent.json 
@@ -0,0 +1,83 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/vulnerability.json b/salt/elasticsearch/templates/component/ecs/vulnerability.json new file mode 100644 index 000000000..d7d8db4d6 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/vulnerability.json 
@@ -0,0 +1,78 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/so/case-mappings.json b/salt/elasticsearch/templates/component/so/case-mappings.json new file mode 100644 index 000000000..aef586459 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/case-mappings.json 
@@ -0,0 +1,213 @@ + { + "template": { + "mappings": { + "properties": { + "so_audit_doc_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "so_related": { + "properties": { + "createTime": { + "type": "date" + }, + "caseId": { + "ignore_above": 1024, + "type": "keyword" + }, + "fields": { + "eager_global_ordinals": false, + "ignore_above": 1024, + "index": true, + "type": "flattened", + "index_options": "docs", + "split_queries_on_whitespace": false, + "doc_values": true + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "@timestamp": { + "type": "date" + }, + "so_artifactstream": { + "properties": { + "createTime": { + "type": "date" + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + }, + "content": { + "type": "text" + } + } + }, + "so_comment": { + "properties": { + "createTime": { + "type": "date" + }, + "caseId": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "type": "text" + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "so_kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "so_operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "so_case": { + "properties": { + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "template": { + "ignore_above": 1024, + "type": "keyword" + }, + "completeTime": { + "type": "date" + }, + "description": { + "type": "text" + }, + "priority": { + "type": "long" + }, + "title": { + "type": "text" + }, + "assigneeId": { + "ignore_above": 1024, + "type": "keyword" + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "createTime": { + "type": "date" + }, + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "startTime": { + "type": "date" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "pap": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "so_artifact": { + "properties": { + "artifactType": { + "ignore_above": 1024, + "type": "keyword" + }, + "groupType": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "streamId": { + "ignore_above": 1024, + "type": "keyword" + }, + "groupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "streamLength": { + "type": "long" + }, + "description": { + "type": "text" + }, + "mimeType": { + "ignore_above": 1024, + "type": "keyword" + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "createTime": { + "type": "date" + }, + "caseId": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "ioc": { + "type": "boolean" + }, + "value": { + "type": "text", + "fields": { + "keyword": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + }, + "_meta": { + "ecs_version": "1.12.2" + } +} diff --git a/salt/elasticsearch/templates/component/so/case-settings.json b/salt/elasticsearch/templates/component/so/case-settings.json new file mode 100644 index 000000000..3a4429926 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/case-settings.json 
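Review bot: `_meta` on case-mappings.json carries only `"ecs_version": "1.12.2"`, yet none of the `so_*` fields in this mapping are ECS fields, so anyone auditing where a mapping came from will be misled; give it a `"description"` naming it as the Security Onion Cases mapping (`so_case`, `so_comment`, `so_artifact`, `so_artifactstream`, `so_related`) and either drop the ECS version or say it is the ECS release the surrounding templates target. The first line `+ {` also carries a leading space that no sibling component file has. `so_artifactstream.content` is mapped as analyzed `text`; if artifact streams carry whole file contents (this diff does not show the writer), every chunk is tokenized and indexed, which is expensive and makes the raw content full-text searchable to everyone with read access to the cases index — if only storage is needed, `"index": false` or a `keyword` with `ignore_above` is the safer mapping, so confirm the intent and record it next to the field.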
@@ -0,0 +1,65 @@
+{
+ "template": {
+ "settings": {
+ "index": {
+ "routing": {
+ "allocation": {
+ "require": {
+ "box_type": "hot"
+ }
+ }
+ },
+ "mapping": {
+ "total_fields": {
+ "limit": "3000"
+ }
+ },
+ "refresh_interval": "30s",
+ "analysis": {
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": "true",
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "pattern": "(\\s)+",
+ "type": "pattern_replace",
+ "replacement": "$1"
+ }
+ },
+ "analyzer": {
+ "es_security_analyzer": {
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "type": "custom",
+ "tokenizer": "keyword"
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ },
+ "number_of_shards": "1",
+ "number_of_replicas": "0"
+ }
+ }
+ },
+ "version": 1,
+ "_meta": {
+ "description": "default settings for common Security Onion Cases indices"
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json b/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json
new file mode 100644
index 000000000..7ae4ae86c
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json
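Review bot: case-settings.json is the analysis/routing/shard block of common-settings.json copied verbatim with only `_meta.description` changed, so the two will drift apart the first time `es_security_analyzer` is tuned in one place; either have so-case-template compose `common-settings` instead, or state in `_meta.description` that this is a deliberate copy and what is expected to differ. Every index-level value here (`"number_of_shards": "1"`, `"number_of_replicas": "0"`, `"refresh_interval": "30s"`, `"limit": "3000"`) is also set by the index template that composes this component, and an index template's own settings take precedence over its component templates, so these values are fallbacks that never take effect as long as so-case-template sets them — worth saying in `_meta` so nobody tunes shard counts here and wonders why nothing changed. `"preserve_original": "true"` is a string where the rest of the file uses JSON literals; Elasticsearch treats settings as strings anyway, but `true` reads unambiguously.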
@@ -0,0 +1,56 @@
+{
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "ip_address": {
+ "path_match": "*.ip",
+ "mapping": {
+ "type": "ip",
+ "fields": {
+ "keyword": {
+ "ignore_above": 45,
+ "type": "keyword"
+ }
+ }
+ },
+ "match_mapping_type": "string"
+ }
+ },
+ {
+ "port": {
+ "path_match": "*.port",
+ "path_unmatch": "*.data.port",
+ "mapping": {
+ "type": "integer",
+ "fields": {
+ "keyword": {
+ "ignore_above": 6,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ {
+ "strings": {
+ "mapping": {
+ "type": "text",
+ "fields": {
+ "security": {
+ "analyzer": "es_security_analyzer",
+ "type": "text"
+ },
+ "keyword": {
+ "ignore_above": 32765,
+ "type": "keyword"
+ }
+ }
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ]
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/common-settings.json b/salt/elasticsearch/templates/component/so/common-settings.json
new file mode 100644
index 000000000..729ba3388
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/common-settings.json
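Review bot: The `ip_address` template maps any string under `*.ip` to type `ip` and the `port` template maps any value under `*.port` to `integer`, and neither sets `ignore_malformed`, so a single value Elasticsearch cannot parse (a hostname landing in an `.ip` field, `-` or `n/a` in a `.port` field) raises a mapper_parsing_exception that rejects the whole event, not just that field — for a SIEM that is silent log loss on exactly the odd records an analyst wants to see. Add `"ignore_malformed": true` to both `mapping` objects and monitor the `_ignored` meta-field so the dropped values stay visible instead of disappearing. The `strings` template's `security` sub-field names `es_security_analyzer`, which is only defined in common-settings.json and case-settings.json; an index template that composes this component without one of those fails at index creation with an unknown-analyzer error, so that dependency belongs in a `_meta.description` on this component, which currently has no `_meta` at all. `port` has no `match_mapping_type`, so it also applies to long and double values — presumably intended, but confirm.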
@@ -0,0 +1,65 @@
+{
+ "template": {
+ "settings": {
+ "index": {
+ "routing": {
+ "allocation": {
+ "require": {
+ "box_type": "hot"
+ }
+ }
+ },
+ "mapping": {
+ "total_fields": {
+ "limit": "3000"
+ }
+ },
+ "refresh_interval": "30s",
+ "analysis": {
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": "true",
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "pattern": "(\\s)+",
+ "type": "pattern_replace",
+ "replacement": "$1"
+ }
+ },
+ "analyzer": {
+ "es_security_analyzer": {
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "type": "custom",
+ "tokenizer": "keyword"
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ },
+ "number_of_shards": "1",
+ "number_of_replicas": "0"
+ }
+ }
+ },
+ "version": 1,
+ "_meta": {
+ "description": "default settings for common Security Onion indices"
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/dtc-event-mappings b/salt/elasticsearch/templates/component/so/dtc-event-mappings
new file mode 100644
index 000000000..1b4798487
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/dtc-event-mappings
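Review bot: `"routing": {"allocation": {"require": {"box_type": "hot"}}}` means every index composed from this component stays unassigned — no ingest, cluster yellow or red — on any cluster where no data node carries the `box_type: hot` node attribute; that is presumably guaranteed by the Security Onion node configuration (not in this diff), but since this component is composed into every `so-*` template it should be stated in `_meta.description`, e.g. `"description": "default settings for common Security Onion indices; requires data nodes tagged node.attr.box_type=hot"`. `path_hierarchy_pattern_filter` and `path_tokenizer` are defined but referenced by nothing in this file — `es_security_analyzer` uses only `lowercase`, `trim`, `whitespace_no_way` and the `keyword` tokenizer — so either a mapping elsewhere uses them (then say so) or they are dead settings. The shard, replica, refresh and field-limit values here are overridden by each index template in this diff, since index template settings win over component settings; document them as fallbacks.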
@@ -0,0 +1,127 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} 
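Review bot: `dtc-event-mappings` and `dtc-observer-mappings` (L68) are the only files under `templates/component/so/` without a `.json` extension (`case-mappings.json`, `common-settings.json` and the rest have it), so whatever loads these components into Elasticsearch — not in this diff — must tolerate both forms, and editors and linters will not treat them as JSON; rename them or write the naming convention down next to the loader. Both files keep the ECS `_meta.documentation` link while deliberately diverging from ECS by adding a `fields.keyword` sub-field to `event.category`, `event.dataset`, `event.module` and `observer.name`, which are already `keyword`, so the same term is indexed twice for no query gain; if this exists so saved searches and dashboards on `event.module.keyword` keep working, record that in `_meta`, e.g. `"description": "ECS event fields plus .keyword sub-fields kept for compatibility with existing saved objects"`. The `dtc` prefix is not explained anywhere in the diff; the description is the place for it.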
diff --git a/salt/elasticsearch/templates/component/so/dtc-observer-mappings b/salt/elasticsearch/templates/component/so/dtc-observer-mappings new file mode 100644 index 000000000..1168cd100 --- /dev/null +++ b/salt/elasticsearch/templates/component/so/dtc-observer-mappings 
@@ -0,0 +1,219 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + 
"ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "match_only_text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/custom/place_custom_template_in_local b/salt/elasticsearch/templates/index/custom/place_custom_template_in_local similarity index 100% rename from salt/elasticsearch/templates/custom/place_custom_template_in_local rename to salt/elasticsearch/templates/index/custom/place_custom_template_in_local diff --git a/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja new file mode 100644 index 000000000..4217cb2b0 --- /dev/null +++ b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja 
@@ -0,0 +1,89 @@ +{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-aws:shards', 1) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-aws:refresh', '30s') %} +{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-aws:priority', 500) %} +{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-aws:field_limit', 3000) %} +{ + "index_patterns": [ + "so-aws*" + ], + "template": { + "mappings": { + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": {{ FIELD_LIMIT }} + } + }, + {%- if INDEX_SORTING is sameas true %} + "index.sort.field": "@timestamp", + "index.sort.order": "desc", + {%- endif %} + "refresh_interval": "{{ REFRESH }}", + "number_of_shards": {{ SHARDS }}, + "number_of_replicas": {{ REPLICAS }} + } + } + }, + "composed_of": [ + "agent-mappings", + "base-mappings", + "client-mappings", + "cloud-mappings", + "container-mappings", + "data_stream-mappings", + "destination-mappings", + "dll-mappings", + "dns-mappings", + "ecs-mappings", + "error-mappings", + "dtc-event-mappings", + "file-mappings", + "group-mappings", + "host-mappings", + "http-mappings", + "log-mappings", + "network-mappings", + "dtc-observer-mappings", + "orchestrator-mappings", + "organization-mappings", + "package-mappings", + "process-mappings", + "registry-mappings", + "related-mappings", + "rule-mappings", + "server-mappings", + "service-mappings", + "source-mappings", + "threat-mappings", + "tls-mappings", + "tracing-mappings", + "url-mappings", + "user_agent-mappings", + "user-mappings", + "vulnerability-mappings", + "common-settings", + 
"common-dynamic-mappings" + ], + "priority": {{ PRIORITY }}, + "_meta": { + "description": "Composable template that includes SO base fields", + "ecs_version": "1.12" + } + } + } diff --git a/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja new file mode 100644 index 000000000..a3d30e9b2 --- /dev/null +++ b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja 
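Review bot: By my count the rendered so-aws-template.json.jinja closes three braces after `"ecs_version": "1.12"` while only two objects (`_meta` and the root) are still open there — `template` is already closed before `"composed_of"` — so the document ends with a stray `}` and is not valid JSON; the same tail appears in so-azure (L72), so-barracuda (L74), so-beats (L76), so-bluecoat (L78) and so-case (L78), and the hunk line counts (`+1,89` and `+1,53`) are consistent with the extra line. Whether Elasticsearch accepts the body depends on how the loader submits it (trailing content after the root object has historically been ignored by some endpoints), but any strict consumer such as `jq` or a pre-flight JSON lint will reject it, so drop the final `}` in each file. The 38-entry `composed_of` list is pasted verbatim into five templates; a shared Jinja include for the common component list would turn adding a component into a one-line change and remove the risk of the lists drifting. `_meta.ecs_version` says `"1.12"` while every component in this diff says `"1.12.2"`; align them.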
@@ -0,0 +1,89 @@ +{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-azure:shards', 1) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-azure:refresh', '30s') %} +{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-azure:priority', 500) %} +{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-azure:field_limit', 3000) %} +{ + "index_patterns": [ + "so-azure*" + ], + "template": { + "mappings": { + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": {{ FIELD_LIMIT }} + } + }, + {%- if INDEX_SORTING is sameas true %} + "index.sort.field": "@timestamp", + "index.sort.order": "desc", + {%- endif %} + "refresh_interval": "{{ REFRESH }}", + "number_of_shards": {{ SHARDS }}, + "number_of_replicas": {{ REPLICAS }} + } + } + }, + "composed_of": [ + "agent-mappings", + "base-mappings", + "client-mappings", + "cloud-mappings", + "container-mappings", + "data_stream-mappings", + "destination-mappings", + "dll-mappings", + "dns-mappings", + "ecs-mappings", + "error-mappings", + "dtc-event-mappings", + "file-mappings", + "group-mappings", + "host-mappings", + "http-mappings", + "log-mappings", + "network-mappings", + "dtc-observer-mappings", + "orchestrator-mappings", + "organization-mappings", + "package-mappings", + "process-mappings", + "registry-mappings", + "related-mappings", + "rule-mappings", + "server-mappings", + "service-mappings", + "source-mappings", + "threat-mappings", + "tls-mappings", + "tracing-mappings", + "url-mappings", + "user_agent-mappings", + "user-mappings", + "vulnerability-mappings", + "common-settings", 
+ "common-dynamic-mappings" + ], + "priority": {{ PRIORITY }}, + "_meta": { + "description": "Composable template that includes SO base fields", + "ecs_version": "1.12" + } + } + } diff --git a/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja b/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja new file mode 100644 index 000000000..4a7dfb7bd --- /dev/null +++ b/salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja 
@@ -0,0 +1,89 @@ +{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:shards', 1) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:refresh', '30s') %} +{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:priority', 500) %} +{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:field_limit', 3000) %} +{ + "index_patterns": [ + "so-barracuda*" + ], + "template": { + "mappings": { + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": {{ FIELD_LIMIT }} + } + }, + {%- if INDEX_SORTING is sameas true %} + "index.sort.field": "@timestamp", + "index.sort.order": "desc", + {%- endif %} + "refresh_interval": "{{ REFRESH }}", + "number_of_shards": {{ SHARDS }}, + "number_of_replicas": {{ REPLICAS }} + } + } + }, + "composed_of": [ + "agent-mappings", + "base-mappings", + "client-mappings", + "cloud-mappings", + "container-mappings", + "data_stream-mappings", + "destination-mappings", + "dll-mappings", + "dns-mappings", + "ecs-mappings", + "error-mappings", + "dtc-event-mappings", + "file-mappings", + "group-mappings", + "host-mappings", + "http-mappings", + "log-mappings", + "network-mappings", + "dtc-observer-mappings", + "orchestrator-mappings", + "organization-mappings", + "package-mappings", + "process-mappings", + "registry-mappings", + "related-mappings", + "rule-mappings", + "server-mappings", + "service-mappings", + "source-mappings", + "threat-mappings", + "tls-mappings", + "tracing-mappings", + "url-mappings", + "user_agent-mappings", + "user-mappings", + "vulnerability-mappings", 
+ "common-settings", + "common-dynamic-mappings" + ], + "priority": {{ PRIORITY }}, + "_meta": { + "description": "Composable template that includes SO base fields", + "ecs_version": "1.12" + } + } + } diff --git a/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja new file mode 100644 index 000000000..bb55bb52a --- /dev/null +++ b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja 
@@ -0,0 +1,89 @@ +{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %} +{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} +{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-beats:shards', 1) %} +{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-beats:refresh', '30s') %} +{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-beats:priority', 500) %} +{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-beats:field_limit', 3000) %} +{ + "index_patterns": [ + "so-beats*" + ], + "template": { + "mappings": { + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false + }, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": {{ FIELD_LIMIT }} + } + }, + {%- if INDEX_SORTING is sameas true %} + "index.sort.field": "@timestamp", + "index.sort.order": "desc", + {%- endif %} + "refresh_interval": "{{ REFRESH }}", + "number_of_shards": {{ SHARDS }}, + "number_of_replicas": {{ REPLICAS }} + } + } + }, + "composed_of": [ + "agent-mappings", + "base-mappings", + "client-mappings", + "cloud-mappings", + "container-mappings", + "data_stream-mappings", + "destination-mappings", + "dll-mappings", + "dns-mappings", + "ecs-mappings", + "error-mappings", + "dtc-event-mappings", + "file-mappings", + "group-mappings", + "host-mappings", + "http-mappings", + "log-mappings", + "network-mappings", + "dtc-observer-mappings", + "orchestrator-mappings", + "organization-mappings", + "package-mappings", + "process-mappings", + "registry-mappings", + "related-mappings", + "rule-mappings", + "server-mappings", + "service-mappings", + "source-mappings", + "threat-mappings", + "tls-mappings", + "tracing-mappings", + "url-mappings", + "user_agent-mappings", + "user-mappings", + "vulnerability-mappings", + "common-settings", 
+ "common-dynamic-mappings" + ], + "priority": {{ PRIORITY }}, + "_meta": { + "description": "Composable template that includes SO base fields", + "ecs_version": "1.12" + } + } + } diff --git a/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja b/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja new file mode 100644 index 000000000..c135b4173 --- /dev/null +++ b/salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja 
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-bluecoat*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-case-template.json.jinja b/salt/elasticsearch/templates/index/so/so-case-template.json.jinja
new file mode 100644
index 000000000..3e526979d
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-case-template.json.jinja
@@ -0,0 +1,53 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-case:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-case:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-case:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-case:field_limit', 2000) %}
+{
+ "index_patterns": [
+ "so-case*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "case-mappings",
+ "case-settings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes Cases fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
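Review bot: `composed_of` in the so-case template names `case-mappings` and `case-settings`, and Elasticsearch rejects a composable index template whose `composed_of` references a component template that does not exist yet, so the load order must guarantee those component templates are PUT before this index template; nothing in this hunk documents that dependency. A short header comment, e.g. `{# requires component templates case-mappings and case-settings to be loaded first #}`, would make it explicit. The same ordering requirement applies to the ECS component list referenced by every other so-* template in this batch.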
diff --git a/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja
new file mode 100644
index 000000000..f76e79043
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cef:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cef:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cef:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cef:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-cef*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja
new file mode 100644
index 000000000..7a097e4dd
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-checkpoint*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja
new file mode 100644
index 000000000..1e35a944e
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja
@@ -0,0 +1,90 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cisco:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cisco:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cisco:field_limit', 3000) %}
+{
+ "index_templates": [
+ {
+ "so-cisco*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-common-template.json.jinja b/salt/elasticsearch/templates/index/so/so-common-template.json.jinja
new file mode 100644
index 000000000..6560fb701
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-common-template.json.jinja
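Review bot: The so-cisco template's pattern block is malformed: the key is `index_templates` instead of `index_patterns`, and a stray `{` is opened right after it that nothing closes, so the file renders to invalid JSON and the composable template should be rejected on load — so-cisco events would then fall through to the lower-priority catch-all so-common template instead of getting their own settings. The three lines should read `"index_patterns": [`, `"so-cisco*"`, `],`, matching every other template in this batch (the 90-line hunk count versus 89 elsewhere is that extra `{`).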
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-common:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-common:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-common:priority', 1) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-common:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "sort.field": "@timestamp",
+ "sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja
new file mode 100644
index 000000000..4f321448e
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja
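Review bot: Inside the `settings.index` object the so-common template writes `sort.field`/`sort.order`, while every other so-* template in this batch (so-beats, so-bluecoat, so-case, so-cef, so-checkpoint, so-cisco, so-cyberark, so-cylance, so-elasticsearch, so-endgame, so-f5, so-firewall, so-flow, so-fortinet) writes `index.sort.field`/`index.sort.order` under that same `index` object, which flattens to `index.index.sort.field`; the two spellings cannot both be right, and the nested `sort.field` form is the one that resolves to the `index.sort.field` setting. Because the block is only emitted when `elasticsearch:index_sorting` is true (default `False`), the mismatch would surface only when an operator enables sorting and a new index is created. The other templates should be aligned on `"sort.field": "@timestamp",` / `"sort.order": "desc",`, or the keys moved out of the nested `index` object. Since this file is the `so-*` catch-all at priority 1, a comment stating that it is the fallback for any so- index without a more specific template would also help.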
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-cyberark*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja
new file mode 100644
index 000000000..f2baf8883
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cylance:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cylance:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cylance:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-cylance*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja b/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja
new file mode 100644
index 000000000..8308393e9
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-elasticsearch*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja b/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja
new file mode 100644
index 000000000..dfc1a1940
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-endgame:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-endgame:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-endgame:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-endgame*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja b/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja
new file mode 100644
index 000000000..02077b4cd
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-f5-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-f5:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-f5:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-f5:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-f5:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-f5*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja b/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja
new file mode 100644
index 000000000..a809cd024
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-firewall:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-firewall:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-firewall:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-firewall*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja b/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja
new file mode 100644
index 000000000..773eaf059
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-flow-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-flow:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-flow:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-flow:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-flow:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-flow*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja
new file mode 100644
index 000000000..1595c840e
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-fortinet*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja
new file mode 100644
index 000000000..bb0671aa0
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja
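Review bot: The `{%- if INDEX_SORTING is sameas true %}` block emits `"index.sort.field"` and `"index.sort.order"` inside the already-nested `"settings": { "index": { ... } }` object; if I read the settings parser correctly, Elasticsearch flattens nested keys by joining them with `.`, so these arrive as `index.index.sort.field` / `index.index.sort.order` and would be rejected as unknown settings when the template is put. With the pillar default of `False` the block never renders, so this only surfaces for a deployment that enables `elasticsearch:index_sorting`. Use keys relative to the enclosing `index` object: `"sort.field": "@timestamp",` and `"sort.order": "desc",`.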
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-gcp:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-gcp:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-gcp:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-gcp*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja
new file mode 100644
index 000000000..eca2e3278
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja
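Review bot: This file is identical to the other so-*-template.json.jinja files in the commit except for the `so-gcp` name repeated in the six pillar lookups and the index pattern, including the 38-entry `composed_of` list. Fifteen hand-copied copies of that list will drift the first time a component template is added or renamed; a single shared Jinja file parameterised by the index name (for example `{%- set INDEX_NAME = 'so-gcp' %}` followed by `{% include 'elasticsearch/templates/index/so/_so_template.jinja' with context %}`) would keep one source of truth. Any defect in the shared body — such as the trailing `}` after the `_meta` object, or the `index.sort.*` keys nested under `index` — would then need one fix instead of fifteen.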
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-google_workspace*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja b/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja
new file mode 100644
index 000000000..b15f6e2ac
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-ids-template.json.jinja
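Review bot: There is one closing brace too many at the end of this template: after `"ecs_version": "1.12"` only `_meta` and the root object remain open, yet three `+ }` lines follow, which leaves the rendered file as invalid JSON. It may load today because the Elasticsearch request parser likely stops at the end of the root object, but anything that validates the whole document will refuse it. Remove the last `+ }` line; the so-google_workspace file has the same shape as all the other templates in this commit, so the fix applies to each of them.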
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ids:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ids:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-ids:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-ids:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-ids*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja b/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja
new file mode 100644
index 000000000..00ae35827
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja
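Review bot: The `"index.sort.field"` / `"index.sort.order"` keys in the `{%- if INDEX_SORTING is sameas true %}` block sit inside the `"index": { ... }` object that already carries the `index` prefix, so after Elasticsearch flattens the nested settings they most likely become `index.index.sort.field` and `index.index.sort.order`, neither of which is a known setting. Because the pillar defaults to `False`, nothing in the default deployment exercises this path, which makes it easy to ship broken. The keys should be written relative to the enclosing object, `"sort.field": "@timestamp",` and `"sort.order": "desc",`, or the block moved up a level next to `"index"`.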
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-imperva:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-imperva:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-imperva:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-imperva*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-import-template.json.jinja b/salt/elasticsearch/templates/index/so/so-import-template.json.jinja
new file mode 100644
index 000000000..d171b1a88
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-import-template.json.jinja
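Review bot: `{%- if INDEX_SORTING is sameas true %}` only fires for a genuine Python boolean, so a pillar entry written as the quoted string `"true"` or `"True"` silently leaves index sorting off with no render-time error, and nothing in the file warns about it. A one-line Jinja comment above the `{%- set INDEX_SORTING ... %}` line would save the next operator a debugging session, e.g. `{# elasticsearch:index_sorting must be an unquoted YAML boolean; "true" as a string is ignored #}`. The six pillar keys this file reads (`elasticsearch:index_settings:so-imperva:shards|refresh|priority|field_limit`, plus the global `replicas` and `index_sorting`) are also undocumented anywhere in the template; a short comment header listing them with their defaults would help.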
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-import:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-import:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-import:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-import:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-import*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja b/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja
new file mode 100644
index 000000000..d39781e60
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja
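Review bot: The three `+ }` lines that end this template close one more object than is open — `_meta` and the root are the only two still open after `"ecs_version": "1.12"` — so the rendered so-import template is not well-formed JSON. If it loads at all it is because the Elasticsearch parser stops at the root object's end and does not check for trailing content, which is not something to rely on across versions. Delete the final `+ }` line.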
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-infoblox*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja
new file mode 100644
index 000000000..75ba13aa8
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja
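Review bot: The sort settings in the `{%- if INDEX_SORTING is sameas true %}` block use the fully-qualified names `"index.sort.field"` and `"index.sort.order"` but are placed inside the nested `"index": { ... }` map alongside the relative names `"refresh_interval"` and `"number_of_shards"`; once flattened the sort keys would, as far as I can tell, carry a doubled `index.index.` prefix and fail template validation. Nothing exercises the branch with the default pillar value of `False`, so a test that renders the template with `index_sorting: true` and puts it against Elasticsearch would catch it. Write them relative to the enclosing object, `"sort.field": "@timestamp",` / `"sort.order": "desc",`, consistent with the neighbouring keys.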
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-juniper:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-juniper:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-juniper:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-juniper*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja b/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja
new file mode 100644
index 000000000..45a957b3a
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja
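Review bot: The `strings_as_keyword` dynamic template maps every string field not covered by the ECS component templates as `keyword` with `"ignore_above": 1024`, and the file says nothing about the consequence: if `ignore_above` behaves as documented, a value longer than 1024 characters is kept in `_source` but not indexed, so long command lines, URLs or raw syslog payloads from a Juniper device become unsearchable without any ingest error. That is a deliberate trade-off (the ECS mappings use the same limit) but an operator tuning this template for a verbose source needs to know it. Add a comment above the block, e.g. `{# unmapped strings become keyword; values over 1024 chars are stored but not indexed/searchable #}`.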
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-kibana:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-kibana:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-kibana:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-kibana*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja b/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja
new file mode 100644
index 000000000..dd155df43
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja
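Review bot: Like the other new templates, this one ends with three `+ }` lines where only two objects (`_meta` and the root) are open, so the rendered so-kibana template is not valid JSON; the last `+ }` line should be removed. Separately, the so-kibana template composes all 36 ECS component mappings and the `dtc-*` ones into what I take to be an index for Kibana's own logs, which inflates the mapping for every index matching `so-kibana*` even though the data presumably uses only a handful of those field sets. If the full ECS set is intentional for consistency across all `so-*` indices, a comment to that effect on `composed_of` would stop the next reader from trimming it.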
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-logstash:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-logstash:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-logstash:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-logstash*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja
new file mode 100644
index 000000000..c12ec77b3
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja
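Review bot: The conditional sort block writes `"index.sort.field"` and `"index.sort.order"` under the nested `"index"` settings object, which after flattening should yield `index.index.sort.*` rather than `index.sort.*`; with `INDEX_SORTING` defaulting to `False` the branch never renders in a stock deployment, so the mistake is invisible until someone enables it. Changing the two lines to `"sort.field": "@timestamp",` and `"sort.order": "desc",` keeps them consistent with the relative `"refresh_interval"` and `"number_of_shards"` keys on the lines below. Worth a quick render-and-put check with `index_sorting: true` before merging, since I am reasoning from the settings parser rather than a live cluster.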
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-microsoft*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja
new file mode 100644
index 000000000..d4b014be4
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja
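Review bot: `{{ SHARDS }}`, `{{ REPLICAS }}`, `{{ PRIORITY }}` and `{{ FIELD_LIMIT }}` are interpolated into the JSON unquoted and unvalidated, so a pillar override that is not a bare integer (for example `shards: "2"` with quotes, or a stray unit like `30s` in the wrong key) renders a template that is syntactically or semantically wrong, and the failure shows up at template load time on the manager rather than at the pillar. Jinja's `| int` filter is not the right guard here because it silently turns garbage into `0`, which for `number_of_shards` is worse than failing. A Jinja comment above the six `{%- set ... %}` lines stating that these must be unquoted integers (and `refresh` a duration string such as `30s`) would at least document the contract, e.g. `{# pillar overrides must be bare integers; refresh is an ES time value string #}`.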
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-misp:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-misp:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-misp:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-misp:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-misp*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja b/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja
new file mode 100644
index 000000000..ca53ce81b
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja
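Review bot: The so-misp template has the same unbalanced ending as its siblings: `"ecs_version": "1.12"` is followed by three `+ }` lines, one more than the two objects still open, so the rendered file is not valid JSON even if the Elasticsearch parser happens to tolerate the trailing brace. Remove the final `+ }` line. Since these fifteen files differ only in the index name, a single `jq . < rendered-template` check in CI over the rendered output would catch this class of mistake for all of them at once.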
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netflow:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-netflow:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-netflow:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-netflow*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja b/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja
new file mode 100644
index 000000000..eb54157e3
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja
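Review bot: When `elasticsearch:index_sorting` is enabled the so-netflow template emits `"index.sort.field"` / `"index.sort.order"` inside the nested `"index"` settings object, which I expect to flatten to `index.index.sort.*` and be rejected as unknown settings; the default `False` hides this. The two lines should read `"sort.field": "@timestamp",` and `"sort.order": "desc",` to match the relative keys around them. Netflow is one of the higher-volume `so-*` sources, so it is also the index most likely to have sorting turned on in practice, which makes this file a good candidate for a render-with-sorting test.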
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netscout:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-netscout:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-netscout:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-netscout*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja
new file mode 100644
index 000000000..9be552c41
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-o365:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-o365:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-o365:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-o365:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-o365*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja
new file mode 100644
index 000000000..484882b1a
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-okta:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-okta:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-okta:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-okta:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-okta*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja
new file mode 100644
index 000000000..12124590e
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-osquery:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-osquery:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-osquery:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-osquery*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja
new file mode 100644
index 000000000..4eacd09ae
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ossec:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-ossec:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-ossec:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-ossec*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja b/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja
new file mode 100644
index 000000000..34a1b3a0c
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-proofpoint*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja b/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja
new file mode 100644
index 000000000..015051b5e
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-radware-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-radware:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-radware:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-radware:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-radware:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-radware*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja
new file mode 100644
index 000000000..428b68746
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-redis:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-redis:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-redis:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-redis:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-redis*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja b/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja
new file mode 100644
index 000000000..833534a84
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-snort-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snort:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snort:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-snort:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-snort:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-snort*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja
new file mode 100644
index 000000000..bfd6ce8aa
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snyk:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-snyk:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-snyk:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-snyk*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja b/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja
new file mode 100644
index 000000000..bf3d96a16
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja
@@ -0,0 +1,89 @@
+i%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-sonicwall*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja
new file mode 100644
index 000000000..733b9adf6
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja
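Review bot: The first line of this hunk reads `+i%- set INDEX_SORTING = ...` where every sibling template has `+{%- set INDEX_SORTING = ...`; unless that is a transcription artifact of the page, Jinja has no opening `{%` to match and emits the text literally ahead of the opening `{`, so the rendered so-sonicwall file is not valid JSON and `INDEX_SORTING` is left undefined when the `{%- if INDEX_SORTING is sameas true %}` line is evaluated. Because the undefined name silently takes the unsorted branch, the breakage would surface only as the sonicwall template failing to load rather than as a Salt render error. Restore the tag: `{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}`.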
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sophos:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-sophos:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-sophos:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-sophos*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja b/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja
new file mode 100644
index 000000000..ed7e74be8
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-squid-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-squid:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-squid:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-squid:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-squid:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-squid*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja b/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja
new file mode 100644
index 000000000..c66ac0db6
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-strelka:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-strelka:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-strelka:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-strelka*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja
new file mode 100644
index 000000000..eb14b1a98
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-syslog:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-syslog:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-syslog:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-syslog*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja b/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja
new file mode 100644
index 000000000..a98f06f56
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-tomcat*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja b/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja
new file mode 100644
index 000000000..e2f6e0210
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-zeek:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-zeek:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-zeek*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja b/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja
new file mode 100644
index 000000000..b26fda66a
--- /dev/null
+++ b/salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja
@@ -0,0 +1,89 @@
+{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:shards', 1) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:refresh', '30s') %}
+{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:priority', 500) %}
+{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:field_limit', 3000) %}
+{
+ "index_patterns": [
+ "so-zscaler*"
+ ],
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ },
+ "settings": {
+ "index": {
+ "mapping": {
+ "total_fields": {
+ "limit": {{ FIELD_LIMIT }}
+ }
+ },
+ {%- if INDEX_SORTING is sameas true %}
+ "index.sort.field": "@timestamp",
+ "index.sort.order": "desc",
+ {%- endif %}
+ "refresh_interval": "{{ REFRESH }}",
+ "number_of_shards": {{ SHARDS }},
+ "number_of_replicas": {{ REPLICAS }}
+ }
+ }
+ },
+ "composed_of": [
+ "agent-mappings",
+ "base-mappings",
+ "client-mappings",
+ "cloud-mappings",
+ "container-mappings",
+ "data_stream-mappings",
+ "destination-mappings",
+ "dll-mappings",
+ "dns-mappings",
+ "ecs-mappings",
+ "error-mappings",
+ "dtc-event-mappings",
+ "file-mappings",
+ "group-mappings",
+ "host-mappings",
+ "http-mappings",
+ "log-mappings",
+ "network-mappings",
+ "dtc-observer-mappings",
+ "orchestrator-mappings",
+ "organization-mappings",
+ "package-mappings",
+ "process-mappings",
+ "registry-mappings",
+ "related-mappings",
+ "rule-mappings",
+ "server-mappings",
+ "service-mappings",
+ "source-mappings",
+ "threat-mappings",
+ "tls-mappings",
+ "tracing-mappings",
+ "url-mappings",
+ "user_agent-mappings",
+ "user-mappings",
+ "vulnerability-mappings",
+ "common-settings",
+ "common-dynamic-mappings"
+ ],
+ "priority": {{ PRIORITY }},
+ "_meta": {
+ "description": "Composable template that includes SO base fields",
+ "ecs_version": "1.12"
+ }
+ }
+ }
diff --git a/salt/elasticsearch/templates/so/so-aws-template.json.jinja b/salt/elasticsearch/templates/so/so-aws-template.json.jinja
deleted file mode 100644
index 19b23dfba..000000000
--- a/salt/elasticsearch/templates/so/so-aws-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-aws:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-aws:refresh', '30s') %}
-{
- "index_patterns": ["so-aws-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-azure-template.json.jinja b/salt/elasticsearch/templates/so/so-azure-template.json.jinja
deleted file mode 100644
index 51a266479..000000000
--- a/salt/elasticsearch/templates/so/so-azure-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-azure:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-azure:refresh', '30s') %}
-{
- "index_patterns": ["so-azure-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-barracuda-template.json.jinja b/salt/elasticsearch/templates/so/so-barracuda-template.json.jinja
deleted file mode 100644
index 66967d6d1..000000000
--- a/salt/elasticsearch/templates/so/so-barracuda-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:refresh', '30s') %}
-{
- "index_patterns": ["so-barracuda-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-beats-template.json.jinja b/salt/elasticsearch/templates/so/so-beats-template.json.jinja
deleted file mode 100644
index 6d2cf7851..000000000
--- a/salt/elasticsearch/templates/so/so-beats-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-beats:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-beats:refresh', '30s') %}
-{
- "index_patterns": ["so-beats-*"],
- "version": 50001,
- "order": 11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-bluecoat-template.json.jinja b/salt/elasticsearch/templates/so/so-bluecoat-template.json.jinja
deleted file mode 100644
index b1714183e..000000000
--- a/salt/elasticsearch/templates/so/so-bluecoat-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:refresh', '30s') %}
-{
- "index_patterns": ["so-bluecoat-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-case-template.json.jinja b/salt/elasticsearch/templates/so/so-case-template.json.jinja
deleted file mode 100644
index a61bd21be..000000000
--- a/salt/elasticsearch/templates/so/so-case-template.json.jinja
+++ /dev/null
@@ -1,226 +0,0 @@ -{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', True) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-common:refresh', '30s') %} -{ - "index_patterns": ["so-case*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":1, - "index.refresh_interval":"{{ REFRESH }}", - "index.routing.allocation.require.box_type":"hot", - "index.mapping.total_fields.limit": "1500" - }, - "mappings": { - "_meta": { - "version": "1.5.0" - }, - "dynamic": false, - "date_detection": false, - "properties": { - "@timestamp": { - "type": "date" - }, - "so_kind": { - "type": "keyword", - "ignore_above": 1024 - }, - "so_operation": { - "type": "keyword", - "ignore_above": 1024 - }, - "so_audit_doc_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "so_artifact": { - "properties": { - "artifactType": { - "type": "keyword", - "ignore_above": 1024 - }, - "caseId": { - "type": "keyword", - "ignore_above": 1024 - }, - "createTime": { - "type": "date" - }, - "description": { - "type": "text" - }, - "groupId": { - "type": "keyword", - "ignore_above": 1024 - }, - "groupType": { - "type": "keyword", - "ignore_above": 1024 - }, - "ioc": { - "type": "boolean" - }, - "md5": { - "type": "keyword", - "ignore_above": 1024 - }, - "mimeType": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha1": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha256": { - "type": "keyword", - "ignore_above": 1024 - }, - "streamId": { - "type": "keyword", - "ignore_above": 1024 - }, - "streamLength": { - "type": "long" - }, - "tags": { - "type": "keyword", - "ignore_above": 1024 - }, - "tlp": { - "type": "keyword", - "ignore_above": 1024 - }, - "userId": { - "type": "keyword", - "ignore_above": 1024 - }, - "value": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 1024 - } - } 
- } - } - }, - "so_artifactstream": { - "properties": { - "content": { - "type": "text" - }, - "createTime": { - "type": "date" - }, - "userId": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "so_case": { - "properties": { - "assigneeId": { - "type": "keyword", - "ignore_above": 1024 - }, - "category": { - "type": "keyword", - "ignore_above": 1024 - }, - "completeTime": { - "type": "date" - }, - "createTime": { - "type": "date" - }, - "description": { - "type": "text" - }, - "pap": { - "type": "keyword", - "ignore_above": 1024 - }, - "priority": { - "type": "long" - }, - "severity": { - "type": "keyword", - "ignore_above": 1024 - }, - "startTime": { - "type": "date" - }, - "status": { - "type": "keyword", - "ignore_above": 1024 - }, - "tags": { - "type": "keyword", - "ignore_above": 1024 - }, - "template": { - "type": "keyword", - "ignore_above": 1024 - }, - "title": { - "type": "text" - }, - "tlp": { - "type": "keyword", - "ignore_above": 1024 - }, - "userId": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "so_comment": { - "properties": { - "caseId": { - "type": "keyword", - "ignore_above": 1024 - }, - "createTime": { - "type": "date" - }, - "description": { - "type": "text" - }, - "userId": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "so_related": { - "properties": { - "caseId": { - "type": "keyword", - "ignore_above": 1024 - }, - "createTime": { - "type": "date" - }, - "fields": { - "eager_global_ordinals": false, - "ignore_above": 1024, - "index": true, - "type": "flattened", - "index_options": "docs", - "split_queries_on_whitespace": false, - "doc_values": true - }, - "userId": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/so/so-cef-template.json.jinja b/salt/elasticsearch/templates/so/so-cef-template.json.jinja deleted file mode 100644 index 0081d42e1..000000000 --- a/salt/elasticsearch/templates/so/so-cef-template.json.jinja +++ /dev/null 
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cef:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cef:refresh', '30s') %}
-{
- "index_patterns": ["so-cef-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-checkpoint-template.json.jinja b/salt/elasticsearch/templates/so/so-checkpoint-template.json.jinja
deleted file mode 100644
index 5d41946cf..000000000
--- a/salt/elasticsearch/templates/so/so-checkpoint-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:refresh', '30s') %}
-{
- "index_patterns": ["so-checkpoint-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-cisco-template.json.jinja b/salt/elasticsearch/templates/so/so-cisco-template.json.jinja
deleted file mode 100644
index e6e6d14d0..000000000
--- a/salt/elasticsearch/templates/so/so-cisco-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cisco:refresh', '30s') %}
-{
- "index_patterns": ["so-cisco-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-common-template.json.jinja b/salt/elasticsearch/templates/so/so-common-template.json.jinja
deleted file mode 100644
index 4a41cba8a..000000000
--- a/salt/elasticsearch/templates/so/so-common-template.json.jinja
+++ /dev/null
@@ -1,702 +0,0 @@ -{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', True) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-common:refresh', '30s') %} -{ - "index_patterns": ["so-*"], - "version":50001, - "order":10, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":1, - "index.refresh_interval":"{{ REFRESH }}", - "index.routing.allocation.require.box_type":"hot", - "index.mapping.total_fields.limit": "1500", -{%- if INDEX_SORTING is sameas true %} - "index.sort.field": "@timestamp", - "index.sort.order": "desc", -{%- endif %} - "analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ "whitespace_no_way" ], - "filter": [ "lowercase", "trim" ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter" : { - "path_hierarchy_pattern_filter": { - "type" : "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - } - }, - "mappings":{ - "dynamic":false, - "date_detection":false, - "dynamic_templates": [ - { - "ip_address": { - "match_mapping_type": "string", - "path_match": "*.ip", - "mapping": { - "type": "ip", - "fields" : { - "keyword" : { - "ignore_above" : 45, - "type" : "keyword" - } - } - - } - } - }, - { - "port": { - "path_match": "*.port", - "path_unmatch": "*.data.port", - "mapping": { - "type": "integer", - "fields" : { - "keyword" : { - "ignore_above" : 6, - "type" : "keyword" - } - } - - } - } - }, - { - "strings": { - "match_mapping_type": "string", - "mapping": { - "type": "text", - "fields": { - "keyword": { - "ignore_above": 32765, - "type": "keyword" - }, - "security": { - "type": "text", - 
"analyzer": "es_security_analyzer" - } - } - } - } - }], - "properties":{ - "@timestamp":{ - "type":"date" - }, - "@version":{ - "type":"keyword" - }, - "osquery":{ - "type":"object", - "dynamic":true - }, - "geoip":{ - "dynamic":true, - "properties":{ - "ip":{ - "type":"ip" - }, - "location":{ - "type":"geo_point" - }, - "latitude":{ - "type":"half_float" - }, - "longitude":{ - "type":"half_float" - } - } - }, - "destination_geo":{ - "dynamic":true, - "properties":{ - "ip":{ - "type":"ip" - }, - "location":{ - "type":"geo_point" - }, - "latitude":{ - "type":"half_float" - }, - "longitude":{ - "type":"half_float" - } - } - }, - "source_geo":{ - "dynamic":true, - "properties":{ - "ip":{ - "type":"ip" - }, - "location":{ - "type":"geo_point" - }, - "latitude":{ - "type":"half_float" - }, - "longitude":{ - "type":"half_float" - } - } - }, - "agent":{ - "type":"object", - "dynamic": true - }, - "as":{ - "type":"object", - "dynamic": true - }, - "alert":{ - "type":"object", - "dynamic": true - }, - "client":{ - "type":"object", - "dynamic": true - }, - "cloud":{ - "type":"object", - "dynamic": true - }, - "code_signature":{ - "type":"object", - "dynamic": true - }, - "connection":{ - "type":"object", - "dynamic": true - }, - "container":{ - "type":"object", - "dynamic": true - }, - "data":{ - "type":"object", - "dynamic": true - }, - "dce_rpc":{ - "type":"object", - "dynamic": true - }, - "destination":{ - "type":"object", - "dynamic": true - }, - "dhcp":{ - "type":"object", - "dynamic": true - }, - "dnp3":{ - "type":"object", - "dynamic": true - }, - "dns":{ - "type":"object", - "dynamic": true - }, - "dll":{ - "type":"object", - "dynamic": true - }, - "ecs":{ - "type":"object", - "dynamic": true - }, - "error":{ - "type":"object", - "dynamic": true - }, - "event":{ - "type":"object", - "dynamic": true - }, - "event_data":{ - "type":"object", - "dynamic": true - }, - "file":{ - "type":"object", - "dynamic": true - }, - "flow":{ - "type":"object", - "dynamic": true - }, 
- "ftp":{ - "type":"object", - "dynamic": true - }, - "geo":{ - "type":"object", - "dynamic": true - }, - "group":{ - "type":"object", - "dynamic": true - }, - "hash":{ - "type":"object", - "dynamic": true - }, - "host":{ - "type":"object", - "dynamic": true - }, - "http":{ - "type":"object", - "dynamic": true - }, - "import":{ - "type":"object", - "dynamic": true - }, - "ingest":{ - "type":"object", - "dynamic": true, - "properties":{ - "timestamp":{ - "type":"date" - } - } - }, - "intel":{ - "type":"object", - "dynamic": true, - "properties":{ - "indicator":{ - "type":"text", - "fields":{ - "keyword":{ - "type":"keyword" - } - } - } - } - }, - "interface":{ - "type":"object", - "dynamic": true - }, - "ip":{ - "type":"object", - "dynamic": true - }, - "irc":{ - "type":"object", - "dynamic": true - }, - "kerberos":{ - "type":"object", - "dynamic": true - }, - "log":{ - "type":"object", - "dynamic": true - }, - "logscan": { - "type": "object", - "dynamic": true - }, - "manager":{ - "type":"object", - "dynamic": true - }, - "message":{ - "type":"text", - "fields":{ - "keyword":{ - "type":"keyword", - "ignore_above": 32766 - } - } - }, - "modbus":{ - "type":"object", - "dynamic": true - }, - "mysql":{ - "type":"object", - "dynamic": true - }, - "network":{ - "type":"object", - "dynamic": true - }, - "notice":{ - "type":"object", - "dynamic": true - }, - "ntlm":{ - "type":"object", - "dynamic": true - }, - "observer":{ - "type":"object", - "dynamic": true - }, - "organization":{ - "type":"object", - "dynamic": true - }, - "os":{ - "type":"object", - "dynamic": true - }, - "package":{ - "type":"object", - "dynamic": true - }, - "pe":{ - "type":"object", - "dynamic": true - }, - "process":{ - "type":"object", - "dynamic": true - }, - "radius":{ - "type":"object", - "dynamic": true - }, - "rdp":{ - "type":"object", - "dynamic": true - }, - "registry":{ - "type":"object", - "dynamic": true - }, - "related":{ - "type":"object", - "dynamic": true - }, - "request":{ - 
"type":"object", - "dynamic": true - }, - "result":{ - "type":"object", - "dynamic": true - }, - "rfb":{ - "type":"object", - "dynamic": true - }, - "rule":{ - "type":"object", - "dynamic":true, - "properties":{ - "score":{ - "type":"long" - }, - "uuid":{ - "type":"keyword" - } - } - }, - "scan":{ - "type":"object", - "dynamic": true, - "properties":{ - "exiftool":{ - "type":"text" - } - } - }, - "server":{ - "type":"object", - "dynamic": true - }, - "service":{ - "type":"object", - "dynamic": true - }, - "sip":{ - "type":"object", - "dynamic": true - }, - "smb":{ - "type":"object", - "dynamic": true - }, - "smtp":{ - "type":"object", - "dynamic": true - }, - "snmp":{ - "type":"object", - "dynamic": true - }, - "socks":{ - "type":"object", - "dynamic": true - }, - "software":{ - "type":"object", - "dynamic": true - }, - "source":{ - "type":"object", - "dynamic": true - }, - "ssh":{ - "type":"object", - "dynamic": true - }, - "ssl":{ - "type":"object", - "dynamic": true - }, - "syslog":{ - "type":"object", - "dynamic": true - }, - "tags":{ - "type":"text", - "fields":{ - "keyword":{ - "type":"keyword" - } - } - }, - "threat":{ - "type":"object", - "dynamic": true - }, - "tls":{ - "type":"object", - "dynamic": true - }, - "trace":{ - "type":"object", - "dynamic": true - }, - "tunnel":{ - "type":"object", - "dynamic": true - }, - "user":{ - "type":"object", - "dynamic": true - }, - "user_agent":{ - "type":"object", - "dynamic": true - }, - "version":{ - "type":"object", - "dynamic": true - }, - "vlan":{ - "type":"object", - "dynamic": true - }, - "vulnerability":{ - "type":"object", - "dynamic": true - }, - "weird":{ - "type":"object", - "dynamic": true - }, - "winlog":{ - "type":"object", - "dynamic": true, - "properties":{ - "event_id":{ - "type":"long" - }, - "event_data":{ - "type":"object" - }, - "version":{ - "type":"long" - } - } - }, - "x509":{ - "type":"object", - "dynamic": true - }, - "suricata":{ - "type":"object", - "dynamic": true - }, - "zeek":{ - 
"type":"object", - "dynamic": true - }, - "aws":{ - "type":"object", - "dynamic": true - }, - "azure":{ - "type":"object", - "dynamic": true - }, - "barracuda":{ - "type":"object", - "dynamic": true - }, - "bluecoat":{ - "type":"object", - "dynamic": true - }, - "cef":{ - "type":"object", - "dynamic": true - }, - "checkpoint":{ - "type":"object", - "dynamic": true - }, - "cisco":{ - "type":"object", - "dynamic": true - }, - "cyberark":{ - "type":"object", - "dynamic": true - }, - "cylance":{ - "type":"object", - "dynamic": true - }, - "f5":{ - "type":"object", - "dynamic": true - }, - "fortinet":{ - "type":"object", - "dynamic": true - }, - "gcp":{ - "type":"object", - "dynamic": true - }, - "google_workspace":{ - "type":"object", - "dynamic": true - }, - "imperva":{ - "type":"object", - "dynamic": true - }, - "infoblox":{ - "type":"object", - "dynamic": true - }, - "juniper":{ - "type":"object", - "dynamic": true - }, - "microsoft":{ - "type":"object", - "dynamic": true - }, - "misp":{ - "type":"object", - "dynamic": true - }, - "netflow":{ - "type":"object", - "dynamic": true - }, - "netscout":{ - "type":"object", - "dynamic": true - }, - "o365":{ - "type":"object", - "dynamic": true - }, - "okta":{ - "type":"object", - "dynamic": true - }, - "proofpoint":{ - "type":"object", - "dynamic": true - }, - "radware":{ - "type":"object", - "dynamic": true - }, - "snort":{ - "type":"object", - "dynamic": true - }, - "snyk":{ - "type":"object", - "dynamic": true - }, - "sonicwall":{ - "type":"object", - "dynamic": true - }, - "sophos":{ - "type":"object", - "dynamic": true - }, - "squid":{ - "type":"object", - "dynamic": true - }, - "tomcat":{ - "type":"object", - "dynamic": true - }, - "zcaler":{ - "type":"object", - "dynamic": true - }, - "elasticsearch":{ - "type":"object", - "dynamic": true - }, - "kibana":{ - "type":"object", - "dynamic": true - }, - "logstash":{ - "type":"object", - "dynamic": true - }, - "redis":{ - "type":"object", - "dynamic": true - }, - 
"wazuh":{
- "type":"object",
- "dynamic": true
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-cyberark-template.json.jinja b/salt/elasticsearch/templates/so/so-cyberark-template.json.jinja
deleted file mode 100644
index 1647d600f..000000000
--- a/salt/elasticsearch/templates/so/so-cyberark-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:refresh', '30s') %}
-{
- "index_patterns": ["so-cyberark-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-cylance-template.json.jinja b/salt/elasticsearch/templates/so/so-cylance-template.json.jinja
deleted file mode 100644
index 4ba7d0316..000000000
--- a/salt/elasticsearch/templates/so/so-cylance-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cylance:refresh', '30s') %}
-{
- "index_patterns": ["so-cylance-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-elasticsearch-template.json.jinja b/salt/elasticsearch/templates/so/so-elasticsearch-template.json.jinja
deleted file mode 100644
index 16aaaec13..000000000
--- a/salt/elasticsearch/templates/so/so-elasticsearch-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@ -{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:shards', 1) %} -{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %} -{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:refresh', '30s') %} -{ - "index_patterns": ["so-elasticsearch-*"], - "version":50001, - "order":11, - "settings":{ - "number_of_replicas":{{ REPLICAS }}, - "number_of_shards":{{ SHARDS }}, - "index.refresh_interval":"{{ REFRESH }}" - } -} diff --git a/salt/elasticsearch/templates/so/so-endgame-template.json.jinja b/salt/elasticsearch/templates/so/so-endgame-template.json.jinja deleted file mode 100644 index 6d2b89b27..000000000 --- a/salt/elasticsearch/templates/so/so-endgame-template.json.jinja +++ /dev/null 
@@ -1,2976 +0,0 @@ -{ - "index_patterns": ["endgame-*"], - "version":50002, - "order":1, - "mappings": { - "_meta": { - "version": "1.5.0" - }, - "date_detection": false, - "dynamic_templates": [ - { - "strings_as_keyword": { - "mapping": { - "ignore_above": 1024, - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "@timestamp": { - "type": "date" - }, - "agent": { - "properties": { - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "container": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "name": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - 
"group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "header_flags": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - } - } - }, - "endgame": { - "dynamic": false, - "properties": { - "data": { - "properties": { - "malware_classification": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "quarantine_result": { - "properties": { - "local_msg": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "event_subtype_full": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_type_full": { - "ignore_above": 1024, - "type": "keyword" - }, - "metadata": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "stack_trace": { - "doc_values": false, - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } 
- } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "original": { - "doc_values": false, - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - 
"properties": { - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - 
"ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - 
} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "method": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - 
"type": "keyword" - } - } - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "integer" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "original": { - "doc_values": false, - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "syslog": { - "properties": { - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "priority": { - "type": "long" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - } - } - }, - "message": { - "norms": false, - "type": "text" - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - 
"interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "thread": { - "properties": { - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "thread": { - "properties": { - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, 
- "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule": { - "dynamic": false, - "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - 
"properties": { - "address": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 
1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "tags": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "threat": { - "properties": { - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - 
"next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "keyword": { - "type": "keyword" - }, - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "vendor": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "winlog": { - "properties": { - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "type": "long" - }, - "logon": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "opcode": { - "type": "long" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "type": "long" - } - } - } - } - }, - "settings": { - "index": { - "auto_expand_replicas": "0-1", - "mapping": { - "ignore_malformed": true, - "total_fields": { - "limit": 10000 - } - }, - "number_of_shards": 5 - } - } -} 
diff --git a/salt/elasticsearch/templates/so/so-f5-template.json.jinja b/salt/elasticsearch/templates/so/so-f5-template.json.jinja
deleted file mode 100644
index 682a37c59..000000000
--- a/salt/elasticsearch/templates/so/so-f5-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-f5:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-f5:refresh', '30s') %}
-{
- "index_patterns": ["so-f5-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-firewall-template.json.jinja b/salt/elasticsearch/templates/so/so-firewall-template.json.jinja
deleted file mode 100644
index 7bc81fd12..000000000
--- a/salt/elasticsearch/templates/so/so-firewall-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-firewall:refresh', '30s') %}
-{
- "index_patterns": ["so-firewall-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-flow-template.json.jinja b/salt/elasticsearch/templates/so/so-flow-template.json.jinja
deleted file mode 100644
index 6c8f2fa9f..000000000
--- a/salt/elasticsearch/templates/so/so-flow-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-flow:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-flow:refresh', '30s') %}
-{
- "index_patterns": ["so-flow-*"],
- "version": 50001,
- "order": 11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-fortinet-template.json.jinja b/salt/elasticsearch/templates/so/so-fortinet-template.json.jinja
deleted file mode 100644
index 616607f52..000000000
--- a/salt/elasticsearch/templates/so/so-fortinet-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %}
-{
- "index_patterns": ["so-zeek-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-gcp-template.json.jinja b/salt/elasticsearch/templates/so/so-gcp-template.json.jinja
deleted file mode 100644
index 4f1db4f20..000000000
--- a/salt/elasticsearch/templates/so/so-gcp-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-gcp:refresh', '30s') %}
-{
- "index_patterns": ["so-gcp-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-google_workspace-template.json.jinja b/salt/elasticsearch/templates/so/so-google_workspace-template.json.jinja
deleted file mode 100644
index 5ae26780a..000000000
--- a/salt/elasticsearch/templates/so/so-google_workspace-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:refresh', '30s') %}
-{
- "index_patterns": ["so-google_workspace-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-ids-template.json.jinja b/salt/elasticsearch/templates/so/so-ids-template.json.jinja
deleted file mode 100644
index abf37319a..000000000
--- a/salt/elasticsearch/templates/so/so-ids-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ids:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ids:refresh', '30s') %}
-{
- "index_patterns": ["so-ids-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-imperva-template.json.jinja b/salt/elasticsearch/templates/so/so-imperva-template.json.jinja
deleted file mode 100644
index 1f574f33a..000000000
--- a/salt/elasticsearch/templates/so/so-imperva-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-imperva:refresh', '30s') %}
-{
- "index_patterns": ["so-imperva-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-import-template.json.jinja b/salt/elasticsearch/templates/so/so-import-template.json.jinja
deleted file mode 100644
index e4d68235d..000000000
--- a/salt/elasticsearch/templates/so/so-import-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-import:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-import:refresh', '30s') %}
-{
- "index_patterns": ["so-import-*"],
- "version":50001,
- "order": 11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-infoblox-template.json.jinja b/salt/elasticsearch/templates/so/so-infoblox-template.json.jinja
deleted file mode 100644
index de613de7f..000000000
--- a/salt/elasticsearch/templates/so/so-infoblox-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:refresh', '30s') %}
-{
- "index_patterns": ["so-infoblox-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-juniper-template.json.jinja b/salt/elasticsearch/templates/so/so-juniper-template.json.jinja
deleted file mode 100644
index f637271a9..000000000
--- a/salt/elasticsearch/templates/so/so-juniper-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-juniper:refresh', '30s') %}
-{
- "index_patterns": ["so-juniper-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-kibana-template.json.jinja b/salt/elasticsearch/templates/so/so-kibana-template.json.jinja
deleted file mode 100644
index fe2004b0e..000000000
--- a/salt/elasticsearch/templates/so/so-kibana-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-kibana:refresh', '30s') %}
-{
- "index_patterns": ["so-kibana-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-logstash-template.json.jinja b/salt/elasticsearch/templates/so/so-logstash-template.json.jinja
deleted file mode 100644
index 2cf0aba42..000000000
--- a/salt/elasticsearch/templates/so/so-logstash-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-logstash:refresh', '30s') %}
-{
- "index_patterns": ["so-logstash-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-microsoft-template.json.jinja b/salt/elasticsearch/templates/so/so-microsoft-template.json.jinja
deleted file mode 100644
index 3493ccbb2..000000000
--- a/salt/elasticsearch/templates/so/so-microsoft-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:refresh', '30s') %}
-{
- "index_patterns": ["so-microsoft-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-misp-template.json.jinja b/salt/elasticsearch/templates/so/so-misp-template.json.jinja
deleted file mode 100644
index 67af1efde..000000000
--- a/salt/elasticsearch/templates/so/so-misp-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-misp:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-misp:refresh', '30s') %}
-{
- "index_patterns": ["so-misp-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-netflow-template.json.jinja b/salt/elasticsearch/templates/so/so-netflow-template.json.jinja
deleted file mode 100644
index 62c0972bf..000000000
--- a/salt/elasticsearch/templates/so/so-netflow-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netflow:refresh', '30s') %}
-{
- "index_patterns": ["so-netflow-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-netscout-template.json.jinja b/salt/elasticsearch/templates/so/so-netscout-template.json.jinja
deleted file mode 100644
index 1dfe336d9..000000000
--- a/salt/elasticsearch/templates/so/so-netscout-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netscout:refresh', '30s') %}
-{
- "index_patterns": ["so-netscout-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-o365-template.json.jinja b/salt/elasticsearch/templates/so/so-o365-template.json.jinja
deleted file mode 100644
index c1f4826f4..000000000
--- a/salt/elasticsearch/templates/so/so-o365-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-o365:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-o365:refresh', '30s') %}
-{
- "index_patterns": ["so-o365-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-okta-template.json.jinja b/salt/elasticsearch/templates/so/so-okta-template.json.jinja
deleted file mode 100644
index a4f2df44e..000000000
--- a/salt/elasticsearch/templates/so/so-okta-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-okta:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-okta:refresh', '30s') %}
-{
- "index_patterns": ["so-okta-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-osquery-template.json.jinja b/salt/elasticsearch/templates/so/so-osquery-template.json.jinja
deleted file mode 100644
index 47cb3ebab..000000000
--- a/salt/elasticsearch/templates/so/so-osquery-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-osquery:refresh', '30s') %}
-{
- "index_patterns": ["so-osquery-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-ossec-template.json.jinja b/salt/elasticsearch/templates/so/so-ossec-template.json.jinja
deleted file mode 100644
index ce903e228..000000000
--- a/salt/elasticsearch/templates/so/so-ossec-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ossec:refresh', '30s') %}
-{
- "index_patterns": ["so-ossec-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-proofpoint-template.json.jinja b/salt/elasticsearch/templates/so/so-proofpoint-template.json.jinja
deleted file mode 100644
index d7b0ecbe2..000000000
--- a/salt/elasticsearch/templates/so/so-proofpoint-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:refresh', '30s') %}
-{
- "index_patterns": ["so-proofpoint-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-radware-template.json.jinja b/salt/elasticsearch/templates/so/so-radware-template.json.jinja
deleted file mode 100644
index 4efef6a4f..000000000
--- a/salt/elasticsearch/templates/so/so-radware-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-radware:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-radware:refresh', '30s') %}
-{
- "index_patterns": ["so-radware-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-redis-template.json.jinja b/salt/elasticsearch/templates/so/so-redis-template.json.jinja
deleted file mode 100644
index 616607f52..000000000
--- a/salt/elasticsearch/templates/so/so-redis-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %}
-{
- "index_patterns": ["so-zeek-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-snort-template.json.jinja b/salt/elasticsearch/templates/so/so-snort-template.json.jinja
deleted file mode 100644
index 325f86bde..000000000
--- a/salt/elasticsearch/templates/so/so-snort-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snort:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snort:refresh', '30s') %}
-{
- "index_patterns": ["so-snort-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-snyk-template.json.jinja b/salt/elasticsearch/templates/so/so-snyk-template.json.jinja
deleted file mode 100644
index 0c2d291cc..000000000
--- a/salt/elasticsearch/templates/so/so-snyk-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snyk:refresh', '30s') %}
-{
- "index_patterns": ["so-snyk-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-sonicwall-template.json.jinja b/salt/elasticsearch/templates/so/so-sonicwall-template.json.jinja
deleted file mode 100644
index b912e4d66..000000000
--- a/salt/elasticsearch/templates/so/so-sonicwall-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:refresh', '30s') %}
-{
- "index_patterns": ["so-sonicwall-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-sophos-template.json.jinja b/salt/elasticsearch/templates/so/so-sophos-template.json.jinja
deleted file mode 100644
index 689e19999..000000000
--- a/salt/elasticsearch/templates/so/so-sophos-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sophos:refresh', '30s') %}
-{
- "index_patterns": ["so-sophos-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-squid-template.json.jinja b/salt/elasticsearch/templates/so/so-squid-template.json.jinja
deleted file mode 100644
index 9398b8a99..000000000
--- a/salt/elasticsearch/templates/so/so-squid-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-squid:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-squid:refresh', '30s') %}
-{
- "index_patterns": ["so-squid-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-strelka-template.json.jinja b/salt/elasticsearch/templates/so/so-strelka-template.json.jinja
deleted file mode 100644
index 2f7db541a..000000000
--- a/salt/elasticsearch/templates/so/so-strelka-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-strelka:refresh', '30s') %}
-{
- "index_patterns": ["so-strelka-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-syslog-template.json.jinja b/salt/elasticsearch/templates/so/so-syslog-template.json.jinja
deleted file mode 100644
index 47f8d78e6..000000000
--- a/salt/elasticsearch/templates/so/so-syslog-template.json.jinja
+++ /dev/null
@@ -1,14 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-syslog:refresh', '30s') %}
-{
- "index_patterns": ["so-syslog-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
-
diff --git a/salt/elasticsearch/templates/so/so-tomcat-template.json.jinja b/salt/elasticsearch/templates/so/so-tomcat-template.json.jinja
deleted file mode 100644
index 797e71bcf..000000000
--- a/salt/elasticsearch/templates/so/so-tomcat-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:refresh', '30s') %}
-{
- "index_patterns": ["so-tomcat-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-zeek-template.json.jinja b/salt/elasticsearch/templates/so/so-zeek-template.json.jinja
deleted file mode 100644
index 616607f52..000000000
--- a/salt/elasticsearch/templates/so/so-zeek-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %}
-{
- "index_patterns": ["so-zeek-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/templates/so/so-zscaler-template.json.jinja b/salt/elasticsearch/templates/so/so-zscaler-template.json.jinja
deleted file mode 100644
index 01d1cab2d..000000000
--- a/salt/elasticsearch/templates/so/so-zscaler-template.json.jinja
+++ /dev/null
@@ -1,13 +0,0 @@
-{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:shards', 1) %}
-{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:refresh', '30s') %}
-{
- "index_patterns": ["so-zscaler-*"],
- "version":50001,
- "order":11,
- "settings":{
- "number_of_replicas":{{ REPLICAS }},
- "number_of_shards":{{ SHARDS }},
- "index.refresh_interval":"{{ REFRESH }}"
- }
-}
diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
index e4e112603..f3bcaa308 100755
--- a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
+++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
@@ -47,11 +47,24 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then echo fi -cd ${ELASTICSEARCH_TEMPLATES} +cd ${ELASTICSEARCH_TEMPLATES}/component/ecs +echo "Loading ECS component templates..." +for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE-mappings"; {{ ELASTICCURL }} -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_component_template/$TEMPLATE-mappings -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done +echo -echo "Loading templates..." -for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; {{ ELASTICCURL }} -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done +# Load SO-specific component templates +cd ${ELASTICSEARCH_TEMPLATES}/component/so + +echo "Loading Security Onion component templates..." +for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE"; {{ ELASTICCURL }} -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_component_template/$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done +echo + +# Load SO index templates +cd ${ELASTICSEARCH_TEMPLATES}/index + +echo "Loading Security Onion index templates..." +for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; {{ ELASTICCURL }} -k ${ELASTICSEARCH_AUTH} -s -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_index_template/so-$TEMPLATE -H 'Content-Type: application/json' -d@$i 2>/dev/null; echo; done echo cd - >/dev/null diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index 670dcf49e..772a97e17 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja +++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja 
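Review bot: The three new `cd` lines in so-elasticsearch-templates-load are unguarded, so if `${ELASTICSEARCH_TEMPLATES}/component/so` or `/index` does not exist (they are created by a state elsewhere) the following loop runs in the previous directory and re-PUTs the ECS files under different template names, and because every curl call uses `-s` with `2>/dev/null` and no `-f` or exit-status check, a rejected template only shows up in the echoed response body and never fails the script. Guard each directory change, e.g. `cd "${ELASTICSEARCH_TEMPLATES}/component/so" || { echo "missing component/so" >&2; exit 1; }`, and consider `-sS -f` (or testing `$?` after each PUT) so that a failed component template load stops before the index templates, which presumably reference those components, are loaded on top of it. Quoting `"$i"` and `"$TEMPLATE"` in the loops would avoid word splitting on unexpected filenames, and without `nullglob` an empty directory still runs one iteration with a literal `*`. The new lines also carry over `-k`, so verification of the Elasticsearch certificate stays disabled; if the cluster CA is available on this host, `--cacert` would be the stricter choice. The script continues outside the hunk.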
@@ -15,9 +15,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-zeek" - template_name => "so-zeek" - template => "/templates/so-zeek-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja index 1ebaa1082..58a78c08a 100644 --- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja +++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja @@ -15,9 +15,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-import" - template_name => "so-import" - template => "/templates/so-import-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja index affa32d1a..88fe0d2b7 100644 --- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja +++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja @@ -14,9 +14,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-flow" - template_name => "so-flow" - template => "/templates/so-flow-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja index ea603b016..5ce7ee343 100644 --- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja +++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja @@ -14,9 +14,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-ids" - template_name => "so-ids" - template => "/templates/so-ids-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } 
diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja index ab8508bf3..b222ec2e1 100644 --- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja +++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja @@ -15,9 +15,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-syslog" - template_name => "so-syslog" - template => "/templates/so-syslog-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja index f8a9b25af..ef460d463 100644 --- a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja +++ b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja @@ -16,9 +16,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-%{[event][module]}-%{+YYYY.MM.dd}" - template_name => "so-common" - template => "/templates/so-common-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja index b997ea7be..745ebeb19 100644 --- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja @@ -15,9 +15,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-osquery" - template_name => "so-osquery" - template => "/templates/so-osquery-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja index fce35b5a4..aa4af89fd 100644 
--- a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja @@ -37,9 +37,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-osquery" - template_name => "so-osquery" - template => "/templates/so-osquery-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja index e82dbb4f8..f6b8d4098 100644 --- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja +++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja @@ -14,9 +14,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-firewall" - template_name => "so-firewall" - template => "/templates/so-firewall-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja index 34e2bab7c..598e9c741 100644 --- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja +++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja @@ -15,8 +15,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-ids" - template_name => "so-ids" - template => "/templates/so-ids-template.json" ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja index 869b6d553..03326a320 100644 --- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja +++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja 
@@ -16,9 +16,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-beats" - template_name => "so-beats" - template => "/templates/so-beats-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false document_id => "%{[metadata][_id]}" @@ -32,9 +29,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-beats" - template_name => "so-beats" - template => "/templates/so-beats-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja index 6e03d8c72..4555fb8bb 100644 --- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja +++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja @@ -15,9 +15,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-ossec" - template_name => "so-ossec" - template => "/templates/so-ossec-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja index 007f1370e..09a677d1f 100644 --- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja +++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja @@ -15,9 +15,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-strelka" - template_name => "so-strelka" - template => "/templates/so-strelka-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false } diff --git a/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja b/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja index 86944d155..8bfa166c4 100644 --- a/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja +++ b/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja 
@@ -17,9 +17,6 @@ output { password => "{{ ES_PASS }}" {% endif %} index => "so-logscan" - template_name => "so-common" - template => "/templates/so-common-template.json" - template_overwrite => true ssl => true ssl_certificate_verification => false }