Merge pull request #7070 from Security-Onion-Solutions/feature/composable_templates

Initial composable template configuration and base mappings
weslambert
2022-02-02 10:25:15 -05:00
committed by GitHub
156 changed files with 11007 additions and 4542 deletions


@@ -55,7 +55,7 @@ elasticsearch:
indices: indices:
query: query:
bool: bool:
max_clause_count: 1500 max_clause_count: 3000
id_field_data: id_field_data:
enabled: false enabled: false
logger: logger:
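Review bot: The `max_clause_count` line raises the ceiling from 1500 to 3000 with no comment recording why, and a higher bool clause limit lets a single query fan out into more term clauses and consume more heap and CPU per search, so the number should be traceable to a requirement. Presumably it is needed because the ECS component templates added in this PR map many more fields and Elasticsearch expands field wildcards and multi-field queries into one clause per matched field; if so, say that next to the value, e.g. `# 3000: ECS composable templates map many more fields; wildcard/multi-field queries expand to one clause each`. Note also that more recent Elasticsearch releases deprecate this setting and derive the limit from heap size, so confirm the setting still applies to the version Security Onion ships before relying on it.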


@@ -147,11 +147,13 @@ esingestdir:
estemplatedir: estemplatedir:
file.directory: file.directory:
- name: /opt/so/conf/elasticsearch/templates - name: /opt/so/conf/elasticsearch/templates/index
- user: 930 - user: 930
- group: 939 - group: 939
- makedirs: True - makedirs: True
esrolesdir: esrolesdir:
file.directory: file.directory:
- name: /opt/so/conf/elasticsearch/roles - name: /opt/so/conf/elasticsearch/roles
@@ -200,17 +202,24 @@ esyml:
{% for TEMPLATE in TEMPLATES %} {% for TEMPLATE in TEMPLATES %}
es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
file.managed: file.managed:
- source: salt://elasticsearch/templates/{{TEMPLATE}} - source: salt://elasticsearch/templates/index/{{TEMPLATE}}
{% if 'jinja' in TEMPLATE.split('.')[-1] %} {% if 'jinja' in TEMPLATE.split('.')[-1] %}
- name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}} - name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}
- template: jinja - template: jinja
{% else %} {% else %}
- name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1]}} - name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1]}}
{% endif %} {% endif %}
- user: 930 - user: 930
- group: 939 - group: 939
{% endfor %} {% endfor %}
escomponenttemplates:
file.recurse:
- name: /opt/so/conf/elasticsearch/templates/component
- source: salt://elasticsearch/templates/component
- user: 930
- group: 939
esroles: esroles:
file.recurse: file.recurse:
- source: salt://elasticsearch/roles/ - source: salt://elasticsearch/roles/
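Review bot: The new `escomponenttemplates` `file.recurse` state sets `user`/`group` but no `dir_mode`/`file_mode` and no `clean`, so the `templates/component` directory it creates gets umask-dependent permissions and a component template deleted from the source tree stays on the minion and keeps being applied by whatever loads that directory. The `esroles` state that follows appears to use the same shape, so this may be the file's convention; if it is not, `- clean: True`, `- file_mode: "0640"` and `- dir_mode: "0750"` (constructed values, quoted so YAML does not read the leading zero as octal) would make the tree fully managed, matching whatever the sibling `file.directory` states use. Separately, `estemplatedir` and the per-template `file.managed` `name` now point at `/opt/so/conf/elasticsearch/templates/index/`, and nothing in these hunks removes the JSON files previously written directly under `/opt/so/conf/elasticsearch/templates/`, so on an upgraded node the old copies remain unless something outside this hunk cleans them up. The `esroles` state continues past the end of the hunk.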


@@ -0,0 +1,44 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,25 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"@timestamp": {
"type": "date"
},
"labels": {
"type": "object"
},
"message": {
"type": "match_only_text"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}


@@ -0,0 +1,187 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"client": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"packets": {
"type": "long"
},
"port": {
"type": "long"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}


@@ -0,0 +1,80 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"cloud": {
"properties": {
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"instance": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"service": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}


@@ -0,0 +1,43 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"container": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"tag": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"labels": {
"type": "object"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"runtime": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,25 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"data_stream": {
"properties": {
"dataset": {
"type": "constant_keyword"
},
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,187 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"destination": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"packets": {
"type": "long"
},
"port": {
"type": "long"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}


@@ -0,0 +1,116 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"dll": {
"properties": {
"code_signature": {
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"pe": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}


@@ -0,0 +1,91 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"dns": {
"properties": {
"answers": {
"properties": {
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"ttl": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"header_flags": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"op_code": {
"ignore_above": 1024,
"type": "keyword"
},
"question": {
"properties": {
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"resolved_ip": {
"type": "ip"
},
"response_code": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,20 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,39 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"error": {
"properties": {
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"type": "match_only_text"
},
"stack_trace": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,112 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"event": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"dataset": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"type": "long"
},
"end": {
"type": "date"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"doc_values": false,
"index": false,
"type": "keyword"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_score": {
"type": "float"
},
"risk_score_norm": {
"type": "float"
},
"sequence": {
"type": "long"
},
"severity": {
"type": "long"
},
"start": {
"type": "date"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,424 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"file": {
"properties": {
"accessed": {
"type": "date"
},
"attributes": {
"ignore_above": 1024,
"type": "keyword"
},
"code_signature": {
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"created": {
"type": "date"
},
"ctime": {
"type": "date"
},
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"directory": {
"ignore_above": 1024,
"type": "keyword"
},
"drive_letter": {
"ignore_above": 1,
"type": "keyword"
},
"elf": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_date": {
"type": "date"
},
"exports": {
"type": "flattened"
},
"header": {
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"imports": {
"type": "flattened"
},
"sections": {
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_address": {
"type": "long"
},
"virtual_size": {
"type": "long"
}
},
"type": "nested"
},
"segments": {
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "nested"
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"fork_name": {
"ignore_above": 1024,
"type": "keyword"
},
"gid": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"inode": {
"ignore_above": 1024,
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"mode": {
"ignore_above": 1024,
"type": "keyword"
},
"mtime": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"pe": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"size": {
"type": "long"
},
"target_path": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
},
"x509": {
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"doc_values": false,
"index": false,
"type": "long"
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}


@@ -0,0 +1,28 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,247 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"host": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu": {
"properties": {
"usage": {
"scaling_factor": 1000,
"type": "scaled_float"
}
}
},
"disk": {
"properties": {
"read": {
"properties": {
"bytes": {
"type": "long"
}
}
},
"write": {
"properties": {
"bytes": {
"type": "long"
}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"network": {
"properties": {
"egress": {
"properties": {
"bytes": {
"type": "long"
},
"packets": {
"type": "long"
}
}
},
"ingress": {
"properties": {
"bytes": {
"type": "long"
},
"packets": {
"type": "long"
}
}
}
}
},
"os": {
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uptime": {
"type": "long"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}


@@ -0,0 +1,87 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"http": {
"properties": {
"request": {
"properties": {
"body": {
"properties": {
"bytes": {
"type": "long"
},
"content": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
}
}
},
"bytes": {
"type": "long"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"referrer": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"response": {
"properties": {
"body": {
"properties": {
"bytes": {
"type": "long"
},
"content": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
}
}
},
"bytes": {
"type": "long"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"status_code": {
"type": "long"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,86 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"log": {
"properties": {
"file": {
"properties": {
"path": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"level": {
"ignore_above": 1024,
"type": "keyword"
},
"logger": {
"ignore_above": 1024,
"type": "keyword"
},
"origin": {
"properties": {
"file": {
"properties": {
"line": {
"type": "integer"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"function": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"original": {
"doc_values": false,
"index": false,
"type": "keyword"
},
"syslog": {
"properties": {
"facility": {
"properties": {
"code": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"priority": {
"type": "long"
},
"severity": {
"properties": {
"code": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"type": "object"
}
}
}
}
}
}
}


@@ -0,0 +1,86 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"network": {
"properties": {
"application": {
"ignore_above": 1024,
"type": "keyword"
},
"bytes": {
"type": "long"
},
"community_id": {
"ignore_above": 1024,
"type": "keyword"
},
"direction": {
"ignore_above": 1024,
"type": "keyword"
},
"forwarded_ip": {
"type": "ip"
},
"iana_number": {
"ignore_above": 1024,
"type": "keyword"
},
"inner": {
"properties": {
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"type": "object"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"packets": {
"type": "long"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"transport": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}


@@ -0,0 +1,214 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"observer": {
"properties": {
"egress": {
"properties": {
"interface": {
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"ingress": {
"properties": {
"interface": {
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,60 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"orchestrator": {
"properties": {
"api_version": {
"ignore_above": 1024,
"type": "keyword"
},
"cluster": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"namespace": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"resource": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,29 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"organization": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,66 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"package": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"build_version": {
"ignore_above": 1024,
"type": "keyword"
},
"checksum": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"install_scope": {
"ignore_above": 1024,
"type": "keyword"
},
"installed": {
"type": "date"
},
"license": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,612 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"process": {
"properties": {
"args": {
"ignore_above": 1024,
"type": "keyword"
},
"args_count": {
"type": "long"
},
"code_signature": {
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"command_line": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
},
"elf": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_date": {
"type": "date"
},
"exports": {
"type": "flattened"
},
"header": {
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"imports": {
"type": "flattened"
},
"sections": {
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_address": {
"type": "long"
},
"virtual_size": {
"type": "long"
}
},
"type": "nested"
},
"segments": {
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "nested"
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"end": {
"type": "date"
},
"entity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"executable": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"exit_code": {
"type": "long"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"parent": {
"properties": {
"args": {
"ignore_above": 1024,
"type": "keyword"
},
"args_count": {
"type": "long"
},
"code_signature": {
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"command_line": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
},
"elf": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_date": {
"type": "date"
},
"exports": {
"type": "flattened"
},
"header": {
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"imports": {
"type": "flattened"
},
"sections": {
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_address": {
"type": "long"
},
"virtual_size": {
"type": "long"
}
},
"type": "nested"
},
"segments": {
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "nested"
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"end": {
"type": "date"
},
"entity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"executable": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"exit_code": {
"type": "long"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"pe": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pgid": {
"type": "long"
},
"pid": {
"type": "long"
},
"ppid": {
"type": "long"
},
"start": {
"type": "date"
},
"thread": {
"properties": {
"id": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"title": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"uptime": {
"type": "long"
},
"working_directory": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pe": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pgid": {
"type": "long"
},
"pid": {
"type": "long"
},
"ppid": {
"type": "long"
},
"start": {
"type": "date"
},
"thread": {
"properties": {
"id": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"title": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"uptime": {
"type": "long"
},
"working_directory": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,47 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"registry": {
"properties": {
"data": {
"properties": {
"bytes": {
"ignore_above": 1024,
"type": "keyword"
},
"strings": {
"type": "wildcard"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hive": {
"ignore_above": 1024,
"type": "keyword"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,31 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"related": {
"properties": {
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"hosts": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,56 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"rule": {
"properties": {
"author": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"license": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"ruleset": {
"ignore_above": 1024,
"type": "keyword"
},
"uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,187 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"server": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"packets": {
"type": "long"
},
"port": {
"type": "long"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}


@@ -0,0 +1,56 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"service": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"environment": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"node": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,187 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"source": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"packets": {
"type": "long"
},
"port": {
"type": "long"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}



@@ -0,0 +1,354 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"tls": {
"properties": {
"cipher": {
"ignore_above": 1024,
"type": "keyword"
},
"client": {
"properties": {
"certificate": {
"ignore_above": 1024,
"type": "keyword"
},
"certificate_chain": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"issuer": {
"ignore_above": 1024,
"type": "keyword"
},
"ja3": {
"ignore_above": 1024,
"type": "keyword"
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"server_name": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"supported_ciphers": {
"ignore_above": 1024,
"type": "keyword"
},
"x509": {
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"doc_values": false,
"index": false,
"type": "long"
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"curve": {
"ignore_above": 1024,
"type": "keyword"
},
"established": {
"type": "boolean"
},
"next_protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"resumed": {
"type": "boolean"
},
"server": {
"properties": {
"certificate": {
"ignore_above": 1024,
"type": "keyword"
},
"certificate_chain": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"issuer": {
"ignore_above": 1024,
"type": "keyword"
},
"ja3s": {
"ignore_above": 1024,
"type": "keyword"
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"x509": {
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"doc_values": false,
"index": false,
"type": "long"
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"version_protocol": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"span": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"trace": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"transaction": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,78 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"url": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"fragment": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
},
"original": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"type": "wildcard"
},
"port": {
"type": "long"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"scheme": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,244 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"user": {
"properties": {
"changes": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"effective": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
},
"target": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}


@@ -0,0 +1,83 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"user_agent": {
"properties": {
"device": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,78 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"vulnerability": {
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"enumeration": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"report_id": {
"ignore_above": 1024,
"type": "keyword"
},
"scanner": {
"properties": {
"vendor": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"score": {
"properties": {
"base": {
"type": "float"
},
"environmental": {
"type": "float"
},
"temporal": {
"type": "float"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,213 @@
{
"template": {
"mappings": {
"properties": {
"so_audit_doc_id": {
"ignore_above": 1024,
"type": "keyword"
},
"so_related": {
"properties": {
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"fields": {
"eager_global_ordinals": false,
"ignore_above": 1024,
"index": true,
"type": "flattened",
"index_options": "docs",
"split_queries_on_whitespace": false,
"doc_values": true
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"so_artifactstream": {
"properties": {
"createTime": {
"type": "date"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"content": {
"type": "text"
}
}
},
"so_comment": {
"properties": {
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"type": "text"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"so_kind": {
"ignore_above": 1024,
"type": "keyword"
},
"so_operation": {
"ignore_above": 1024,
"type": "keyword"
},
"so_case": {
"properties": {
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"template": {
"ignore_above": 1024,
"type": "keyword"
},
"completeTime": {
"type": "date"
},
"description": {
"type": "text"
},
"priority": {
"type": "long"
},
"title": {
"type": "text"
},
"assigneeId": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"startTime": {
"type": "date"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"pap": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"so_artifact": {
"properties": {
"artifactType": {
"ignore_above": 1024,
"type": "keyword"
},
"groupType": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"streamId": {
"ignore_above": 1024,
"type": "keyword"
},
"groupId": {
"ignore_above": 1024,
"type": "keyword"
},
"streamLength": {
"type": "long"
},
"description": {
"type": "text"
},
"mimeType": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"ioc": {
"type": "boolean"
},
"value": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
},
"_meta": {
"ecs_version": "1.12.2"
}
}
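Review bot: The `_meta` block of this mapping carries only `"ecs_version": "1.12.2"`, yet none of the `so_*` fields are ECS fields, so the tag reads as if these mappings were generated from ECS the way the other components in this commit were. A `_meta.description` naming this as the Security Onion Cases mapping (as the settings component that follows does) would make the provenance clear. Also, `so_case.title` and `so_case.description` are `text` only while `so_artifact.value` gets a `keyword` sub-field; if the Cases UI sorts on or exact-matches titles, they need the same `"fields": {"keyword": {"ignore_above": 1024, "type": "keyword"}}` sub-field. `so_artifactstream.content` is mapped as analyzed `text`; if that is the raw artifact body (the sibling `streamLength` and `sha256` on `so_artifact` suggest so), full-text indexing of it is costly and `"index": false` or a `match_only_text` mapping may be the better fit — worth confirming against what the Cases backend actually writes there.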


@@ -0,0 +1,65 @@
{
"template": {
"settings": {
"index": {
"routing": {
"allocation": {
"require": {
"box_type": "hot"
}
}
},
"mapping": {
"total_fields": {
"limit": "3000"
}
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
}
}
},
"version": 1,
"_meta": {
"description": "default settings for common Security Onion Cases indices"
}
}
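Review bot: This settings component differs from the common settings component that follows (the one described as `"default settings for common Security Onion indices"`) only in the `_meta.description` string; the analysis chain, shard and replica counts and `total_fields.limit` are duplicated verbatim, so a later tuning change is likely to land in one copy and not the other. If the Cases indices are meant to share these settings, one component referenced by both index templates would remove the drift; if they are meant to diverge, a `_meta` note saying why the copy exists would help the next maintainer. Within this component, `path_hierarchy_pattern_filter` and `path_tokenizer` are defined but not referenced by `es_security_analyzer`, whose chain is `lowercase`, `trim` and the `whitespace_no_way` char filter; unless another component in the composition uses them, they are dead configuration. As a style point, `"preserve_original": "true"` and `"limit": "3000"` are strings where the settings are boolean and integer — Elasticsearch coerces them, but `"version": 1` in the same file uses a bare number.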


@@ -0,0 +1,56 @@
{
"template": {
"mappings": {
"dynamic_templates": [
{
"ip_address": {
"path_match": "*.ip",
"mapping": {
"type": "ip",
"fields": {
"keyword": {
"ignore_above": 45,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
},
{
"port": {
"path_match": "*.port",
"path_unmatch": "*.data.port",
"mapping": {
"type": "integer",
"fields": {
"keyword": {
"ignore_above": 6,
"type": "keyword"
}
}
}
}
},
{
"strings": {
"mapping": {
"type": "text",
"fields": {
"security": {
"analyzer": "es_security_analyzer",
"type": "text"
},
"keyword": {
"ignore_above": 32765,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
}
]
}
}
}
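Review bot: The `ip_address` dynamic template maps any string field ending in `.ip` straight to type `ip`, so a single event carrying a non-IP string there (a hostname, an empty string, a garbled value) is rejected as a whole at index time, and the `port` template has no `match_mapping_type`, so a non-numeric `*.port` string fails the same way. For a log pipeline that is a silent visibility gap rather than one bad field; adding `"ignore_malformed": true` beside `"type": "ip"` and beside `"type": "integer"` keeps the document and drops only the malformed value (the index-level `index.mapping.ignore_malformed` setting in the settings component is the alternative). Either way it is worth stating which behaviour is intended, since `ignore_malformed` also hides bad data from whoever monitors ingest errors.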


@@ -0,0 +1,65 @@
{
"template": {
"settings": {
"index": {
"routing": {
"allocation": {
"require": {
"box_type": "hot"
}
}
},
"mapping": {
"total_fields": {
"limit": "3000"
}
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
}
}
},
"version": 1,
"_meta": {
"description": "default settings for common Security Onion indices"
}
}


@@ -0,0 +1,127 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"event": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"dataset": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"duration": {
"type": "long"
},
"end": {
"type": "date"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"original": {
"doc_values": false,
"index": false,
"type": "keyword"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_score": {
"type": "float"
},
"risk_score_norm": {
"type": "float"
},
"sequence": {
"type": "long"
},
"severity": {
"type": "long"
},
"start": {
"type": "date"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
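Review bot: `event.category`, `event.dataset` and `event.module` are `keyword` fields that also declare a `keyword` sub-field, which indexes each value twice with no query benefit and diverges from the ECS 1.12.2 definition that `_meta.documentation` points at. If the sub-fields exist for compatibility with saved searches or dashboards that reference `event.module.keyword`, record that in `_meta` (e.g. `"description": "ECS event fields plus SO-specific .keyword sub-fields kept for dashboard compatibility"`) so a later ECS sync does not silently drop them; the same pattern appears on `observer.name` in the following observer-mappings section. `event.original` is `index: false, doc_values: false`, so it is neither searchable nor aggregatable; that matches ECS but deserves a mention in the same `_meta` note, since it is the field people first look for when a raw log line needs to be searched.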


@@ -0,0 +1,219 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"observer": {
"properties": {
"egress": {
"properties": {
"interface": {
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"ingress": {
"properties": {
"interface": {
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"os": {
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-aws:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-aws:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-aws:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-aws:field_limit', 3000) %}
{
"index_patterns": [
"so-aws*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}
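Review bot: Inside `"settings": {"index": {...}}` the sort keys are written as `"index.sort.field"` and `"index.sort.order"`, which, if Elasticsearch flattens nested setting keys as it does for the rest of the index settings, resolve to `index.index.sort.field` and are rejected as unknown settings the moment `elasticsearch:index_sorting` is set to true in pillar; the so-common template in this same commit writes `"sort.field": "@timestamp"` and `"sort.order": "desc"` at the same depth, so the two forms cannot both be right and the so-common form is the one that nests to `index.sort.field`. The same two lines appear in the so-azure, so-barracuda, so-beats, so-bluecoat, so-case, so-cef, so-checkpoint, so-cisco, so-cyberark, so-cylance, so-elasticsearch, so-endgame and so-f5 templates. Separately, the local `strings_as_keyword` dynamic template and the `strings` template from `common-dynamic-mappings` both match `match_mapping_type: string` with no path restriction, so which one a new string field receives depends on the merge order of dynamic templates across components; if the 1024-character keyword-only mapping is meant to win here, say so in `_meta.description`. `_meta.ecs_version` is `"1.12"` while the component templates declare `"1.12.2"`; pick one so the value can be compared mechanically.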


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-azure:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-azure:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-azure:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-azure:field_limit', 3000) %}
{
"index_patterns": [
"so-azure*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:field_limit', 3000) %}
{
"index_patterns": [
"so-barracuda*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-beats:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-beats:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-beats:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-beats:field_limit', 3000) %}
{
"index_patterns": [
"so-beats*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:field_limit', 3000) %}
{
"index_patterns": [
"so-bluecoat*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,53 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-case:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-case:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-case:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-case:field_limit', 2000) %}
{
"index_patterns": [
"so-case*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"case-mappings",
"case-settings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes Cases fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cef:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cef:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cef:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cef:field_limit', 3000) %}
{
"index_patterns": [
"so-cef*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:field_limit', 3000) %}
{
"index_patterns": [
"so-checkpoint*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,90 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cisco:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cisco:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cisco:field_limit', 3000) %}
{
"index_templates": [
{
"so-cisco*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}
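Review bot: The key `"index_templates"` is wrong and the value under it is not valid JSON: `"index_templates": [` is followed by a bare `{`, then the string `"so-cisco*"` and `],`, so an object is opened and never closed and the rendered template cannot be parsed. Every other template in this commit uses the three lines `"index_patterns": [`, `"so-cisco*"` (with its own pattern) and `],`; replacing the four lines from `"index_templates": [` through `],` with those makes this file match. As written, the so-cisco template will fail to load, and any `so-cisco*` index will silently fall through to the so-common catch-all (`so-*`, priority 1) until someone reads the template-load errors. The `index.sort.field` problem flagged on the so-aws template applies here as well.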


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-common:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-common:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-common:priority', 1) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-common:field_limit', 3000) %}
{
"index_patterns": [
"so-*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"sort.field": "@timestamp",
"sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}
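Review bot: This template is the catch-all for `so-*` at a default priority of 1, but nothing in the file says so, and a future per-source template that leaves `priority` at or below 1 would clash with it; `_meta.description` should record the role, e.g. `"description": "Catch-all composable template for so-* indices; per-source templates must use a higher priority"`. The `"sort.field"` / `"sort.order"` form used here under `settings.index` is the one that nests correctly to `index.sort.field`; it differs from the `"index.sort.field"` form in every other index template in this commit, and the other templates should be brought in line with this one rather than the reverse.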


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:field_limit', 3000) %}
{
"index_patterns": [
"so-cyberark*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cylance:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cylance:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cylance:field_limit', 3000) %}
{
"index_patterns": [
"so-cylance*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:field_limit', 3000) %}
{
"index_patterns": [
"so-elasticsearch*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-endgame:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-endgame:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-endgame:field_limit', 3000) %}
{
"index_patterns": [
"so-endgame*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-f5:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-f5:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-f5:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-f5:field_limit', 3000) %}
{
"index_patterns": [
"so-f5*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}
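Review bot: Inside the `{%- if INDEX_SORTING is sameas true %}` block the keys `"index.sort.field"` and `"index.sort.order"` are nested under the `"index"` settings object, so Elasticsearch's settings flattening most likely yields `index.index.sort.field` / `index.index.sort.order`, which it would reject as unknown settings when the template is PUT; confirm by rendering with `elasticsearch:index_sorting: true` and loading the result. The fix is to drop the prefix inside the object: `"sort.field": "@timestamp",` and `"sort.order": "desc",`. The same block is repeated verbatim in the so-firewall, so-flow, so-fortinet, so-gcp, so-google_workspace, so-ids, so-imperva, so-import, so-infoblox, so-juniper, so-kibana, so-logstash, so-microsoft, so-misp and so-netflow sections (and presumably in the so-endgame and so-netscout sections that are only partly visible here), so they should be corrected together. Because the pillar default is `False`, a default deployment never exercises this branch and the problem would only surface after an operator enables sorting, which makes a render test of the enabled path worth adding.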


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-firewall:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-firewall:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-firewall:field_limit', 3000) %}
{
"index_patterns": [
"so-firewall*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}
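Review bot: The 38-entry `composed_of` list, the `strings_as_keyword` dynamic template and the settings block in this file are byte-identical to every other `so-*` index template in this commit, differing only in the `so-firewall` name used in `index_patterns` and in the pillar keys. Adding or renaming a component template, or bumping `ecs_version`, therefore has to be repeated in every file, and a single missed file silently leaves that index on a different mapping set. Consider moving the shared body into one Jinja macro or include kept alongside these templates that takes the index name as a parameter, so each per-index file reduces to its `{%- set ... %}` lines plus one call. If the per-index files are meant to diverge later, a `_meta.description` that names the index (it is currently the same generic sentence in every file) would at least make the rendered templates distinguishable in `GET _index_template` output.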


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-flow:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-flow:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-flow:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-flow:field_limit', 3000) %}
{
"index_patterns": [
"so-flow*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:field_limit', 3000) %}
{
"index_patterns": [
"so-fortinet*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-gcp:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-gcp:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-gcp:field_limit', 3000) %}
{
"index_patterns": [
"so-gcp*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:field_limit', 3000) %}
{
"index_patterns": [
"so-google_workspace*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ids:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ids:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-ids:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-ids:field_limit', 3000) %}
{
"index_patterns": [
"so-ids*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-imperva:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-imperva:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-imperva:field_limit', 3000) %}
{
"index_patterns": [
"so-imperva*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-import:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-import:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-import:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-import:field_limit', 3000) %}
{
"index_patterns": [
"so-import*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:field_limit', 3000) %}
{
"index_patterns": [
"so-infoblox*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-juniper:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-juniper:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-juniper:field_limit', 3000) %}
{
"index_patterns": [
"so-juniper*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-kibana:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-kibana:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-kibana:field_limit', 3000) %}
{
"index_patterns": [
"so-kibana*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-logstash:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-logstash:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-logstash:field_limit', 3000) %}
{
"index_patterns": [
"so-logstash*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:field_limit', 3000) %}
{
"index_patterns": [
"so-microsoft*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-misp:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-misp:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-misp:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-misp:field_limit', 3000) %}
{
"index_patterns": [
"so-misp*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netflow:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-netflow:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-netflow:field_limit', 3000) %}
{
"index_patterns": [
"so-netflow*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netscout:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-netscout:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-netscout:field_limit', 3000) %}
{
"index_patterns": [
"so-netscout*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}
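Review bot: The `index.sort.field` and `index.sort.order` keys are emitted inside the already-nested `"index": { ... }` settings object, so after Elasticsearch flattens the settings map I believe they arrive as `index.index.sort.field` and `index.index.sort.order`, which the index-scoped settings validator should reject as unknown; because `index_sorting` defaults to `False` this path is never exercised by the default pillar. Rendering once with `elasticsearch:index_sorting` set to `true` and submitting the result would confirm it; the fix is to drop the prefix inside the nested object, `"sort.field": "@timestamp",` and `"sort.order": "desc",`. The same block appears in every per-index template in this commit (o365, okta, osquery, ossec, proofpoint, radware, redis, snort, snyk, sonicwall, sophos, squid, strelka, syslog, tomcat, zeek), so whatever the outcome it should be applied to all of them. Separately, these files differ only in the index name used in the pillar keys and in `index_patterns`; a single template parameterised by index name, or a shared macro for the `composed_of` list, would remove sixteen near-identical copies that otherwise have to be kept in sync by hand.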


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-o365:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-o365:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-o365:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-o365:field_limit', 3000) %}
{
"index_patterns": [
"so-o365*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-okta:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-okta:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-okta:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-okta:field_limit', 3000) %}
{
"index_patterns": [
"so-okta*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-osquery:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-osquery:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-osquery:field_limit', 3000) %}
{
"index_patterns": [
"so-osquery*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ossec:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-ossec:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-ossec:field_limit', 3000) %}
{
"index_patterns": [
"so-ossec*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:field_limit', 3000) %}
{
"index_patterns": [
"so-proofpoint*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-radware:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-radware:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-radware:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-radware:field_limit', 3000) %}
{
"index_patterns": [
"so-radware*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-redis:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-redis:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-redis:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-redis:field_limit', 3000) %}
{
"index_patterns": [
"so-redis*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snort:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snort:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-snort:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-snort:field_limit', 3000) %}
{
"index_patterns": [
"so-snort*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snyk:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-snyk:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-snyk:field_limit', 3000) %}
{
"index_patterns": [
"so-snyk*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
i%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:field_limit', 3000) %}
{
"index_patterns": [
"so-sonicwall*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}
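Review bot: The first line of this template reads `i%- set INDEX_SORTING = ...` instead of `{%- set INDEX_SORTING = ...`; unless this is a transcription artifact of the rendered page, Jinja treats the whole line as literal text, so the rendered file starts with that text and is no longer valid JSON, and `INDEX_SORTING` is undefined when the `{%- if INDEX_SORTING is sameas true %}` guard further down is evaluated, which will either fail the render outright or silently skip the sort settings depending on the renderer's undefined handling. Either way the `so-sonicwall*` template would not load into Elasticsearch. The fix is the one-character change `{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}`, matching the sibling templates. A render-then-parse check over every index template (render with an empty pillar, then parse the output as JSON) in CI would catch this class of typo before it reaches a deployment.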


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sophos:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-sophos:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-sophos:field_limit', 3000) %}
{
"index_patterns": [
"so-sophos*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-squid:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-squid:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-squid:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-squid:field_limit', 3000) %}
{
"index_patterns": [
"so-squid*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-strelka:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-strelka:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-strelka:field_limit', 3000) %}
{
"index_patterns": [
"so-strelka*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-syslog:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-syslog:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-syslog:field_limit', 3000) %}
{
"index_patterns": [
"so-syslog*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:field_limit', 3000) %}
{
"index_patterns": [
"so-tomcat*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-zeek:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-zeek:field_limit', 3000) %}
{
"index_patterns": [
"so-zeek*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}
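Review bot: The index-sorting branch at `{%- if INDEX_SORTING is sameas true %}` writes the dotted keys `"index.sort.field"` and `"index.sort.order"` inside the object that is already keyed `"index"`, while the sibling settings in that same object (`mapping.total_fields.limit`, `refresh_interval`) are written relative to the `index` prefix. If Elasticsearch flattens the nested keys the way it must for those siblings, the rendered setting becomes `index.index.sort.field`, which is not a recognised index setting and would be rejected when the template is installed; it is dormant here only because the pillar default is `False`. I'd write the two lines relative to the enclosing object, `"sort.field": "@timestamp",` and `"sort.order": "desc",`, and render the template once with `elasticsearch:index_sorting: true` to confirm the PUT succeeds. Sorting on `@timestamp` also relies on one of the `composed_of` components (presumably `base-mappings`) mapping that field as a date, which cannot be confirmed from this hunk.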


@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:field_limit', 3000) %}
{
"index_patterns": [
"so-zscaler*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}
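Review bot: The sorting toggle at `{%- if INDEX_SORTING is sameas true %}` only fires for a genuine Jinja boolean, so a pillar value written as the string `'true'`/`'True'` silently leaves index sorting off with no rendering error, and the `False` default means nothing in this template exercises that branch. Coercing the value, e.g. `{%- if INDEX_SORTING | to_bool %}` if that Salt filter is available in the deployed version, or at least a comment next to the `pillar.get` stating that a boolean is required, would make a mis-typed pillar visible. Separately, this template is only installable once every name in `composed_of` exists as a component template and no other index template claims an overlapping pattern at priority `500` (Elasticsearch rejects same-priority overlaps); the loader that issues the PUTs is outside this hunk, so the install ordering should be confirmed.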


@@ -1,13 +0,0 @@
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-aws:shards', 1) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-aws:refresh', '30s') %}
{
"index_patterns": ["so-aws-*"],
"version":50001,
"order":11,
"settings":{
"number_of_replicas":{{ REPLICAS }},
"number_of_shards":{{ SHARDS }},
"index.refresh_interval":"{{ REFRESH }}"
}
}


@@ -1,13 +0,0 @@
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-azure:shards', 1) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-azure:refresh', '30s') %}
{
"index_patterns": ["so-azure-*"],
"version":50001,
"order":11,
"settings":{
"number_of_replicas":{{ REPLICAS }},
"number_of_shards":{{ SHARDS }},
"index.refresh_interval":"{{ REFRESH }}"
}
}


@@ -1,13 +0,0 @@
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:shards', 1) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:refresh', '30s') %}
{
"index_patterns": ["so-barracuda-*"],
"version":50001,
"order":11,
"settings":{
"number_of_replicas":{{ REPLICAS }},
"number_of_shards":{{ SHARDS }},
"index.refresh_interval":"{{ REFRESH }}"
}
}


@@ -1,13 +0,0 @@
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-beats:shards', 1) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-beats:refresh', '30s') %}
{
"index_patterns": ["so-beats-*"],
"version": 50001,
"order": 11,
"settings":{
"number_of_replicas":{{ REPLICAS }},
"number_of_shards":{{ SHARDS }},
"index.refresh_interval":"{{ REFRESH }}"
}
}


@@ -1,13 +0,0 @@
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:shards', 1) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:refresh', '30s') %}
{
"index_patterns": ["so-bluecoat-*"],
"version":50001,
"order":11,
"settings":{
"number_of_replicas":{{ REPLICAS }},
"number_of_shards":{{ SHARDS }},
"index.refresh_interval":"{{ REFRESH }}"
}
}


@@ -1,226 +0,0 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', True) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-common:refresh', '30s') %}
{
"index_patterns": ["so-case*"],
"version":50001,
"order":11,
"settings":{
"number_of_replicas":{{ REPLICAS }},
"number_of_shards":1,
"index.refresh_interval":"{{ REFRESH }}",
"index.routing.allocation.require.box_type":"hot",
"index.mapping.total_fields.limit": "1500"
},
"mappings": {
"_meta": {
"version": "1.5.0"
},
"dynamic": false,
"date_detection": false,
"properties": {
"@timestamp": {
"type": "date"
},
"so_kind": {
"type": "keyword",
"ignore_above": 1024
},
"so_operation": {
"type": "keyword",
"ignore_above": 1024
},
"so_audit_doc_id": {
"type": "keyword",
"ignore_above": 1024
},
"so_artifact": {
"properties": {
"artifactType": {
"type": "keyword",
"ignore_above": 1024
},
"caseId": {
"type": "keyword",
"ignore_above": 1024
},
"createTime": {
"type": "date"
},
"description": {
"type": "text"
},
"groupId": {
"type": "keyword",
"ignore_above": 1024
},
"groupType": {
"type": "keyword",
"ignore_above": 1024
},
"ioc": {
"type": "boolean"
},
"md5": {
"type": "keyword",
"ignore_above": 1024
},
"mimeType": {
"type": "keyword",
"ignore_above": 1024
},
"sha1": {
"type": "keyword",
"ignore_above": 1024
},
"sha256": {
"type": "keyword",
"ignore_above": 1024
},
"streamId": {
"type": "keyword",
"ignore_above": 1024
},
"streamLength": {
"type": "long"
},
"tags": {
"type": "keyword",
"ignore_above": 1024
},
"tlp": {
"type": "keyword",
"ignore_above": 1024
},
"userId": {
"type": "keyword",
"ignore_above": 1024
},
"value": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 1024
}
}
}
}
},
"so_artifactstream": {
"properties": {
"content": {
"type": "text"
},
"createTime": {
"type": "date"
},
"userId": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"so_case": {
"properties": {
"assigneeId": {
"type": "keyword",
"ignore_above": 1024
},
"category": {
"type": "keyword",
"ignore_above": 1024
},
"completeTime": {
"type": "date"
},
"createTime": {
"type": "date"
},
"description": {
"type": "text"
},
"pap": {
"type": "keyword",
"ignore_above": 1024
},
"priority": {
"type": "long"
},
"severity": {
"type": "keyword",
"ignore_above": 1024
},
"startTime": {
"type": "date"
},
"status": {
"type": "keyword",
"ignore_above": 1024
},
"tags": {
"type": "keyword",
"ignore_above": 1024
},
"template": {
"type": "keyword",
"ignore_above": 1024
},
"title": {
"type": "text"
},
"tlp": {
"type": "keyword",
"ignore_above": 1024
},
"userId": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"so_comment": {
"properties": {
"caseId": {
"type": "keyword",
"ignore_above": 1024
},
"createTime": {
"type": "date"
},
"description": {
"type": "text"
},
"userId": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"so_related": {
"properties": {
"caseId": {
"type": "keyword",
"ignore_above": 1024
},
"createTime": {
"type": "date"
},
"fields": {
"eager_global_ordinals": false,
"ignore_above": 1024,
"index": true,
"type": "flattened",
"index_options": "docs",
"split_queries_on_whitespace": false,
"doc_values": true
},
"userId": {
"type": "keyword",
"ignore_above": 1024
}
}
}
}
}
}


@@ -1,13 +0,0 @@
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cef:shards', 1) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cef:refresh', '30s') %}
{
"index_patterns": ["so-cef-*"],
"version":50001,
"order":11,
"settings":{
"number_of_replicas":{{ REPLICAS }},
"number_of_shards":{{ SHARDS }},
"index.refresh_interval":"{{ REFRESH }}"
}
}
