CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-05-09 12:52:38 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #424 from Security-Onion-Solutions/ecs_parsing

Browse Source 
ECS parsing
This commit is contained in:
weslambert
2020-03-14 08:11:15 -04:00
committed by GitHub
parent a9d286b90f 85c1873f4d
commit 775066489a
25 changed files with 532 additions and 22780 deletions
Download Patch File Download Diff File Expand all files Collapse all files
salt/elasticsearch/files/ingest/common
+6 -11
View File
@@ -1,17 +1,10 @@
{
"description" : "common",
"processors" : [
{
"rename": {
"field": "type",
"target_field": "event_type",
"ignore_missing": true
}
},
{
"geoip": {
"field": "destination.ip",
"target_field": "destination_geo",
"target_field": "geo",
"database_file": "GeoLite2-City.mmdb",
"ignore_missing": true,
"properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"]
@@ -20,7 +13,7 @@
{
"geoip": {
"field": "source.ip",
"target_field": "source_geo",
"target_field": "geo",
"database_file": "GeoLite2-City.mmdb",
"ignore_missing": true,
"properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"]
@@ -41,10 +34,12 @@
"ignore_failure": true,
"index_name_format": "yyyy.MM.dd"
}
},
},
{ "rename": { "field": "module", "target_field": "event.module", "ignore_missing": true } },
{ "rename": { "field": "dataset", "target_field": "event.dataset", "ignore_missing": true } },
{
"remove": {
"field": [ "index_name_prefix"],
"field": [ "index_name_prefix", "beat"],
"ignore_failure": false
}
}
salt/elasticsearch/files/ingest/ossec.alert
+53
View File
@@ -0,0 +1,53 @@
{
"description" : "ossec",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.agent", "target_field": "agent", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "data", "ignore_missing": true } },
{ "rename": { "field": "message2.decoder", "target_field": "decoder", "ignore_missing": true } },
{ "rename": { "field": "message2.full_log", "target_field": "log.full", "ignore_missing": true } },
{ "rename": { "field": "message2.id", "target_field": "log.id.id", "ignore_missing": true } },
{ "rename": { "field": "message2.location", "target_field": "location", "ignore_missing": true } },
{ "rename": { "field": "message2.manager", "target_field": "manager", "ignore_missing": true } },
{ "rename": { "field": "message2.predecoder", "target_field": "predecoder", "ignore_missing": true } },
{ "rename": { "field": "message2.timestamp", "target_field": "timestamp", "ignore_missing": true } },
{ "rename": { "field": "message2.previous_log", "target_field": "log.previous_log", "ignore_missing": true } },
{ "rename": { "field": "message2.previous_output", "target_field": "log.previous_output", "ignore_missing": true } },
{ "rename": { "field": "message2.rule", "target_field": "rule", "ignore_missing": true } },
{ "rename": { "field": "data.command", "target_field": "command", "ignore_missing": true } },
{ "rename": { "field": "data.dstip", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "data.dstport", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "data.dstuser", "target_field": "user.escalated", "ignore_missing": true } },
{ "rename": { "field": "data.srcip", "target_field": "source.ip", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.destinationHostname", "target_field": "destination.hostname", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.destinationIp", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.destinationPort", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.image", "target_field": "image_path", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.parentImage", "target_field": "parent_image_path", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.sourceHostname", "target_field": "source.hostname", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.sourceIp", "target_field": "source_ip", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.sourcePort", "target_field": "source.port", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.targetFilename", "target_field": "file.target", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.user", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "data.win.system.eventID", "target_field": "event.code", "ignore_missing": true } },
{ "rename": { "field": "predecoder.program_name", "target_field": "process.name", "ignore_missing": true } },
{ "set": { "if": "ctx.rule.level == 1", "field": "rule.category", "value": "None" } },
{ "set": { "if": "ctx.rule.level == 2", "field": "rule.category", "value": "System low priority notification" } },
{ "set": { "if": "ctx.rule.level == 3", "field": "rule.category", "value": "Successful/authorized event" } },
{ "set": { "if": "ctx.rule.level == 4", "field": "rule.category", "value": "System low priority error" } },
{ "set": { "if": "ctx.rule.level == 5", "field": "rule.category", "value": "User generated error" } },
{ "set": { "if": "ctx.rule.level == 6", "field": "rule.category", "value": "Low relevance attack" } },
{ "set": { "if": "ctx.rule.level == 7", "field": "rule.category", "value": "\"Bad word\" matching" } },
{ "set": { "if": "ctx.rule.level == 8", "field": "rule.category", "value": "First time seen" } },
{ "set": { "if": "ctx.rule.level == 9", "field": "rule.category", "value": "Error from invalid source" } },
{ "set": { "if": "ctx.rule.level == 10", "field": "rule.category", "value": "Multiple user generated errors" } },
{ "set": { "if": "ctx.rule.level == 11", "field": "rule.category", "value": "Integrity checking warning" } },
{ "set": { "if": "ctx.rule.level == 12", "field": "rule.category", "value": "High importance event" } },
{ "set": { "if": "ctx.rule.level == 13", "field": "rule.category", "value": "Unusal error (high importance)" } },
{ "set": { "if": "ctx.rule.level == 14", "field": "rule.category", "value": "High importance security event" } },
{ "set": { "if": "ctx.rule.level == 15", "field": "rule.category", "value": "Severe attack" } },
{ "append": { "if": "ctx.rule.level != null", "field": "tags", "value": ["alert"] } },
{ "remove": { "field": [ "predecoder", "decoder" ], "ignore_missing": true, "ignore_failure": false } },
{ "pipeline": { "name": "common" } }
]
}
salt/elasticsearch/files/ingest/strelka.file
+12
View File
@@ -0,0 +1,12 @@
{
"description" : "strelka",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.file", "target_field": "file", "ignore_missing": true } },
{ "rename": { "field": "message2.scan", "target_field": "scan", "ignore_missing": true } },
{ "rename": { "field": "message2.request", "target_field": "request", "ignore_missing": true } },
{ "rename": { "field": "scan.hash", "target_field": "file.hash", "ignore_missing": true } },
{ "remove": { "field": ["host", "path"], "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]
}
salt/elasticsearch/files/ingest/suricata.alert
+11
View File
@@ -0,0 +1,11 @@
{
"description" : "suricata.alert",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename":{ "field": "message2.comunity_id", "target_field": "network.comunity_id", "ignore_failure": true } },
{ "rename":{ "field": "message2.alert", "target_field": "rule", "ignore_failure": true } },
{ "rename":{ "field": "rule.signature", "target_field": "rule.name", "ignore_failure": true } },
{ "rename":{ "field": "rule.ref", "target_field": "rule.version", "ignore_failure": true } },
{ "pipeline": { "name": "suricata.common" } }
]
}
salt/elasticsearch/files/ingest/suricata.common
+14
View File
@@ -0,0 +1,14 @@
{
"description" : "suricata.common",
"processors" : [
{ "rename":{ "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } },
{ "rename":{ "field": "message2.flow_id", "target_field": "event.id", "ignore_failure": true } },
{ "rename":{ "field": "message2.comunity_id", "target_field": "network.comunity_id", "ignore_failure": true } },
{ "rename":{ "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } },
{ "rename":{ "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } },
{ "rename":{ "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } },
{ "rename":{ "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } },
{ "remove": { "field": ["message2"], "ignore_failure": true } },
{ "pipeline": { "name": "common" } }
]
}
salt/elasticsearch/files/ingest/zeek.common
+1 -3
View File
@@ -1,7 +1,7 @@
{
"description" : "zeek.common",
"processors" : [
{ "rename": { "field": "@timestamp", "target_field": "es.timestamp", "ignore_missing": true } },
{ "rename": { "field": "@timestamp", "target_field": "ingest.timestamp", "ignore_missing": true } },
{ "rename": { "field": "message2.uid", "target_field": "log.id.uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
@@ -15,8 +15,6 @@
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "set": { "field": "server.port", "value": "{{destination.port}}" } },
{ "set": { "field": "event.module", "value": "zeek" } },
{ "grok": { "field": "event_type", "patterns": ["zeek.%{WORD:event.dataset}"] } },
{ "date": { "field": "message2.ts", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "ignore_failure": true } },
{ "remove": { "field": ["message2.ts", "path"], "ignore_failure": true } },
{ "pipeline": { "name": "common" } }
salt/elasticsearch/files/ingest/zeek.conn
+1 -15
View File
@@ -1,7 +1,7 @@
{
"description" : "zeek.conn",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": false } },
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.service", "target_field": "network.protocol", "ignore_missing": true } },
@@ -21,20 +21,6 @@
{ "rename": { "field": "message2.orig_cc", "target_field": "client.country_code","ignore_missing": true } },
{ "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } },
{ "rename": { "field": "message2.sensorname", "target_field": "observer.name", "ignore_missing": true } },
{ "script": { "lang": "painless", "source": "ctx.connection.bytes.total = (ctx.client.bytes + ctx.server.bytes)", "ignore_failure": true } },
{ "set": { "if": "ctx.connection.state == 'S0'", "field": "connection.state_description", "value": "Connection attempt seen, no reply" } },
{ "set": { "if": "ctx.connection.state == 'S1'", "field": "connection.state_description", "value": "Connection established, not terminated" } },
{ "set": { "if": "ctx.connection.state == 'S2'", "field": "connection.state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } },
{ "set": { "if": "ctx.connection.state == 'S3'", "field": "connection.state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } },
{ "set": { "if": "ctx.connection.state == 'SF'", "field": "connection.state_description", "value": "Normal SYN/FIN completion" } },
{ "set": { "if": "ctx.connection.state == 'REJ'", "field": "connection.state_description", "value": "Connection attempt rejected" } },
{ "set": { "if": "ctx.connection.state == 'RSTO'", "field": "connection.state_description", "value": "Connection established, originator aborted (sent a RST)" } },
{ "set": { "if": "ctx.connection.state == 'RSTR'", "field": "connection.state_description", "value": "Established, responder aborted" } },
{ "set": { "if": "ctx.connection.state == 'RSTOS0'","field": "connection.state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } },
{ "set": { "if": "ctx.connection.state == 'RSTRH'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } },
{ "set": { "if": "ctx.connection.state == 'SH'", "field": "connection.state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
{ "set": { "if": "ctx.connection.state == 'SHR'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
{ "set": { "if": "ctx.connection.state == 'OTH'", "field": "connection.state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
{ "pipeline": { "name": "zeek.common" } }
]
}
salt/elasticsearch/files/ingest/zeek.dpd
+2 -3
View File
@@ -3,7 +3,6 @@
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
@@ -13,8 +12,8 @@
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.analyzer", "target_field": "analyzer", "ignore_missing": true } },
{ "rename": { "field": "message2.failure_reason", "target_field": "failure_reason", "ignore_missing": true } },
{ "rename": { "field": "message2.analyzer", "target_field": "observer.analyzer", "ignore_missing": true } },
{ "rename": { "field": "message2.failure_reason", "target_field": "error.reason", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}
salt/elasticsearch/files/ingest/zeek.http
+1 -1
View File
@@ -2,7 +2,7 @@
"description" : "zeek.http",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.trans_depth", "target_field": "http.trans_depth", "ignore_missing": true } },
{ "rename": { "field": "message2.method", "target_field": "http.method", "ignore_missing": true } },
{ "rename": { "field": "message2.host", "target_field": "http.virtual_host", "ignore_missing": true } },
salt/elasticsearch/files/ingest/zeek.tunnel
-1
View File
@@ -2,7 +2,6 @@
"description" : "zeek.tunnel",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "set": { "field": "event_type", "value": "zeek.tunnels" } },
{ "pipeline": { "name": "zeek.tunnels" } }
]
}
salt/elasticsearch/files/ingest/zeek.tunnels
+2 -2
View File
@@ -12,8 +12,8 @@
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.tunnel_type", "target_field": "tunnel_type", "ignore_missing": true } },
{ "rename": { "field": "message2.action", "target_field": "action", "ignore_missing": true } },
{ "rename": { "field": "message2.tunnel_type", "target_field": "tunnel.type", "ignore_missing": true } },
{ "rename": { "field": "message2.action", "target_field": "event.action", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}
salt/elasticsearch/files/ingest/zeek.weird
-1
View File
@@ -2,7 +2,6 @@
"description" : "zeek.weird",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.name", "target_field": "weird.name", "ignore_missing": true } },
{ "rename": { "field": "message2.addl", "target_field": "weird.additional_info", "ignore_missing": true } },
{ "rename": { "field": "message2.notice", "target_field": "weird.notice", "ignore_missing": true } },
salt/elasticsearch/init.sls
+6
View File
@@ -143,3 +143,9 @@ so-elasticsearch-pipelines-file:
so-elasticsearch-pipelines:
cmd.run:
- name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ esclustername }}
so-elasticsearch-templates:
cmd.run:
- name: /usr/sbin/so-elasticsearch-templates
- cwd: /
salt/filebeat/etc/filebeat.yml
+66 -26
View File
@@ -80,9 +80,13 @@ filebeat.prospectors:
paths:
- /nsm/zeek/logs/current/{{ LOGNAME }}.log
fields:
type: bro_{{ LOGNAME }}
module: zeek
dataset: {{ LOGNAME }}
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
tags: ["bro"]
clean_removed: false
close_removed: false
@@ -93,8 +97,13 @@ filebeat.prospectors:
paths:
- /suricata/eve.json
fields:
type: ids
engine: suricata
module: suricata
dataset: alert
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
clean_removed: false
close_removed: false
@@ -106,19 +115,25 @@ filebeat.prospectors:
paths:
- /wazuh/alerts/alerts.json
fields:
type: ossec
module: ossec
dataset: alert
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
clean_removed: false
close_removed: false
- type: log
paths:
- /wazuh/archives/archives.json
fields:
type: ossec_archive
fields_under_root: true
clean_removed: false
close_removed: false
# - type: log
# paths:
# - /wazuh/archives/archives.json
# fields:
# type: ossec_archive
# fields_under_root: true
# clean_removed: false
# close_removed: false
{%- endif %}
@@ -129,6 +144,11 @@ filebeat.prospectors:
- /osquery/logs/result.log
fields:
type: osquery
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
clean_removed: false
close_removed: false
@@ -141,34 +161,56 @@ filebeat.prospectors:
paths:
- /opt/so/log/strelka/strelka.log
fields:
type: strelka
module: strelka
dataset: file
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
clean_removed: false
close_removed: false
{%- endif %}
#----------------------------- Logstash output ---------------------------------
output.logstash:
# Boolean flag to enable or disable the output module.
output.elasticsearch:
enabled: true
hosts: ["{{ MASTER }}:9200"]
pipelines:
- pipeline: "%{[module]}.%{[dataset]}"
indices:
- index: "so-zeek-%{+yyyy.MM.dd}"
when.contains:
module: "zeek"
- index: "so-ids-%{+yyyy.MM.dd}"
when.contains:
module: "suricata"
- index: "so-ossec-%{+yyyy.MM.dd}"
when.contains:
module: "ossec"
#output.logstash:
# Boolean flag to enable or disable the output module.
#enabled: true
# The Logstash hosts
hosts: ["{{ MASTER }}:5644"]
#hosts: ["{{ MASTER }}:5644"]
# Number of workers per Logstash host.
worker: 1
#worker: 1
# Set gzip compression level.
compression_level: 3
#compression_level: 3
# Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
ssl.enabled: true
#ssl.enabled: true
# Configure SSL verification mode. If `none` is configured, all server hosts
# and certificates will be accepted. In this mode, SSL based connections are
# susceptible to man-in-the-middle attacks. Use only for testing. Default is
# `full`.
ssl.verification_mode: full
#ssl.verification_mode: full
# List of supported/valid TLS versions. By default all TLS versions 1.0 up to
# 1.2 are enabled.
@@ -176,16 +218,14 @@ output.logstash:
# Optional SSL configuration options. SSL is off by default.
# List of root certificates for HTTPS server verifications
ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
#ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
# Certificate for SSL client authentication
ssl.certificate: "/usr/share/filebeat/filebeat.crt"
#ssl.certificate: "/usr/share/filebeat/filebeat.crt"
# Client Certificate Key
ssl.key: "/usr/share/filebeat/filebeat.key"
#ssl.key: "/usr/share/filebeat/filebeat.key"
# Elasticsearch template settings
#setup.template.settings:
# A dictionary of settings to place into the settings.index dictionary
# of the Elasticsearch template. For more details, please check
salt/logstash/pipelines/templates/so/beats-template.json
-1288
View File
File diff suppressed because it is too large Load Diff
salt/logstash/pipelines/templates/so/logstash-bro-template.json
-3619
View File
File diff suppressed because it is too large Load Diff
salt/logstash/pipelines/templates/so/logstash-ossec-template.json
-3486
View File
File diff suppressed because it is too large Load Diff
salt/logstash/pipelines/templates/so/logstash-strelka-template.json
-24
View File
@@ -1,24 +0,0 @@
{
"index_patterns": ["logstash-strelka-*"],
"version":50001,
"order" : 0,
"settings":{
"number_of_replicas":0,
"number_of_shards":1,
"index.refresh_interval":"30s"
},
"mappings":{
"doc":{
"dynamic": false,
"date_detection": false,
"properties":{
"@timestamp":{
"type":"date"
},
"@version":{
"type":"keyword"
}
}
}
}
}
salt/logstash/pipelines/templates/so/logstash-template.json
-3619
View File
File diff suppressed because it is too large Load Diff
salt/logstash/pipelines/templates/so/so-common-template.json
+355
View File
@@ -0,0 +1,355 @@
{
"index_patterns": ["so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka", "so-beats-*"],
"version":50001,
"order" : 10,
"settings":{
"number_of_replicas":0,
"number_of_shards":1,
"index.refresh_interval":"30s"
},
"mappings":{
"doc":{
"dynamic": false,
"date_detection": false,
"properties":{
"@timestamp":{
"type":"date"
},
"@version":{
"type":"keyword"
},
"geoip":{
"dynamic":true,
"properties":{
"ip":{
"type":"ip"
},
"location":{
"type":"geo_point"
},
"latitude":{
"type":"half_float"
},
"longitude":{
"type":"half_float"
}
}
},
"destination_geo":{
"dynamic":true,
"properties":{
"ip":{
"type":"ip"
},
"location":{
"type":"geo_point"
},
"latitude":{
"type":"half_float"
},
"longitude":{
"type":"half_float"
}
}
},
"source_geo":{
"dynamic":true,
"properties":{
"ip":{
"type":"ip"
},
"location":{
"type":"geo_point"
},
"latitude":{
"type":"half_float"
},
"longitude":{
"type":"half_float"
}
}
},
"agent":{
"type":"object",
"dynamic": true
},
"as":{
"type":"object",
"dynamic": true
},
"alert":{
"type":"object",
"dynamic": true
},
"client":{
"type":"object",
"dynamic": true
},
"cloud":{
"type":"object",
"dynamic": true
},
"code_signature":{
"type":"object",
"dynamic": true
},
"connection":{
"type":"object",
"dynamic": true
},
"container":{
"type":"object",
"dynamic": true
},
"data":{
"type":"object",
"dynamic": true
},
"dce_rpc":{
"type":"object",
"dynamic": true
},
"destination":{
"type":"object",
"dynamic": true
},
"dhcp":{
"type":"object",
"dynamic": true
},
"dnp3":{
"type":"object",
"dynamic": true
},
"dns":{
"type":"object",
"dynamic": true
},
"dll":{
"type":"object",
"dynamic": true
},
"ecs":{
"type":"object",
"dynamic": true
},
"error":{
"type":"object",
"dynamic": true
},
"event":{
"type":"object",
"dynamic": true
},
"file":{
"type":"object",
"dynamic": true
},
"flow":{
"type":"object",
"dynamic": true
},
"ftp":{
"type":"object",
"dynamic": true
},
"geo":{
"type":"object",
"dynamic": true
},
"group":{
"type":"object",
"dynamic": true
},
"hash":{
"type":"object",
"dynamic": true
},
"host":{
"type":"object",
"dynamic": true
},
"http":{
"type":"object",
"dynamic": true
},
"ingest":{
"type":"object",
"dynamic": true
},
"interface":{
"type":"object",
"dynamic": true
},
"kerberos":{
"type":"object",
"dynamic": true
},
"log":{
"type":"object",
"dynamic": true
},
"manager":{
"type":"object",
"dynamic": true
},
"modbus":{
"type":"object",
"dynamic": true
},
"network":{
"type":"object",
"dynamic": true
},
"ntlm":{
"type":"object",
"dynamic": true
},
"observer":{
"type":"object",
"dynamic": true
},
"organization":{
"type":"object",
"dynamic": true
},
"os":{
"type":"object",
"dynamic": true
},
"package":{
"type":"object",
"dynamic": true
},
"pe":{
"type":"object",
"dynamic": true
},
"process":{
"type":"object",
"dynamic": true
},
"radius":{
"type":"object",
"dynamic": true
},
"rdp":{
"type":"object",
"dynamic": true
},
"registry":{
"type":"object",
"dynamic": true
},
"related":{
"type":"object",
"dynamic": true
},
"rfb":{
"type":"object",
"dynamic": true
},
"rule":{
"type":"object",
"dynamic": true
},
"server":{
"type":"object",
"dynamic": true
},
"service":{
"type":"object",
"dynamic": true
},
"sip":{
"type":"object",
"dynamic": true
},
"smb":{
"type":"object",
"dynamic": true
},
"smtp":{
"type":"object",
"dynamic": true
},
"snmp":{
"type":"object",
"dynamic": true
},
"socks":{
"type":"object",
"dynamic": true
},
"software":{
"type":"object",
"dynamic": true
},
"source":{
"type":"object",
"dynamic": true
},
"ssh":{
"type":"object",
"dynamic": true
},
"ssl":{
"type":"object",
"dynamic": true
},
"tags":{
"type":"text",
"fields":{
"keyword":{
"type":"keyword"
}
}
},
"threat":{
"type":"object",
"dynamic": true
},
"tls":{
"type":"object",
"dynamic": true
},
"trace":{
"type":"object",
"dynamic": true
},
"tunnel":{
"type":"object",
"dynamic": true
},
"user":{
"type":"object",
"dynamic": true
},
"user_agent":{
"type":"object",
"dynamic": true
},
"version":{
"type":"object",
"dynamic": true
},
"vlan":{
"type":"object",
"dynamic": true
},
"vulnerability":{
"type":"object",
"dynamic": true
},
"weird":{
"type":"object",
"dynamic": true
},
"x509":{
"type":"object",
"dynamic": true
}
}
}
}
}
salt/logstash/pipelines/templates/so/so-ossec-template.json
-3466
View File
File diff suppressed because it is too large Load Diff
salt/logstash/pipelines/templates/so/so-strelka-template.json
-24
View File
@@ -1,24 +0,0 @@
{
"index_patterns": ["so-strelka-*"],
"version":50001,
"order" : 0,
"settings":{
"number_of_replicas":0,
"number_of_shards":1,
"index.refresh_interval":"30s"
},
"mappings":{
"doc":{
"dynamic": false,
"date_detection": false,
"properties":{
"@timestamp":{
"type":"date"
},
"@version":{
"type":"keyword"
}
}
}
}
}
salt/logstash/pipelines/templates/so/so-template.json
-3600
View File
File diff suppressed because it is too large Load Diff
salt/logstash/pipelines/templates/so/so-zeek-template.json
+1 -3590
View File
File diff suppressed because it is too large Load Diff
salt/top.sls
+1 -1
View File
@@ -60,7 +60,7 @@ base:
- wazuh
{%- endif %}
- elasticsearch
- logstash
- filebeat
- kibana
- pcap
- suricata