CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #424 from Security-Onion-Solutions/ecs_parsing

Browse Source 
ECS parsing
This commit is contained in:
weslambert
2020-03-14 08:11:15 -04:00
committed by GitHub
parent a9d286b90f 85c1873f4d
commit 775066489a
25 changed files with 532 additions and 22780 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
salt/elasticsearch/files/ingest/common
View File

@@ -1,17 +1,10 @@
{
"description" : "common",
"processors" : [
{
"rename": {
"field": "type",
"target_field": "event_type",
"ignore_missing": true
}
},
{
"geoip": {
"field": "destination.ip",
"target_field": "destination_geo",
"target_field": "geo",
"database_file": "GeoLite2-City.mmdb",
"ignore_missing": true,
"properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"]
@@ -20,7 +13,7 @@
{
"geoip": {
"field": "source.ip",
"target_field": "source_geo",
"target_field": "geo",
"database_file": "GeoLite2-City.mmdb",
"ignore_missing": true,
"properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"]
@@ -42,9 +35,11 @@
"index_name_format": "yyyy.MM.dd"
}
},
{ "rename": { "field": "module", "target_field": "event.module", "ignore_missing": true } },
{ "rename": { "field": "dataset", "target_field": "event.dataset", "ignore_missing": true } },
{
"remove": {
"field": [ "index_name_prefix"],
"field": [ "index_name_prefix", "beat"],
"ignore_failure": false
}
}

53
salt/elasticsearch/files/ingest/ossec.alert Normal file
View File

@@ -0,0 +1,53 @@
{
"description" : "ossec",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.agent", "target_field": "agent", "ignore_missing": true } },
{ "rename": { "field": "message2.data", "target_field": "data", "ignore_missing": true } },
{ "rename": { "field": "message2.decoder", "target_field": "decoder", "ignore_missing": true } },
{ "rename": { "field": "message2.full_log", "target_field": "log.full", "ignore_missing": true } },
{ "rename": { "field": "message2.id", "target_field": "log.id.id", "ignore_missing": true } },
{ "rename": { "field": "message2.location", "target_field": "location", "ignore_missing": true } },
{ "rename": { "field": "message2.manager", "target_field": "manager", "ignore_missing": true } },
{ "rename": { "field": "message2.predecoder", "target_field": "predecoder", "ignore_missing": true } },
{ "rename": { "field": "message2.timestamp", "target_field": "timestamp", "ignore_missing": true } },
{ "rename": { "field": "message2.previous_log", "target_field": "log.previous_log", "ignore_missing": true } },
{ "rename": { "field": "message2.previous_output", "target_field": "log.previous_output", "ignore_missing": true } },
{ "rename": { "field": "message2.rule", "target_field": "rule", "ignore_missing": true } },
{ "rename": { "field": "data.command", "target_field": "command", "ignore_missing": true } },
{ "rename": { "field": "data.dstip", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "data.dstport", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "data.dstuser", "target_field": "user.escalated", "ignore_missing": true } },
{ "rename": { "field": "data.srcip", "target_field": "source.ip", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.destinationHostname", "target_field": "destination.hostname", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.destinationIp", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.destinationPort", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.image", "target_field": "image_path", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.parentImage", "target_field": "parent_image_path", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.sourceHostname", "target_field": "source.hostname", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.sourceIp", "target_field": "source_ip", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.sourcePort", "target_field": "source.port", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.targetFilename", "target_field": "file.target", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.user", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "data.win.system.eventID", "target_field": "event.code", "ignore_missing": true } },
{ "rename": { "field": "predecoder.program_name", "target_field": "process.name", "ignore_missing": true } },
{ "set": { "if": "ctx.rule.level == 1", "field": "rule.category", "value": "None" } },
{ "set": { "if": "ctx.rule.level == 2", "field": "rule.category", "value": "System low priority notification" } },
{ "set": { "if": "ctx.rule.level == 3", "field": "rule.category", "value": "Successful/authorized event" } },
{ "set": { "if": "ctx.rule.level == 4", "field": "rule.category", "value": "System low priority error" } },
{ "set": { "if": "ctx.rule.level == 5", "field": "rule.category", "value": "User generated error" } },
{ "set": { "if": "ctx.rule.level == 6", "field": "rule.category", "value": "Low relevance attack" } },
{ "set": { "if": "ctx.rule.level == 7", "field": "rule.category", "value": "\"Bad word\" matching" } },
{ "set": { "if": "ctx.rule.level == 8", "field": "rule.category", "value": "First time seen" } },
{ "set": { "if": "ctx.rule.level == 9", "field": "rule.category", "value": "Error from invalid source" } },
{ "set": { "if": "ctx.rule.level == 10", "field": "rule.category", "value": "Multiple user generated errors" } },
{ "set": { "if": "ctx.rule.level == 11", "field": "rule.category", "value": "Integrity checking warning" } },
{ "set": { "if": "ctx.rule.level == 12", "field": "rule.category", "value": "High importance event" } },
{ "set": { "if": "ctx.rule.level == 13", "field": "rule.category", "value": "Unusal error (high importance)" } },
{ "set": { "if": "ctx.rule.level == 14", "field": "rule.category", "value": "High importance security event" } },
{ "set": { "if": "ctx.rule.level == 15", "field": "rule.category", "value": "Severe attack" } },
{ "append": { "if": "ctx.rule.level != null", "field": "tags", "value": ["alert"] } },
{ "remove": { "field": [ "predecoder", "decoder" ], "ignore_missing": true, "ignore_failure": false } },
{ "pipeline": { "name": "common" } }
]
}

12
salt/elasticsearch/files/ingest/strelka.file Normal file
View File

@@ -0,0 +1,12 @@
{
"description" : "strelka",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.file", "target_field": "file", "ignore_missing": true } },
{ "rename": { "field": "message2.scan", "target_field": "scan", "ignore_missing": true } },
{ "rename": { "field": "message2.request", "target_field": "request", "ignore_missing": true } },
{ "rename": { "field": "scan.hash", "target_field": "file.hash", "ignore_missing": true } },
{ "remove": { "field": ["host", "path"], "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]
}

11
salt/elasticsearch/files/ingest/suricata.alert Normal file
View File

@@ -0,0 +1,11 @@
{
"description" : "suricata.alert",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename":{ "field": "message2.comunity_id", "target_field": "network.comunity_id", "ignore_failure": true } },
{ "rename":{ "field": "message2.alert", "target_field": "rule", "ignore_failure": true } },
{ "rename":{ "field": "rule.signature", "target_field": "rule.name", "ignore_failure": true } },
{ "rename":{ "field": "rule.ref", "target_field": "rule.version", "ignore_failure": true } },
{ "pipeline": { "name": "suricata.common" } }
]
}

14
salt/elasticsearch/files/ingest/suricata.common Normal file
View File

@@ -0,0 +1,14 @@
{
"description" : "suricata.common",
"processors" : [
{ "rename":{ "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } },
{ "rename":{ "field": "message2.flow_id", "target_field": "event.id", "ignore_failure": true } },
{ "rename":{ "field": "message2.comunity_id", "target_field": "network.comunity_id", "ignore_failure": true } },
{ "rename":{ "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } },
{ "rename":{ "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } },
{ "rename":{ "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } },
{ "rename":{ "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } },
{ "remove": { "field": ["message2"], "ignore_failure": true } },
{ "pipeline": { "name": "common" } }
]
}

4
salt/elasticsearch/files/ingest/zeek.common
View File

@@ -1,7 +1,7 @@
{
"description" : "zeek.common",
"processors" : [
{ "rename": { "field": "@timestamp", "target_field": "es.timestamp", "ignore_missing": true } },
{ "rename": { "field": "@timestamp", "target_field": "ingest.timestamp", "ignore_missing": true } },
{ "rename": { "field": "message2.uid", "target_field": "log.id.uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
@@ -15,8 +15,6 @@
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "set": { "field": "server.port", "value": "{{destination.port}}" } },
{ "set": { "field": "event.module", "value": "zeek" } },
{ "grok": { "field": "event_type", "patterns": ["zeek.%{WORD:event.dataset}"] } },
{ "date": { "field": "message2.ts", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "ignore_failure": true } },
{ "remove": { "field": ["message2.ts", "path"], "ignore_failure": true } },
{ "pipeline": { "name": "common" } }

16
salt/elasticsearch/files/ingest/zeek.conn
View File

@@ -1,7 +1,7 @@
{
"description" : "zeek.conn",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": false } },
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.service", "target_field": "network.protocol", "ignore_missing": true } },
@@ -21,20 +21,6 @@
{ "rename": { "field": "message2.orig_cc", "target_field": "client.country_code","ignore_missing": true } },
{ "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } },
{ "rename": { "field": "message2.sensorname", "target_field": "observer.name", "ignore_missing": true } },
{ "script": { "lang": "painless", "source": "ctx.connection.bytes.total = (ctx.client.bytes + ctx.server.bytes)", "ignore_failure": true } },
{ "set": { "if": "ctx.connection.state == 'S0'", "field": "connection.state_description", "value": "Connection attempt seen, no reply" } },
{ "set": { "if": "ctx.connection.state == 'S1'", "field": "connection.state_description", "value": "Connection established, not terminated" } },
{ "set": { "if": "ctx.connection.state == 'S2'", "field": "connection.state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } },
{ "set": { "if": "ctx.connection.state == 'S3'", "field": "connection.state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } },
{ "set": { "if": "ctx.connection.state == 'SF'", "field": "connection.state_description", "value": "Normal SYN/FIN completion" } },
{ "set": { "if": "ctx.connection.state == 'REJ'", "field": "connection.state_description", "value": "Connection attempt rejected" } },
{ "set": { "if": "ctx.connection.state == 'RSTO'", "field": "connection.state_description", "value": "Connection established, originator aborted (sent a RST)" } },
{ "set": { "if": "ctx.connection.state == 'RSTR'", "field": "connection.state_description", "value": "Established, responder aborted" } },
{ "set": { "if": "ctx.connection.state == 'RSTOS0'","field": "connection.state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } },
{ "set": { "if": "ctx.connection.state == 'RSTRH'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } },
{ "set": { "if": "ctx.connection.state == 'SH'", "field": "connection.state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
{ "set": { "if": "ctx.connection.state == 'SHR'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
{ "set": { "if": "ctx.connection.state == 'OTH'", "field": "connection.state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
{ "pipeline": { "name": "zeek.common" } }
]
}

5
salt/elasticsearch/files/ingest/zeek.dpd
View File

@@ -3,7 +3,6 @@
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
@@ -13,8 +12,8 @@
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.analyzer", "target_field": "analyzer", "ignore_missing": true } },
{ "rename": { "field": "message2.failure_reason", "target_field": "failure_reason", "ignore_missing": true } },
{ "rename": { "field": "message2.analyzer", "target_field": "observer.analyzer", "ignore_missing": true } },
{ "rename": { "field": "message2.failure_reason", "target_field": "error.reason", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

1
salt/elasticsearch/files/ingest/zeek.tunnel
View File

@@ -2,7 +2,6 @@
"description" : "zeek.tunnel",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "set": { "field": "event_type", "value": "zeek.tunnels" } },
{ "pipeline": { "name": "zeek.tunnels" } }
]
}

4
salt/elasticsearch/files/ingest/zeek.tunnels
View File

@@ -12,8 +12,8 @@
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.tunnel_type", "target_field": "tunnel_type", "ignore_missing": true } },
{ "rename": { "field": "message2.action", "target_field": "action", "ignore_missing": true } },
{ "rename": { "field": "message2.tunnel_type", "target_field": "tunnel.type", "ignore_missing": true } },
{ "rename": { "field": "message2.action", "target_field": "event.action", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

1
salt/elasticsearch/files/ingest/zeek.weird
View File

@@ -2,7 +2,6 @@
"description" : "zeek.weird",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.name", "target_field": "weird.name", "ignore_missing": true } },
{ "rename": { "field": "message2.addl", "target_field": "weird.additional_info", "ignore_missing": true } },
{ "rename": { "field": "message2.notice", "target_field": "weird.notice", "ignore_missing": true } },

6
salt/elasticsearch/init.sls
View File

@@ -143,3 +143,9 @@ so-elasticsearch-pipelines-file:
so-elasticsearch-pipelines:
cmd.run:
- name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ esclustername }}
so-elasticsearch-templates:
cmd.run:
- name: /usr/sbin/so-elasticsearch-templates
- cwd: /

92
salt/filebeat/etc/filebeat.yml
View File

@@ -80,9 +80,13 @@ filebeat.prospectors:
paths:
- /nsm/zeek/logs/current/{{ LOGNAME }}.log
fields:
type: bro_{{ LOGNAME }}
module: zeek
dataset: {{ LOGNAME }}
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
tags: ["bro"]
clean_removed: false
close_removed: false
@@ -93,8 +97,13 @@ filebeat.prospectors:
paths:
- /suricata/eve.json
fields:
type: ids
engine: suricata
module: suricata
dataset: alert
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
clean_removed: false
close_removed: false
@@ -106,19 +115,25 @@ filebeat.prospectors:
paths:
- /wazuh/alerts/alerts.json
fields:
type: ossec
module: ossec
dataset: alert
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
clean_removed: false
close_removed: false
- type: log
paths:
- /wazuh/archives/archives.json
fields:
type: ossec_archive
fields_under_root: true
clean_removed: false
close_removed: false
# - type: log
# paths:
# - /wazuh/archives/archives.json
# fields:
# type: ossec_archive
# fields_under_root: true
# clean_removed: false
# close_removed: false
{%- endif %}
@@ -129,6 +144,11 @@ filebeat.prospectors:
- /osquery/logs/result.log
fields:
type: osquery
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
clean_removed: false
close_removed: false
@@ -141,34 +161,56 @@ filebeat.prospectors:
paths:
- /opt/so/log/strelka/strelka.log
fields:
type: strelka
module: strelka
dataset: file
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
clean_removed: false
close_removed: false
{%- endif %}
#----------------------------- Logstash output ---------------------------------
output.logstash:
# Boolean flag to enable or disable the output module.
output.elasticsearch:
enabled: true
hosts: ["{{ MASTER }}:9200"]
pipelines:
- pipeline: "%{[module]}.%{[dataset]}"
indices:
- index: "so-zeek-%{+yyyy.MM.dd}"
when.contains:
module: "zeek"
- index: "so-ids-%{+yyyy.MM.dd}"
when.contains:
module: "suricata"
- index: "so-ossec-%{+yyyy.MM.dd}"
when.contains:
module: "ossec"
#output.logstash:
# Boolean flag to enable or disable the output module.
#enabled: true
# The Logstash hosts
hosts: ["{{ MASTER }}:5644"]
#hosts: ["{{ MASTER }}:5644"]
# Number of workers per Logstash host.
worker: 1
#worker: 1
# Set gzip compression level.
compression_level: 3
#compression_level: 3
# Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
ssl.enabled: true
#ssl.enabled: true
# Configure SSL verification mode. If `none` is configured, all server hosts
# and certificates will be accepted. In this mode, SSL based connections are
# susceptible to man-in-the-middle attacks. Use only for testing. Default is
# `full`.
ssl.verification_mode: full
#ssl.verification_mode: full
# List of supported/valid TLS versions. By default all TLS versions 1.0 up to
# 1.2 are enabled.
@@ -176,16 +218,14 @@ output.logstash:
# Optional SSL configuration options. SSL is off by default.
# List of root certificates for HTTPS server verifications
ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
#ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
# Certificate for SSL client authentication
ssl.certificate: "/usr/share/filebeat/filebeat.crt"
#ssl.certificate: "/usr/share/filebeat/filebeat.crt"
# Client Certificate Key
ssl.key: "/usr/share/filebeat/filebeat.key"
#ssl.key: "/usr/share/filebeat/filebeat.key"
# Elasticsearch template settings
#setup.template.settings:
# A dictionary of settings to place into the settings.index dictionary
# of the Elasticsearch template. For more details, please check

1288
salt/logstash/pipelines/templates/so/beats-template.json
View File

File diff suppressed because it is too large Load Diff

3619
salt/logstash/pipelines/templates/so/logstash-bro-template.json
View File

File diff suppressed because it is too large Load Diff

3486
salt/logstash/pipelines/templates/so/logstash-ossec-template.json
View File

File diff suppressed because it is too large Load Diff

24
salt/logstash/pipelines/templates/so/logstash-strelka-template.json
View File

@@ -1,24 +0,0 @@
{
"index_patterns": ["logstash-strelka-*"],
"version":50001,
"order" : 0,
"settings":{
"number_of_replicas":0,
"number_of_shards":1,
"index.refresh_interval":"30s"
},
"mappings":{
"doc":{
"dynamic": false,
"date_detection": false,
"properties":{
"@timestamp":{
"type":"date"
},
"@version":{
"type":"keyword"
}
}
}
}
}

3619
salt/logstash/pipelines/templates/so/logstash-template.json
View File

File diff suppressed because it is too large Load Diff

355
salt/logstash/pipelines/templates/so/so-common-template.json Normal file
View File

@@ -0,0 +1,355 @@
{
"index_patterns": ["so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-ossec-*", "so-strelka", "so-beats-*"],
"version":50001,
"order" : 10,
"settings":{
"number_of_replicas":0,
"number_of_shards":1,
"index.refresh_interval":"30s"
},
"mappings":{
"doc":{
"dynamic": false,
"date_detection": false,
"properties":{
"@timestamp":{
"type":"date"
},
"@version":{
"type":"keyword"
},
"geoip":{
"dynamic":true,
"properties":{
"ip":{
"type":"ip"
},
"location":{
"type":"geo_point"
},
"latitude":{
"type":"half_float"
},
"longitude":{
"type":"half_float"
}
}
},
"destination_geo":{
"dynamic":true,
"properties":{
"ip":{
"type":"ip"
},
"location":{
"type":"geo_point"
},
"latitude":{
"type":"half_float"
},
"longitude":{
"type":"half_float"
}
}
},
"source_geo":{
"dynamic":true,
"properties":{
"ip":{
"type":"ip"
},
"location":{
"type":"geo_point"
},
"latitude":{
"type":"half_float"
},
"longitude":{
"type":"half_float"
}
}
},
"agent":{
"type":"object",
"dynamic": true
},
"as":{
"type":"object",
"dynamic": true
},
"alert":{
"type":"object",
"dynamic": true
},
"client":{
"type":"object",
"dynamic": true
},
"cloud":{
"type":"object",
"dynamic": true
},
"code_signature":{
"type":"object",
"dynamic": true
},
"connection":{
"type":"object",
"dynamic": true
},
"container":{
"type":"object",
"dynamic": true
},
"data":{
"type":"object",
"dynamic": true
},
"dce_rpc":{
"type":"object",
"dynamic": true
},
"destination":{
"type":"object",
"dynamic": true
},
"dhcp":{
"type":"object",
"dynamic": true
},
"dnp3":{
"type":"object",
"dynamic": true
},
"dns":{
"type":"object",
"dynamic": true
},
"dll":{
"type":"object",
"dynamic": true
},
"ecs":{
"type":"object",
"dynamic": true
},
"error":{
"type":"object",
"dynamic": true
},
"event":{
"type":"object",
"dynamic": true
},
"file":{
"type":"object",
"dynamic": true
},
"flow":{
"type":"object",
"dynamic": true
},
"ftp":{
"type":"object",
"dynamic": true
},
"geo":{
"type":"object",
"dynamic": true
},
"group":{
"type":"object",
"dynamic": true
},
"hash":{
"type":"object",
"dynamic": true
},
"host":{
"type":"object",
"dynamic": true
},
"http":{
"type":"object",
"dynamic": true
},
"ingest":{
"type":"object",
"dynamic": true
},
"interface":{
"type":"object",
"dynamic": true
},
"kerberos":{
"type":"object",
"dynamic": true
},
"log":{
"type":"object",
"dynamic": true
},
"manager":{
"type":"object",
"dynamic": true
},
"modbus":{
"type":"object",
"dynamic": true
},
"network":{
"type":"object",
"dynamic": true
},
"ntlm":{
"type":"object",
"dynamic": true
},
"observer":{
"type":"object",
"dynamic": true
},
"organization":{
"type":"object",
"dynamic": true
},
"os":{
"type":"object",
"dynamic": true
},
"package":{
"type":"object",
"dynamic": true
},
"pe":{
"type":"object",
"dynamic": true
},
"process":{
"type":"object",
"dynamic": true
},
"radius":{
"type":"object",
"dynamic": true
},
"rdp":{
"type":"object",
"dynamic": true
},
"registry":{
"type":"object",
"dynamic": true
},
"related":{
"type":"object",
"dynamic": true
},
"rfb":{
"type":"object",
"dynamic": true
},
"rule":{
"type":"object",
"dynamic": true
},
"server":{
"type":"object",
"dynamic": true
},
"service":{
"type":"object",
"dynamic": true
},
"sip":{
"type":"object",
"dynamic": true
},
"smb":{
"type":"object",
"dynamic": true
},
"smtp":{
"type":"object",
"dynamic": true
},
"snmp":{
"type":"object",
"dynamic": true
},
"socks":{
"type":"object",
"dynamic": true
},
"software":{
"type":"object",
"dynamic": true
},
"source":{
"type":"object",
"dynamic": true
},
"ssh":{
"type":"object",
"dynamic": true
},
"ssl":{
"type":"object",
"dynamic": true
},
"tags":{
"type":"text",
"fields":{
"keyword":{
"type":"keyword"
}
}
},
"threat":{
"type":"object",
"dynamic": true
},
"tls":{
"type":"object",
"dynamic": true
},
"trace":{
"type":"object",
"dynamic": true
},
"tunnel":{
"type":"object",
"dynamic": true
},
"user":{
"type":"object",
"dynamic": true
},
"user_agent":{
"type":"object",
"dynamic": true
},
"version":{
"type":"object",
"dynamic": true
},
"vlan":{
"type":"object",
"dynamic": true
},
"vulnerability":{
"type":"object",
"dynamic": true
},
"weird":{
"type":"object",
"dynamic": true
},
"x509":{
"type":"object",
"dynamic": true
}
}
}
}
}

3466
salt/logstash/pipelines/templates/so/so-ossec-template.json
View File

File diff suppressed because it is too large Load Diff

24
salt/logstash/pipelines/templates/so/so-strelka-template.json
View File

@@ -1,24 +0,0 @@
{
"index_patterns": ["so-strelka-*"],
"version":50001,
"order" : 0,
"settings":{
"number_of_replicas":0,
"number_of_shards":1,
"index.refresh_interval":"30s"
},
"mappings":{
"doc":{
"dynamic": false,
"date_detection": false,
"properties":{
"@timestamp":{
"type":"date"
},
"@version":{
"type":"keyword"
}
}
}
}
}

3600
salt/logstash/pipelines/templates/so/so-template.json
View File

File diff suppressed because it is too large Load Diff

3591
salt/logstash/pipelines/templates/so/so-zeek-template.json
View File

File diff suppressed because it is too large Load Diff

2
salt/top.sls
View File

@@ -60,7 +60,7 @@ base:
- wazuh
{%- endif %}
- elasticsearch
- logstash
- filebeat
- kibana
- pcap
- suricata