CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7070 from Security-Onion-Solutions/feature/composable_templates

Browse Source 
Initial composable template configuration and base mappings
This commit is contained in:
weslambert
2022-02-02 10:25:15 -05:00
committed by GitHub
parent 1bac031975 9db1510b0e
commit 5e9e0d971b
156 changed files with 11007 additions and 4542 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
salt/elasticsearch/defaults.yaml
View File

@@ -55,7 +55,7 @@ elasticsearch:
indices:
query:
bool:
max_clause_count: 1500
max_clause_count: 3000
id_field_data:
enabled: false
logger:

17
salt/elasticsearch/init.sls
View File

@@ -147,11 +147,13 @@ esingestdir:
estemplatedir:
file.directory:
- name: /opt/so/conf/elasticsearch/templates
- name: /opt/so/conf/elasticsearch/templates/index
- user: 930
- group: 939
- makedirs: True
esrolesdir:
file.directory:
- name: /opt/so/conf/elasticsearch/roles
@@ -200,17 +202,24 @@ esyml:
{% for TEMPLATE in TEMPLATES %}
es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
file.managed:
- source: salt://elasticsearch/templates/{{TEMPLATE}}
- source: salt://elasticsearch/templates/index/{{TEMPLATE}}
{% if 'jinja' in TEMPLATE.split('.')[-1] %}
- name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}
- name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1] | replace(".jinja", "")}}
- template: jinja
{% else %}
- name: /opt/so/conf/elasticsearch/templates/{{TEMPLATE.split('/')[1]}}
- name: /opt/so/conf/elasticsearch/templates/index/{{TEMPLATE.split('/')[1]}}
{% endif %}
- user: 930
- group: 939
{% endfor %}
escomponenttemplates:
file.recurse:
- name: /opt/so/conf/elasticsearch/templates/component
- source: salt://elasticsearch/templates/component
- user: 930
- group: 939
esroles:
file.recurse:
- source: salt://elasticsearch/roles/

44
salt/elasticsearch/templates/component/ecs/agent.json Normal file
View File

@@ -0,0 +1,44 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-agent.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"agent": {
"properties": {
"build": {
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

25
salt/elasticsearch/templates/component/ecs/base.json Normal file
View File

@@ -0,0 +1,25 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"@timestamp": {
"type": "date"
},
"labels": {
"type": "object"
},
"message": {
"type": "match_only_text"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}

187
salt/elasticsearch/templates/component/ecs/client.json Normal file
View File

@@ -0,0 +1,187 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"client": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"packets": {
"type": "long"
},
"port": {
"type": "long"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}

80
salt/elasticsearch/templates/component/ecs/cloud.json Normal file
View File

@@ -0,0 +1,80 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-cloud.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"cloud": {
"properties": {
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"instance": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"project": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"service": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}

43
salt/elasticsearch/templates/component/ecs/container.json Normal file
View File

@@ -0,0 +1,43 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-container.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"container": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"tag": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"labels": {
"type": "object"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"runtime": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

25
salt/elasticsearch/templates/component/ecs/data_stream.json Normal file
View File

@@ -0,0 +1,25 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-data_stream.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"data_stream": {
"properties": {
"dataset": {
"type": "constant_keyword"
},
"namespace": {
"type": "constant_keyword"
},
"type": {
"type": "constant_keyword"
}
}
}
}
}
}
}

187
salt/elasticsearch/templates/component/ecs/destination.json Normal file
View File

@@ -0,0 +1,187 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"destination": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"packets": {
"type": "long"
},
"port": {
"type": "long"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}

116
salt/elasticsearch/templates/component/ecs/dll.json Normal file
View File

@@ -0,0 +1,116 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dll.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"dll": {
"properties": {
"code_signature": {
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"pe": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}

91
salt/elasticsearch/templates/component/ecs/dns.json Normal file
View File

@@ -0,0 +1,91 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"dns": {
"properties": {
"answers": {
"properties": {
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"ttl": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"header_flags": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"op_code": {
"ignore_above": 1024,
"type": "keyword"
},
"question": {
"properties": {
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"resolved_ip": {
"type": "ip"
},
"response_code": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

20
salt/elasticsearch/templates/component/ecs/ecs.json Normal file
View File

@@ -0,0 +1,20 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-ecs.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

39
salt/elasticsearch/templates/component/ecs/error.json Normal file
View File

@@ -0,0 +1,39 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-error.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"error": {
"properties": {
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"message": {
"type": "match_only_text"
},
"stack_trace": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

112
salt/elasticsearch/templates/component/ecs/event.json Normal file
View File

@@ -0,0 +1,112 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"event": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"dataset": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"type": "long"
},
"end": {
"type": "date"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"doc_values": false,
"index": false,
"type": "keyword"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_score": {
"type": "float"
},
"risk_score_norm": {
"type": "float"
},
"sequence": {
"type": "long"
},
"severity": {
"type": "long"
},
"start": {
"type": "date"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

424
salt/elasticsearch/templates/component/ecs/file.json Normal file
View File

@@ -0,0 +1,424 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-file.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"file": {
"properties": {
"accessed": {
"type": "date"
},
"attributes": {
"ignore_above": 1024,
"type": "keyword"
},
"code_signature": {
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"created": {
"type": "date"
},
"ctime": {
"type": "date"
},
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"directory": {
"ignore_above": 1024,
"type": "keyword"
},
"drive_letter": {
"ignore_above": 1,
"type": "keyword"
},
"elf": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_date": {
"type": "date"
},
"exports": {
"type": "flattened"
},
"header": {
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"imports": {
"type": "flattened"
},
"sections": {
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_address": {
"type": "long"
},
"virtual_size": {
"type": "long"
}
},
"type": "nested"
},
"segments": {
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "nested"
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"fork_name": {
"ignore_above": 1024,
"type": "keyword"
},
"gid": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"inode": {
"ignore_above": 1024,
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"mode": {
"ignore_above": 1024,
"type": "keyword"
},
"mtime": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"pe": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"size": {
"type": "long"
},
"target_path": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
},
"x509": {
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"doc_values": false,
"index": false,
"type": "long"
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}

28
salt/elasticsearch/templates/component/ecs/group.json Normal file
View File

@@ -0,0 +1,28 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-group.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

247
salt/elasticsearch/templates/component/ecs/host.json Normal file
View File

@@ -0,0 +1,247 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-host.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"host": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu": {
"properties": {
"usage": {
"scaling_factor": 1000,
"type": "scaled_float"
}
}
},
"disk": {
"properties": {
"read": {
"properties": {
"bytes": {
"type": "long"
}
}
},
"write": {
"properties": {
"bytes": {
"type": "long"
}
}
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"network": {
"properties": {
"egress": {
"properties": {
"bytes": {
"type": "long"
},
"packets": {
"type": "long"
}
}
},
"ingress": {
"properties": {
"bytes": {
"type": "long"
},
"packets": {
"type": "long"
}
}
}
}
},
"os": {
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"uptime": {
"type": "long"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}

87
salt/elasticsearch/templates/component/ecs/http.json Normal file
View File

@@ -0,0 +1,87 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-http.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"http": {
"properties": {
"request": {
"properties": {
"body": {
"properties": {
"bytes": {
"type": "long"
},
"content": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
}
}
},
"bytes": {
"type": "long"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"referrer": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"response": {
"properties": {
"body": {
"properties": {
"bytes": {
"type": "long"
},
"content": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
}
}
},
"bytes": {
"type": "long"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"status_code": {
"type": "long"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

86
salt/elasticsearch/templates/component/ecs/log.json Normal file
View File

@@ -0,0 +1,86 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-log.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"log": {
"properties": {
"file": {
"properties": {
"path": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"level": {
"ignore_above": 1024,
"type": "keyword"
},
"logger": {
"ignore_above": 1024,
"type": "keyword"
},
"origin": {
"properties": {
"file": {
"properties": {
"line": {
"type": "integer"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"function": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"original": {
"doc_values": false,
"index": false,
"type": "keyword"
},
"syslog": {
"properties": {
"facility": {
"properties": {
"code": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"priority": {
"type": "long"
},
"severity": {
"properties": {
"code": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"type": "object"
}
}
}
}
}
}
}

86
salt/elasticsearch/templates/component/ecs/network.json Normal file
View File

@@ -0,0 +1,86 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"network": {
"properties": {
"application": {
"ignore_above": 1024,
"type": "keyword"
},
"bytes": {
"type": "long"
},
"community_id": {
"ignore_above": 1024,
"type": "keyword"
},
"direction": {
"ignore_above": 1024,
"type": "keyword"
},
"forwarded_ip": {
"type": "ip"
},
"iana_number": {
"ignore_above": 1024,
"type": "keyword"
},
"inner": {
"properties": {
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"type": "object"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"packets": {
"type": "long"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"transport": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}

214
salt/elasticsearch/templates/component/ecs/observer.json Normal file
View File

@@ -0,0 +1,214 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"observer": {
"properties": {
"egress": {
"properties": {
"interface": {
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"ingress": {
"properties": {
"interface": {
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

60
salt/elasticsearch/templates/component/ecs/orchestrator.json Normal file
View File

@@ -0,0 +1,60 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-orchestrator.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"orchestrator": {
"properties": {
"api_version": {
"ignore_above": 1024,
"type": "keyword"
},
"cluster": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"namespace": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"resource": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

29
salt/elasticsearch/templates/component/ecs/organization.json Normal file
View File

@@ -0,0 +1,29 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-organization.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"organization": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

66
salt/elasticsearch/templates/component/ecs/package.json Normal file
View File

@@ -0,0 +1,66 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-package.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"package": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"build_version": {
"ignore_above": 1024,
"type": "keyword"
},
"checksum": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"install_scope": {
"ignore_above": 1024,
"type": "keyword"
},
"installed": {
"type": "date"
},
"license": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

612
salt/elasticsearch/templates/component/ecs/process.json Normal file
View File

@@ -0,0 +1,612 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-process.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"process": {
"properties": {
"args": {
"ignore_above": 1024,
"type": "keyword"
},
"args_count": {
"type": "long"
},
"code_signature": {
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"command_line": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
},
"elf": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_date": {
"type": "date"
},
"exports": {
"type": "flattened"
},
"header": {
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"imports": {
"type": "flattened"
},
"sections": {
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_address": {
"type": "long"
},
"virtual_size": {
"type": "long"
}
},
"type": "nested"
},
"segments": {
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "nested"
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"end": {
"type": "date"
},
"entity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"executable": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"exit_code": {
"type": "long"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"parent": {
"properties": {
"args": {
"ignore_above": 1024,
"type": "keyword"
},
"args_count": {
"type": "long"
},
"code_signature": {
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"trusted": {
"type": "boolean"
},
"valid": {
"type": "boolean"
}
}
},
"command_line": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
},
"elf": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"creation_date": {
"type": "date"
},
"exports": {
"type": "flattened"
},
"header": {
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"imports": {
"type": "flattened"
},
"sections": {
"properties": {
"chi2": {
"type": "long"
},
"entropy": {
"type": "long"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_address": {
"type": "long"
},
"virtual_size": {
"type": "long"
}
},
"type": "nested"
},
"segments": {
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "nested"
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"end": {
"type": "date"
},
"entity_id": {
"ignore_above": 1024,
"type": "keyword"
},
"executable": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"exit_code": {
"type": "long"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"pe": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pgid": {
"type": "long"
},
"pid": {
"type": "long"
},
"ppid": {
"type": "long"
},
"start": {
"type": "date"
},
"thread": {
"properties": {
"id": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"title": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"uptime": {
"type": "long"
},
"working_directory": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pe": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pgid": {
"type": "long"
},
"pid": {
"type": "long"
},
"ppid": {
"type": "long"
},
"start": {
"type": "date"
},
"thread": {
"properties": {
"id": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"title": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"uptime": {
"type": "long"
},
"working_directory": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

47
salt/elasticsearch/templates/component/ecs/registry.json Normal file
View File

@@ -0,0 +1,47 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-registry.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"registry": {
"properties": {
"data": {
"properties": {
"bytes": {
"ignore_above": 1024,
"type": "keyword"
},
"strings": {
"type": "wildcard"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hive": {
"ignore_above": 1024,
"type": "keyword"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"value": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

31
salt/elasticsearch/templates/component/ecs/related.json Normal file
View File

@@ -0,0 +1,31 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-related.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"related": {
"properties": {
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"hosts": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

56
salt/elasticsearch/templates/component/ecs/rule.json Normal file
View File

@@ -0,0 +1,56 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-rule.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"rule": {
"properties": {
"author": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"license": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"ruleset": {
"ignore_above": 1024,
"type": "keyword"
},
"uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

187
salt/elasticsearch/templates/component/ecs/server.json Normal file
View File

@@ -0,0 +1,187 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-server.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"server": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"packets": {
"type": "long"
},
"port": {
"type": "long"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}

56
salt/elasticsearch/templates/component/ecs/service.json Normal file
View File

@@ -0,0 +1,56 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-service.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"service": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"environment": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"node": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

187
salt/elasticsearch/templates/component/ecs/source.json Normal file
View File

@@ -0,0 +1,187 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"source": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"nat": {
"properties": {
"ip": {
"type": "ip"
},
"port": {
"type": "long"
}
}
},
"packets": {
"type": "long"
},
"port": {
"type": "long"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}

1650
salt/elasticsearch/templates/component/ecs/threat.json Normal file
View File

File diff suppressed because it is too large Load Diff

354
salt/elasticsearch/templates/component/ecs/tls.json Normal file
View File

@@ -0,0 +1,354 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tls.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"tls": {
"properties": {
"cipher": {
"ignore_above": 1024,
"type": "keyword"
},
"client": {
"properties": {
"certificate": {
"ignore_above": 1024,
"type": "keyword"
},
"certificate_chain": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"issuer": {
"ignore_above": 1024,
"type": "keyword"
},
"ja3": {
"ignore_above": 1024,
"type": "keyword"
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"server_name": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"supported_ciphers": {
"ignore_above": 1024,
"type": "keyword"
},
"x509": {
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"doc_values": false,
"index": false,
"type": "long"
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"curve": {
"ignore_above": 1024,
"type": "keyword"
},
"established": {
"type": "boolean"
},
"next_protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"resumed": {
"type": "boolean"
},
"server": {
"properties": {
"certificate": {
"ignore_above": 1024,
"type": "keyword"
},
"certificate_chain": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"issuer": {
"ignore_above": 1024,
"type": "keyword"
},
"ja3s": {
"ignore_above": 1024,
"type": "keyword"
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"x509": {
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"not_after": {
"type": "date"
},
"not_before": {
"type": "date"
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_exponent": {
"doc_values": false,
"index": false,
"type": "long"
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"version_protocol": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

36
salt/elasticsearch/templates/component/ecs/tracing.json Normal file
View File

@@ -0,0 +1,36 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-tracing.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"span": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"trace": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"transaction": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

78
salt/elasticsearch/templates/component/ecs/url.json Normal file
View File

@@ -0,0 +1,78 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-url.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"url": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"fragment": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
},
"original": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"type": "wildcard"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"type": "wildcard"
},
"port": {
"type": "long"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"scheme": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

244
salt/elasticsearch/templates/component/ecs/user.json Normal file
View File

@@ -0,0 +1,244 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"user": {
"properties": {
"changes": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"effective": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
},
"target": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"full_name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
}
}

83
salt/elasticsearch/templates/component/ecs/user_agent.json Normal file
View File

@@ -0,0 +1,83 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-user_agent.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"user_agent": {
"properties": {
"device": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

78
salt/elasticsearch/templates/component/ecs/vulnerability.json Normal file
View File

@@ -0,0 +1,78 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"vulnerability": {
"properties": {
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"enumeration": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"report_id": {
"ignore_above": 1024,
"type": "keyword"
},
"scanner": {
"properties": {
"vendor": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"score": {
"properties": {
"base": {
"type": "float"
},
"environmental": {
"type": "float"
},
"temporal": {
"type": "float"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

213
salt/elasticsearch/templates/component/so/case-mappings.json Normal file
View File

@@ -0,0 +1,213 @@
{
"template": {
"mappings": {
"properties": {
"so_audit_doc_id": {
"ignore_above": 1024,
"type": "keyword"
},
"so_related": {
"properties": {
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"fields": {
"eager_global_ordinals": false,
"ignore_above": 1024,
"index": true,
"type": "flattened",
"index_options": "docs",
"split_queries_on_whitespace": false,
"doc_values": true
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"so_artifactstream": {
"properties": {
"createTime": {
"type": "date"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"content": {
"type": "text"
}
}
},
"so_comment": {
"properties": {
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"type": "text"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"so_kind": {
"ignore_above": 1024,
"type": "keyword"
},
"so_operation": {
"ignore_above": 1024,
"type": "keyword"
},
"so_case": {
"properties": {
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"template": {
"ignore_above": 1024,
"type": "keyword"
},
"completeTime": {
"type": "date"
},
"description": {
"type": "text"
},
"priority": {
"type": "long"
},
"title": {
"type": "text"
},
"assigneeId": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"startTime": {
"type": "date"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"pap": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"so_artifact": {
"properties": {
"artifactType": {
"ignore_above": 1024,
"type": "keyword"
},
"groupType": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"streamId": {
"ignore_above": 1024,
"type": "keyword"
},
"groupId": {
"ignore_above": 1024,
"type": "keyword"
},
"streamLength": {
"type": "long"
},
"description": {
"type": "text"
},
"mimeType": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"ioc": {
"type": "boolean"
},
"value": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
},
"_meta": {
"ecs_version": "1.12.2"
}
}

65
salt/elasticsearch/templates/component/so/case-settings.json Normal file
View File

@@ -0,0 +1,65 @@
{
"template": {
"settings": {
"index": {
"routing": {
"allocation": {
"require": {
"box_type": "hot"
}
}
},
"mapping": {
"total_fields": {
"limit": "3000"
}
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
}
}
},
"version": 1,
"_meta": {
"description": "default settings for common Security Onion Cases indices"
}
}

56
salt/elasticsearch/templates/component/so/common-dynamic-mappings.json Normal file
View File

@@ -0,0 +1,56 @@
{
"template": {
"mappings": {
"dynamic_templates": [
{
"ip_address": {
"path_match": "*.ip",
"mapping": {
"type": "ip",
"fields": {
"keyword": {
"ignore_above": 45,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
},
{
"port": {
"path_match": "*.port",
"path_unmatch": "*.data.port",
"mapping": {
"type": "integer",
"fields": {
"keyword": {
"ignore_above": 6,
"type": "keyword"
}
}
}
}
},
{
"strings": {
"mapping": {
"type": "text",
"fields": {
"security": {
"analyzer": "es_security_analyzer",
"type": "text"
},
"keyword": {
"ignore_above": 32765,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
}
]
}
}
}

65
salt/elasticsearch/templates/component/so/common-settings.json Normal file
View File

@@ -0,0 +1,65 @@
{
"template": {
"settings": {
"index": {
"routing": {
"allocation": {
"require": {
"box_type": "hot"
}
}
},
"mapping": {
"total_fields": {
"limit": "3000"
}
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
}
}
},
"version": 1,
"_meta": {
"description": "default settings for common Security Onion indices"
}
}

127
salt/elasticsearch/templates/component/so/dtc-event-mappings Normal file
View File

@@ -0,0 +1,127 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"event": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"dataset": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"duration": {
"type": "long"
},
"end": {
"type": "date"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"original": {
"doc_values": false,
"index": false,
"type": "keyword"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_score": {
"type": "float"
},
"risk_score_norm": {
"type": "float"
},
"sequence": {
"type": "long"
},
"severity": {
"type": "long"
},
"start": {
"type": "date"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

219
salt/elasticsearch/templates/component/so/dtc-observer-mappings Normal file
View File

@@ -0,0 +1,219 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"observer": {
"properties": {
"egress": {
"properties": {
"interface": {
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"ingress": {
"properties": {
"interface": {
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"os": {
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

0
salt/elasticsearch/templates/custom/place_custom_template_in_local → salt/elasticsearch/templates/index/custom/place_custom_template_in_local
View File

89
salt/elasticsearch/templates/index/so/so-aws-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-aws:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-aws:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-aws:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-aws:field_limit', 3000) %}
{
"index_patterns": [
"so-aws*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-azure-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-azure:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-azure:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-azure:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-azure:field_limit', 3000) %}
{
"index_patterns": [
"so-azure*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-barracuda-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:field_limit', 3000) %}
{
"index_patterns": [
"so-barracuda*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-beats-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-beats:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-beats:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-beats:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-beats:field_limit', 3000) %}
{
"index_patterns": [
"so-beats*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-bluecoat-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:field_limit', 3000) %}
{
"index_patterns": [
"so-bluecoat*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

53
salt/elasticsearch/templates/index/so/so-case-template.json.jinja Normal file
View File

@@ -0,0 +1,53 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-case:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-case:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-case:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-case:field_limit', 2000) %}
{
"index_patterns": [
"so-case*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"case-mappings",
"case-settings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes Cases fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-cef-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cef:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cef:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cef:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cef:field_limit', 3000) %}
{
"index_patterns": [
"so-cef*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:field_limit', 3000) %}
{
"index_patterns": [
"so-checkpoint*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

90
salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja Normal file
View File

@@ -0,0 +1,90 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cisco:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cisco:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cisco:field_limit', 3000) %}
{
"index_templates": [
{
"so-cisco*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-common-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-common:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-common:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-common:priority', 1) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-common:field_limit', 3000) %}
{
"index_patterns": [
"so-*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"sort.field": "@timestamp",
"sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:field_limit', 3000) %}
{
"index_patterns": [
"so-cyberark*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-cylance-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cylance:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-cylance:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-cylance:field_limit', 3000) %}
{
"index_patterns": [
"so-cylance*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-elasticsearch-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:field_limit', 3000) %}
{
"index_patterns": [
"so-elasticsearch*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-endgame:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-endgame:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-endgame:field_limit', 3000) %}
{
"index_patterns": [
"so-endgame*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-f5-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-f5:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-f5:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-f5:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-f5:field_limit', 3000) %}
{
"index_patterns": [
"so-f5*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-firewall-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-firewall:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-firewall:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-firewall:field_limit', 3000) %}
{
"index_patterns": [
"so-firewall*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-flow-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-flow:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-flow:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-flow:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-flow:field_limit', 3000) %}
{
"index_patterns": [
"so-flow*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:field_limit', 3000) %}
{
"index_patterns": [
"so-fortinet*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-gcp:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-gcp:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-gcp:field_limit', 3000) %}
{
"index_patterns": [
"so-gcp*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:field_limit', 3000) %}
{
"index_patterns": [
"so-google_workspace*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-ids-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ids:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ids:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-ids:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-ids:field_limit', 3000) %}
{
"index_patterns": [
"so-ids*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-imperva-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-imperva:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-imperva:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-imperva:field_limit', 3000) %}
{
"index_patterns": [
"so-imperva*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-import-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-import:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-import:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-import:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-import:field_limit', 3000) %}
{
"index_patterns": [
"so-import*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-infoblox-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:field_limit', 3000) %}
{
"index_patterns": [
"so-infoblox*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-juniper:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-juniper:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-juniper:field_limit', 3000) %}
{
"index_patterns": [
"so-juniper*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-kibana-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-kibana:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-kibana:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-kibana:field_limit', 3000) %}
{
"index_patterns": [
"so-kibana*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-logstash-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-logstash:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-logstash:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-logstash:field_limit', 3000) %}
{
"index_patterns": [
"so-logstash*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:field_limit', 3000) %}
{
"index_patterns": [
"so-microsoft*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-misp-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-misp:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-misp:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-misp:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-misp:field_limit', 3000) %}
{
"index_patterns": [
"so-misp*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-netflow-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netflow:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-netflow:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-netflow:field_limit', 3000) %}
{
"index_patterns": [
"so-netflow*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-netscout-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-netscout:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-netscout:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-netscout:field_limit', 3000) %}
{
"index_patterns": [
"so-netscout*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-o365-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-o365:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-o365:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-o365:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-o365:field_limit', 3000) %}
{
"index_patterns": [
"so-o365*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-okta-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-okta:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-okta:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-okta:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-okta:field_limit', 3000) %}
{
"index_patterns": [
"so-okta*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-osquery:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-osquery:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-osquery:field_limit', 3000) %}
{
"index_patterns": [
"so-osquery*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-ossec:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-ossec:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-ossec:field_limit', 3000) %}
{
"index_patterns": [
"so-ossec*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-proofpoint-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:field_limit', 3000) %}
{
"index_patterns": [
"so-proofpoint*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-radware-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-radware:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-radware:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-radware:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-radware:field_limit', 3000) %}
{
"index_patterns": [
"so-radware*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-redis-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-redis:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-redis:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-redis:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-redis:field_limit', 3000) %}
{
"index_patterns": [
"so-redis*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-snort-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snort:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snort:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-snort:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-snort:field_limit', 3000) %}
{
"index_patterns": [
"so-snort*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-snyk:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-snyk:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-snyk:field_limit', 3000) %}
{
"index_patterns": [
"so-snyk*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-sonicwall-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
i%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:field_limit', 3000) %}
{
"index_patterns": [
"so-sonicwall*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-sophos:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-sophos:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-sophos:field_limit', 3000) %}
{
"index_patterns": [
"so-sophos*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-squid-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-squid:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-squid:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-squid:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-squid:field_limit', 3000) %}
{
"index_patterns": [
"so-squid*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-strelka-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-strelka:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-strelka:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-strelka:field_limit', 3000) %}
{
"index_patterns": [
"so-strelka*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-syslog:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-syslog:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-syslog:field_limit', 3000) %}
{
"index_patterns": [
"so-syslog*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-tomcat-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:field_limit', 3000) %}
{
"index_patterns": [
"so-tomcat*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-zeek-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zeek:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-zeek:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-zeek:field_limit', 3000) %}
{
"index_patterns": [
"so-zeek*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

89
salt/elasticsearch/templates/index/so/so-zscaler-template.json.jinja Normal file
View File

@@ -0,0 +1,89 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', False) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:shards', 1) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:refresh', '30s') %}
{%- set PRIORITY = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:priority', 500) %}
{%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:field_limit', 3000) %}
{
"index_patterns": [
"so-zscaler*"
],
"template": {
"mappings": {
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": {{ FIELD_LIMIT }}
}
},
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"refresh_interval": "{{ REFRESH }}",
"number_of_shards": {{ SHARDS }},
"number_of_replicas": {{ REPLICAS }}
}
}
},
"composed_of": [
"agent-mappings",
"base-mappings",
"client-mappings",
"cloud-mappings",
"container-mappings",
"data_stream-mappings",
"destination-mappings",
"dll-mappings",
"dns-mappings",
"ecs-mappings",
"error-mappings",
"dtc-event-mappings",
"file-mappings",
"group-mappings",
"host-mappings",
"http-mappings",
"log-mappings",
"network-mappings",
"dtc-observer-mappings",
"orchestrator-mappings",
"organization-mappings",
"package-mappings",
"process-mappings",
"registry-mappings",
"related-mappings",
"rule-mappings",
"server-mappings",
"service-mappings",
"source-mappings",
"threat-mappings",
"tls-mappings",
"tracing-mappings",
"url-mappings",
"user_agent-mappings",
"user-mappings",
"vulnerability-mappings",
"common-settings",
"common-dynamic-mappings"
],
"priority": {{ PRIORITY }},
"_meta": {
"description": "Composable template that includes SO base fields",
"ecs_version": "1.12"
}
}
}

13
salt/elasticsearch/templates/so/so-aws-template.json.jinja
View File

@@ -1,13 +0,0 @@
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-aws:shards', 1) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-aws:refresh', '30s') %}
{
"index_patterns": ["so-aws-*"],
"version":50001,
"order":11,
"settings":{
"number_of_replicas":{{ REPLICAS }},
"number_of_shards":{{ SHARDS }},
"index.refresh_interval":"{{ REFRESH }}"
}
}

13
salt/elasticsearch/templates/so/so-azure-template.json.jinja
View File

@@ -1,13 +0,0 @@
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-azure:shards', 1) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-azure:refresh', '30s') %}
{
"index_patterns": ["so-azure-*"],
"version":50001,
"order":11,
"settings":{
"number_of_replicas":{{ REPLICAS }},
"number_of_shards":{{ SHARDS }},
"index.refresh_interval":"{{ REFRESH }}"
}
}

13
salt/elasticsearch/templates/so/so-barracuda-template.json.jinja
View File

@@ -1,13 +0,0 @@
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:shards', 1) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:refresh', '30s') %}
{
"index_patterns": ["so-barracuda-*"],
"version":50001,
"order":11,
"settings":{
"number_of_replicas":{{ REPLICAS }},
"number_of_shards":{{ SHARDS }},
"index.refresh_interval":"{{ REFRESH }}"
}
}

13
salt/elasticsearch/templates/so/so-beats-template.json.jinja
View File

@@ -1,13 +0,0 @@
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-beats:shards', 1) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-beats:refresh', '30s') %}
{
"index_patterns": ["so-beats-*"],
"version": 50001,
"order": 11,
"settings":{
"number_of_replicas":{{ REPLICAS }},
"number_of_shards":{{ SHARDS }},
"index.refresh_interval":"{{ REFRESH }}"
}
}

13
salt/elasticsearch/templates/so/so-bluecoat-template.json.jinja
View File

@@ -1,13 +0,0 @@
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:shards', 1) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:refresh', '30s') %}
{
"index_patterns": ["so-bluecoat-*"],
"version":50001,
"order":11,
"settings":{
"number_of_replicas":{{ REPLICAS }},
"number_of_shards":{{ SHARDS }},
"index.refresh_interval":"{{ REFRESH }}"
}
}

226
salt/elasticsearch/templates/so/so-case-template.json.jinja
View File

@@ -1,226 +0,0 @@
{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', True) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-common:refresh', '30s') %}
{
"index_patterns": ["so-case*"],
"version":50001,
"order":11,
"settings":{
"number_of_replicas":{{ REPLICAS }},
"number_of_shards":1,
"index.refresh_interval":"{{ REFRESH }}",
"index.routing.allocation.require.box_type":"hot",
"index.mapping.total_fields.limit": "1500"
},
"mappings": {
"_meta": {
"version": "1.5.0"
},
"dynamic": false,
"date_detection": false,
"properties": {
"@timestamp": {
"type": "date"
},
"so_kind": {
"type": "keyword",
"ignore_above": 1024
},
"so_operation": {
"type": "keyword",
"ignore_above": 1024
},
"so_audit_doc_id": {
"type": "keyword",
"ignore_above": 1024
},
"so_artifact": {
"properties": {
"artifactType": {
"type": "keyword",
"ignore_above": 1024
},
"caseId": {
"type": "keyword",
"ignore_above": 1024
},
"createTime": {
"type": "date"
},
"description": {
"type": "text"
},
"groupId": {
"type": "keyword",
"ignore_above": 1024
},
"groupType": {
"type": "keyword",
"ignore_above": 1024
},
"ioc": {
"type": "boolean"
},
"md5": {
"type": "keyword",
"ignore_above": 1024
},
"mimeType": {
"type": "keyword",
"ignore_above": 1024
},
"sha1": {
"type": "keyword",
"ignore_above": 1024
},
"sha256": {
"type": "keyword",
"ignore_above": 1024
},
"streamId": {
"type": "keyword",
"ignore_above": 1024
},
"streamLength": {
"type": "long"
},
"tags": {
"type": "keyword",
"ignore_above": 1024
},
"tlp": {
"type": "keyword",
"ignore_above": 1024
},
"userId": {
"type": "keyword",
"ignore_above": 1024
},
"value": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 1024
}
}
}
}
},
"so_artifactstream": {
"properties": {
"content": {
"type": "text"
},
"createTime": {
"type": "date"
},
"userId": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"so_case": {
"properties": {
"assigneeId": {
"type": "keyword",
"ignore_above": 1024
},
"category": {
"type": "keyword",
"ignore_above": 1024
},
"completeTime": {
"type": "date"
},
"createTime": {
"type": "date"
},
"description": {
"type": "text"
},
"pap": {
"type": "keyword",
"ignore_above": 1024
},
"priority": {
"type": "long"
},
"severity": {
"type": "keyword",
"ignore_above": 1024
},
"startTime": {
"type": "date"
},
"status": {
"type": "keyword",
"ignore_above": 1024
},
"tags": {
"type": "keyword",
"ignore_above": 1024
},
"template": {
"type": "keyword",
"ignore_above": 1024
},
"title": {
"type": "text"
},
"tlp": {
"type": "keyword",
"ignore_above": 1024
},
"userId": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"so_comment": {
"properties": {
"caseId": {
"type": "keyword",
"ignore_above": 1024
},
"createTime": {
"type": "date"
},
"description": {
"type": "text"
},
"userId": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"so_related": {
"properties": {
"caseId": {
"type": "keyword",
"ignore_above": 1024
},
"createTime": {
"type": "date"
},
"fields": {
"eager_global_ordinals": false,
"ignore_above": 1024,
"index": true,
"type": "flattened",
"index_options": "docs",
"split_queries_on_whitespace": false,
"doc_values": true
},
"userId": {
"type": "keyword",
"ignore_above": 1024
}
}
}
}
}
}

13
salt/elasticsearch/templates/so/so-cef-template.json.jinja
View File

@@ -1,13 +0,0 @@
{%- set SHARDS = salt['pillar.get']('elasticsearch:index_settings:so-cef:shards', 1) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cef:refresh', '30s') %}
{
"index_patterns": ["so-cef-*"],
"version":50001,
"order":11,
"settings":{
"number_of_replicas":{{ REPLICAS }},
"number_of_shards":{{ SHARDS }},
"index.refresh_interval":"{{ REFRESH }}"
}
}

Some files were not shown because too many files have changed in this diff Show More