From 039d5c22ac8212c01bdd68a5e5afbcccb4b532a9 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 6 Nov 2024 14:35:41 -0600 Subject: [PATCH 1/3] fix: crowdstrike integration Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/defaults.yaml | 120 +++++++++++++++--- salt/elasticsearch/soc_elasticsearch.yaml | 2 + .../logs-crowdstrike.alert@custom.json | 36 ++++++ .../logs-crowdstrike.host@custom.json | 36 ++++++ 4 files changed, 176 insertions(+), 18 deletions(-) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index c8684e775..e3259ecd5 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
@@ -3499,28 +3499,70 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-crowdstrike_x_falcon: - index_sorting: false + so-logs-crowdstrike_x_alert: + index_sorting: False index_template: + index_patterns: + - logs-crowdstrike.alert-* + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - logs-crowdstrike.alert@package + - logs-crowdstrike.alert@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + ignore_missing_component_templates: + - logs-crowdstrike.alert@custom + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-crowdstrike_x_falcon: + index_sorting: False + index_template: + index_patterns: + - logs-crowdstrike.falcon-* + template: + settings: + index: + number_of_replicas: 0 composed_of: - logs-crowdstrike.falcon@package - logs-crowdstrike.falcon@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 + priority: 501 data_stream: - allow_custom_routing: false hidden: false + allow_custom_routing: false ignore_missing_component_templates: - logs-crowdstrike.falcon@custom - index_patterns: - - logs-crowdstrike.falcon-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-crowdstrike.falcon-logs - number_of_replicas: 0 policy: phases: cold: 
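Review bot: The rewritten `so-logs-crowdstrike_x_falcon` entry drops `lifecycle: name: so-logs-crowdstrike.falcon-logs` from `template.settings.index`, and the new `so-logs-crowdstrike_x_alert` entry never sets one, while both still carry a `policy` with a 30d rollover and a 365d `delete` phase. Unless the template loader attaches the ILM policy by some route not visible in this diff, the backing indices of `logs-crowdstrike.alert-*` and `logs-crowdstrike.falcon-*` would be unmanaged and never roll over or expire, which matters for an EDR feed whose volume is hard to cap. If the binding is now derived elsewhere, a one-line comment above the entry such as `# ILM policy is attached by the template loader from the policy block below` would save the next reader the same question; otherwise restore `lifecycle: name: so-logs-crowdstrike.falcon-logs` (and the alert equivalent) under `settings.index`. The falcon entry's `policy` block continues past the end of the hunk.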
@@ -3546,27 +3588,69 @@ elasticsearch: priority: 50 min_age: 30d so-logs-crowdstrike_x_fdr: - index_sorting: false + index_sorting: False index_template: + index_patterns: + - logs-crowdstrike.fdr-* + template: + settings: + index: + number_of_replicas: composed_of: - logs-crowdstrike.fdr@package - logs-crowdstrike.fdr@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 + priority: 501 data_stream: - allow_custom_routing: false hidden: false + allow_custom_routing: false ignore_missing_component_templates: - logs-crowdstrike.fdr@custom + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-crowdstrike_x_host: + index_sorting: False + index_template: index_patterns: - - logs-crowdstrike.fdr-* - priority: 501 + - logs-crowdstrike.host-* template: settings: index: - lifecycle: - name: so-logs-crowdstrike.fdr-logs number_of_replicas: 0 + composed_of: + - logs-crowdstrike.host@package + - logs-crowdstrike.host@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + ignore_missing_component_templates: + - logs-crowdstrike.host@custom policy: phases: cold: diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 266372708..e26d1d705 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml 
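Review bot: `index_sorting: False` in the `so-logs-crowdstrike_x_fdr` and `so-logs-crowdstrike_x_host` entries replaces the lowercase `false` the removed line used; PyYAML reads both as a boolean, but yamllint's `truthy` rule flags the capitalised form and the file now mixes two spellings of the same value. Write `index_sorting: false` in both entries. The hunk also removes `lifecycle: name: so-logs-crowdstrike.fdr-logs` while keeping a `policy` for fdr and adding one for host with no `lifecycle` binding in sight; if the loader does not attach the policy elsewhere, neither data stream will be subject to the rollover and 365d delete phases defined here. The host entry's `policy` block continues past the end of the hunk.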
@@ -396,8 +396,10 @@ elasticsearch: so-logs-citrix_waf_x_log: *indexSettings so-logs-cloudflare_x_audit: *indexSettings so-logs-cloudflare_x_logpull: *indexSettings + so-logs-crowdstrike_x_alert: *indexSettings so-logs-crowdstrike_x_falcon: *indexSettings so-logs-crowdstrike_x_fdr: *indexSettings + so-logs-crowdstrike_x_host: *indexSettings so-logs-darktrace_x_ai_analyst_alert: *indexSettings so-logs-darktrace_x_model_breach_alert: *indexSettings so-logs-darktrace_x_system_status_alert: *indexSettings diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json new file mode 100644 index 000000000..17319ab9f --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json @@ -0,0 +1,36 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json new file mode 100644 index 000000000..17319ab9f --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json @@ -0,0 +1,36 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } +} From 80b82b0bd62b61739b0c689aa2e75967f35fc4af Mon Sep 17 00:00:00 2001 
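Review bot: The `@custom` template forces `host.ip`, `related.ip`, `source.ip` and `destination.ip` to the `ip` type, and an `ip` field rejects the entire document when a value is not a parseable IPv4/IPv6 address, so a bad value loses the alert rather than just the field. CrowdStrike alert payloads are outside this diff, so whether those fields can ever carry a hostname, an empty string or a zoned IPv6 literal cannot be confirmed here; given that a dropped document is a dropped EDR alert, adding `"ignore_malformed": true` alongside each `"type": "ip"` keeps the alert indexed and discards only the unparseable value. Since JSON cannot carry a comment, a sentence in the commit description explaining why the package mapping needed overriding would help the next maintainer.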
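Review bot: This file is byte-for-byte the same blob as `logs-crowdstrike.alert@custom.json` (both at index 17319ab9f), so the same caveat applies: the four `"type": "ip"` mappings will reject any host document whose `host.ip`, `related.ip`, `source.ip` or `destination.ip` is not a valid address unless `"ignore_malformed": true` is set next to each. Host inventory records are a plausible place for blank or non-address values, and whether the package pipeline normalises them before this mapping sees them is not visible in the diff. If the two files are meant to stay in lockstep, saying so in the commit description would help, since the JSON cannot carry a comment.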
From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 6 Nov 2024 15:24:13 -0600 Subject: [PATCH 2/3] missing replica 0 Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index e3259ecd5..133c333e1 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -3595,7 +3595,7 @@ elasticsearch: template: settings: index: - number_of_replicas: + number_of_replicas: 0 composed_of: - logs-crowdstrike.fdr@package - logs-crowdstrike.fdr@custom From 8334fd9c46d80ef12cc127b9a8d5c14eba04e0ac Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Wed, 6 Nov 2024 10:52:34 -0700 Subject: [PATCH 3/3] Source Dates --- .../templates/component/so/detection-mappings.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/templates/component/so/detection-mappings.json b/salt/elasticsearch/templates/component/so/detection-mappings.json index 2e405912d..4dd5b45e7 100644 --- a/salt/elasticsearch/templates/component/so/detection-mappings.json +++ b/salt/elasticsearch/templates/component/so/detection-mappings.json @@ -64,7 +64,7 @@ }, "tags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword" }, "ruleset": { "ignore_above": 1024, @@ -82,6 +82,12 @@ "ignore_above": 1024, "type": "keyword" }, + "sourceCreated": { + "type": "date" + }, + "sourceUpdated": { + "type": "date" + }, "overrides": { "properties": { "type": {
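Review bot: `sourceCreated` and `sourceUpdated` are mapped as `date` with no `format`, so Elasticsearch will accept only `strict_date_optional_time` or epoch-millis values and will reject the whole detection document otherwise. The values are presumably copied from the upstream rule's own date field, and rule formats such as Sigma have commonly written dates as `YYYY/MM/DD`, which the default format does not parse; whether the writer normalises the value before indexing is not visible here. Either pin the accepted shapes with `"format": "strict_date_optional_time||yyyy/MM/dd||epoch_millis"` on both fields, or document at the writer that the value must already be ISO-8601. The enclosing `properties` mapping starts before and ends after this hunk.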