Merge remote-tracking branch 'origin/2.4/dev' into 2.4/templaterepos

This commit is contained in:
defensivedepth
2024-11-08 09:20:11 -05:00
5 changed files with 183 additions and 19 deletions


@@ -3499,28 +3499,70 @@ elasticsearch:
set_priority: set_priority:
priority: 50 priority: 50
min_age: 30d min_age: 30d
so-logs-crowdstrike_x_falcon: so-logs-crowdstrike_x_alert:
index_sorting: false index_sorting: False
index_template: index_template:
index_patterns:
- logs-crowdstrike.alert-*
template:
settings:
index:
number_of_replicas: 0
composed_of:
- logs-crowdstrike.alert@package
- logs-crowdstrike.alert@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-crowdstrike.alert@custom
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-crowdstrike_x_falcon:
index_sorting: False
index_template:
index_patterns:
- logs-crowdstrike.falcon-*
template:
settings:
index:
number_of_replicas: 0
composed_of: composed_of:
- logs-crowdstrike.falcon@package - logs-crowdstrike.falcon@package
- logs-crowdstrike.falcon@custom - logs-crowdstrike.falcon@custom
- so-fleet_globals-1 - so-fleet_globals-1
- so-fleet_agent_id_verification-1 - so-fleet_agent_id_verification-1
priority: 501
data_stream: data_stream:
allow_custom_routing: false
hidden: false hidden: false
allow_custom_routing: false
ignore_missing_component_templates: ignore_missing_component_templates:
- logs-crowdstrike.falcon@custom - logs-crowdstrike.falcon@custom
index_patterns:
- logs-crowdstrike.falcon-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-crowdstrike.falcon-logs
number_of_replicas: 0
policy: policy:
phases: phases:
cold: cold:
@@ -3546,27 +3588,69 @@ elasticsearch:
priority: 50 priority: 50
min_age: 30d min_age: 30d
so-logs-crowdstrike_x_fdr: so-logs-crowdstrike_x_fdr:
index_sorting: false index_sorting: False
index_template: index_template:
index_patterns:
- logs-crowdstrike.fdr-*
template:
settings:
index:
number_of_replicas: 0
composed_of: composed_of:
- logs-crowdstrike.fdr@package - logs-crowdstrike.fdr@package
- logs-crowdstrike.fdr@custom - logs-crowdstrike.fdr@custom
- so-fleet_globals-1 - so-fleet_globals-1
- so-fleet_agent_id_verification-1 - so-fleet_agent_id_verification-1
priority: 501
data_stream: data_stream:
allow_custom_routing: false
hidden: false hidden: false
allow_custom_routing: false
ignore_missing_component_templates: ignore_missing_component_templates:
- logs-crowdstrike.fdr@custom - logs-crowdstrike.fdr@custom
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-crowdstrike_x_host:
index_sorting: False
index_template:
index_patterns: index_patterns:
- logs-crowdstrike.fdr-* - logs-crowdstrike.host-*
priority: 501
template: template:
settings: settings:
index: index:
lifecycle:
name: so-logs-crowdstrike.fdr-logs
number_of_replicas: 0 number_of_replicas: 0
composed_of:
- logs-crowdstrike.host@package
- logs-crowdstrike.host@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-crowdstrike.host@custom
policy: policy:
phases: phases:
cold: cold:
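Review bot: The rewritten `so-logs-crowdstrike_x_falcon` and `so-logs-crowdstrike_x_fdr` template settings drop the old `lifecycle: name: so-logs-crowdstrike.falcon-logs` / `so-logs-crowdstrike.fdr-logs` entries under `template.settings.index`, and the new `_x_alert` and `_x_host` entries never carry one, so nothing visible in these hunks binds the data streams to the `policy` block beneath them. Unless the template-loading step on this branch now injects `index.lifecycle.name` from the key name, the 365d `delete` phase will never run and these indices will be retained until disk pressure forces the issue — please confirm that is handled elsewhere. Separately, `index_sorting` is changed from `false` to `False` on the new side; both parse as a boolean under a YAML 1.1 loader, but lowercase `false` is the canonical spelling that yamllint's truthy rule accepts, so prefer `index_sorting: false` for all four entries. The `policy` bodies of the falcon and host entries continue past the end of this section.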


@@ -396,8 +396,10 @@ elasticsearch:
so-logs-citrix_waf_x_log: *indexSettings so-logs-citrix_waf_x_log: *indexSettings
so-logs-cloudflare_x_audit: *indexSettings so-logs-cloudflare_x_audit: *indexSettings
so-logs-cloudflare_x_logpull: *indexSettings so-logs-cloudflare_x_logpull: *indexSettings
so-logs-crowdstrike_x_alert: *indexSettings
so-logs-crowdstrike_x_falcon: *indexSettings so-logs-crowdstrike_x_falcon: *indexSettings
so-logs-crowdstrike_x_fdr: *indexSettings so-logs-crowdstrike_x_fdr: *indexSettings
so-logs-crowdstrike_x_host: *indexSettings
so-logs-darktrace_x_ai_analyst_alert: *indexSettings so-logs-darktrace_x_ai_analyst_alert: *indexSettings
so-logs-darktrace_x_model_breach_alert: *indexSettings so-logs-darktrace_x_model_breach_alert: *indexSettings
so-logs-darktrace_x_system_status_alert: *indexSettings so-logs-darktrace_x_system_status_alert: *indexSettings


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}
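Review bot: Each of `host.ip`, `related.ip`, `source.ip` and `destination.ip` is mapped as a strict `ip` type with no `ignore_malformed`, so any CrowdStrike document carrying a value that does not parse as an address (a hostname, a CIDR range) is rejected at index time and the whole event is lost rather than indexed with that one field unmapped. If the upstream ingest pipeline does not already guarantee these fields are clean addresses, add `"ignore_malformed": true` next to each `"type": "ip"` so a bad field degrades gracefully instead of dropping a security event. The file name is not visible here, so I am assuming this is one of the `@custom` component templates referenced from the `composed_of` lists in this commit.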


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}
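Review bot: This file is byte-for-byte identical to the other new component template in this commit (the same four `ip` mappings for `host`, `related`, `source` and `destination`). Since every index template in this commit already composes shared component templates (`so-fleet_globals-1`, `so-fleet_agent_id_verification-1`), a single shared ECS-ip component template added to each `composed_of` list would avoid the two copies drifting apart; if the per-integration `@custom` name is required by the Fleet naming scheme, keep both files but state in the commit message that they are intentionally identical. The same caveat applies here: without `"ignore_malformed": true`, a non-address value in any of these fields rejects the whole document.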


@@ -64,7 +64,7 @@
}, },
"tags": { "tags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"ruleset": { "ruleset": {
"ignore_above": 1024, "ignore_above": 1024,
@@ -82,6 +82,12 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"sourceCreated": {
"type": "date"
},
"sourceUpdated": {
"type": "date"
},
"overrides": { "overrides": {
"properties": { "properties": {
"type": { "type": {