From 84e54a8faef8a716b287a7cd10d051bca150d1de Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 11 Mar 2020 12:09:34 +0000 Subject: [PATCH 1/5] update Eval pillar
---
pillar/logstash/eval.sls | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/pillar/logstash/eval.sls b/pillar/logstash/eval.sls
index f6cf222b3..df804440c 100644
--- a/pillar/logstash/eval.sls
+++ b/pillar/logstash/eval.sls
@@ -5,11 +5,6 @@ logstash:
 - so/0800_input_eval.conf
 - so/1002_preprocess_json.conf
 - so/1033_preprocess_snort.conf
- - so/6500_ossec.conf
- - so/6501_ossec_sysmon.conf
- - so/6502_ossec_autoruns.conf
- - so/6600_winlogbeat_sysmon.conf
- - so/6700_winlogbeat.conf
 - so/7100_osquery_wel.conf
 - so/8999_postprocess_rename_type.conf
 - so/9000_output_bro.conf.jinja
@@ -21,8 +16,8 @@ logstash:
 - so/9600_output_ossec.conf.jinja
 - so/9700_output_strelka.conf.jinja
 templates:
- - so/beats-template.json
- - so/logstash-ossec-template.json
- - so/logstash-strelka-template.json
- - so/logstash-template.json
- - so/logstash-bro-template.json
+ - so/so-beats-template.json
+ - so/so-ossec-template.json
+ - so/so-strelka-template.json
+ - so/so-template.json
+ - so/so-zeek-template.json
From 70e78a064297f445f647ca60fcdf61519a4067f5 Mon Sep 17 00:00:00 2001
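Review bot: The OSSEC and Winlogbeat parsing stages (`so/6500_ossec.conf` through `so/6700_winlogbeat.conf`) are dropped from the Eval pipeline while `so/9600_output_ossec.conf.jinja` and the `so-ossec` and `so-beats` index templates stay, so Wazuh/OSSEC and Winlogbeat events would still be routed to those indices but without the field normalisation those filters applied — unless that parsing now happens elsewhere, which this hunk does not show. If the move is intentional, a one-line comment in the pillar above the config list saying where those sources are now parsed would stop the next reader from re-adding them. The template renames only take effect if the `9xxx_output_*.conf.jinja` outputs reference the new `so-*-template.json` paths; those files are not in this hunk, and a stale `template =>` path would either fail the output at startup or leave the index on default dynamic mapping, depending on the plugin version.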
From: Wes Lambert Date: Wed, 11 Mar 2020 12:12:32 +0000 Subject: [PATCH 2/5] add renamed templates
---
.../templates/so/so-beats-template.json | 1288 ++++++ .../templates/so/so-ossec-template.json | 3466 ++++++++++++++++ .../templates/so/so-strelka-template.json | 24 + .../pipelines/templates/so/so-template.json | 3600 +++++++++++++++++ .../templates/so/so-zeek-template.json | 3599 ++++++++++++++++ 5 files changed, 11977 insertions(+) create mode 100644 salt/logstash/pipelines/templates/so/so-beats-template.json create mode 100644 salt/logstash/pipelines/templates/so/so-ossec-template.json create mode 100644 salt/logstash/pipelines/templates/so/so-strelka-template.json create mode 100644 salt/logstash/pipelines/templates/so/so-template.json create mode 100644 salt/logstash/pipelines/templates/so/so-zeek-template.json
diff --git a/salt/logstash/pipelines/templates/so/so-beats-template.json b/salt/logstash/pipelines/templates/so/so-beats-template.json
new file mode 100644
index 000000000..f6a9c2d27
--- /dev/null
+++ b/salt/logstash/pipelines/templates/so/so-beats-template.json
@@ -0,0 +1,1288 @@ +{ + "index_patterns": [ + "so-beats-*" + ], + "mappings": { + "doc": { + "_meta": { + "version": "6.1.3" + }, + "date_detection": false, + "dynamic_templates": [ + { + "fields": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "fields.*" + } + }, + { + "docker.container.labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "docker.container.labels.*" + } + }, + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "@timestamp": { + "type": "date" + }, + "event_data": { + "type":"object", + "dynamic": true + }, + "beat_host": { + "type":"object", + "dynamic": true + }, + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "beat": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "username":{ + "type":"text", + "fields": { + "keyword":{ + "type":"keyword" + } + } + }, + "computer_name": { + "type": "text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "docker": { + "properties": { + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "error": { + "properties": { + "code": { + "type": "long" + }, + "message": { + "norms": false, + "type": "text" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event_id": { + "type": "long" + }, + "fields": { + "type": "object" + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "kubernetes": { + 
"properties": { + "annotations": { + "type": "object" + }, + "container": { + "properties": { + "image": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "pod": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "message_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "meta": { + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "process_id": { + "type": "long" + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "record_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread_id": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "type": "keyword" + }, + "identifier": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + 
"type": { + "type": "keyword" + } + } + }, + "user_data": { + "type": "object", + "dynamic": "true" + }, + "version": { + "type": "keyword" + }, + "xml": { + "norms": false, + "type": "text" + }, + "apache2": { + "properties": { + "access": { + "properties": { + "agent": { + "norms": false, + "type": "text" + }, + "body_sent": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "geoip": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "http_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "response_code": { + "type": "long" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "properties": { + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "major": { + "type": "long" + }, + "minor": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_major": { + "type": "long" + }, + "os_minor": { + "type": "long" + }, + "os_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "patch": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "type": "long" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "pid": { + "type": "long" + }, + "tid": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "auditd": { + "properties": { + "log": { + "properties": { + "a0": { + "ignore_above": 1024, + "type": "keyword" + }, + "acct": { + "ignore_above": 1024, + "type": "keyword" + }, + "geoip": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "item": { + "ignore_above": 1024, + "type": "keyword" + }, + "items": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_auid": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_ses": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_auid": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_ses": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ppid": { + "ignore_above": 1024, + "type": "keyword" + }, + "record_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "res": { + "ignore_above": 1024, + "type": "keyword" + }, + "sequence": { + "type": "long" + } + } + } + } + }, + "fileset": { + "properties": { + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "icinga": { + "properties": { + "debug": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "main": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" 
+ } + } + }, + "startup": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "kafka": { + "properties": { + "log": { + "properties": { + "class": { + "norms": false, + "type": "text" + }, + "component": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "timestamp": { + "ignore_above": 1024, + "type": "keyword" + }, + "trace": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "norms": false, + "type": "text" + }, + "message": { + "norms": false, + "type": "text" + } + } + } + } + } + } + }, + "logstash": { + "properties": { + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_event": { + "type": "object" + }, + "message": { + "norms": false, + "type": "text" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "norms": false, + "type": "text" + } + } + }, + "slowlog": { + "properties": { + "event": { + "norms": false, + "type": "text" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_params": { + "norms": false, + "type": "text" + }, + "plugin_params_object": { + "type": "object" + }, + "plugin_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "norms": false, + "type": "text" + }, + "took_in_millis": { + "type": "long" + }, + "took_in_nanos": { + "type": "long" + } + } + } + } + }, + "mysql": { + "properties": { + "error": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + 
"norms": false, + "type": "text" + }, + "thread_id": { + "type": "long" + }, + "timestamp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "type": "long" + }, + "ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "lock_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "query_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "rows_examined": { + "type": "long" + }, + "rows_sent": { + "type": "long" + }, + "timestamp": { + "type": "long" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "nginx": { + "properties": { + "access": { + "properties": { + "agent": { + "norms": false, + "type": "text" + }, + "body_sent": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "geoip": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "http_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "response_code": { + "type": "long" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "properties": { + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "major": { + "type": "long" + }, + "minor": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_major": { + "type": "long" + }, + 
"os_minor": { + "type": "long" + }, + "os_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "patch": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "connection_id": { + "type": "long" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "pid": { + "type": "long" + }, + "tid": { + "type": "long" + } + } + } + } + }, + "offset": { + "type": "long" + }, + "postgresql": { + "properties": { + "log": { + "properties": { + "database": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "float" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread_id": { + "type": "long" + }, + "timestamp": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "prospector": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "read_timestamp": { + "ignore_above": 1024, + "type": "keyword" + }, + "redis": { + "properties": { + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "pid": { + "type": "long" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "properties": { + "us": { + "type": "long" + } + } + }, + "id": { + "type": "long" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "stream": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "system": { + "properties": { + "auth": { + "properties": { + "groupadd": { + "properties": { + "gid": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "program": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssh": { + "properties": { + "dropped_ip": { + "type": "ip" + }, + "event": { + "ignore_above": 1024, + "type": "keyword" + }, + "geoip": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "signature": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sudo": { + "properties": { + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "ignore_above": 1024, + "type": "keyword" + }, + "pwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "timestamp": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "useradd": { + "properties": { + "gid": { + "type": "long" + }, + "home": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "shell": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "type": "long" + } + } + } + } + }, + "syslog": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "ignore_above": 1024, + "type": "keyword" + }, + "program": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "traefik": { + "properties": { + "access": { + "properties": { + "agent": { + "norms": false, + "type": "text" + }, + "backend_url": { + "norms": false, + "type": "text" + }, + "body_sent": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "frontend_name": { + "norms": false, + "type": "text" + }, + "geoip": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "http_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_count": { + "type": "long" + }, + "response_code": { + "type": "long" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "properties": { + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "major": { + "type": "long" + }, + "minor": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_major": { + "type": "long" + }, + "os_minor": { + "type": "long" + }, + "os_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "patch": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + }, + "order": 1, + "settings": { + "index": { + "mapping": { + 
"total_fields": { + "limit": 10000 + } + }, + "number_of_replicas": 0, + "number_of_shards": 1, + "refresh_interval": "30s" + } + } +} diff --git a/salt/logstash/pipelines/templates/so/so-ossec-template.json b/salt/logstash/pipelines/templates/so/so-ossec-template.json new file mode 100644 index 000000000..8012eced8 --- /dev/null +++ b/salt/logstash/pipelines/templates/so/so-ossec-template.json 
@@ -0,0 +1,3466 @@ +{ + "index_patterns": ["so-ossec*"], + "version":50001, + "order" : 1, + "settings":{ + "index": { + "mapping": { + "total_fields": { + "limit": 10000 + } + } + }, + "number_of_replicas":0, + "number_of_shards":1, + "index.refresh_interval":"30s" + }, + "mappings":{ + "doc":{ + "dynamic": false, + "date_detection": false, + "properties":{ + "@timestamp":{ + "type":"date" + }, + "@version":{ + "type":"keyword" + }, + "geoip":{ + "dynamic":true, + "properties":{ + "ip":{ + "type":"ip" + }, + "location":{ + "type":"geo_point" + }, + "latitude":{ + "type":"half_float" + }, + "longitude":{ + "type":"half_float" + } + } + }, + "destination_geo":{ + "dynamic":true, + "properties":{ + "ip":{ + "type":"ip" + }, + "location":{ + "type":"geo_point" + }, + "latitude":{ + "type":"half_float" + }, + "longitude":{ + "type":"half_float" + } + } + }, + "source_geo":{ + "dynamic":true, + "properties":{ + "ip":{ + "type":"ip" + }, + "location":{ + "type":"geo_point" + }, + "latitude":{ + "type":"half_float" + }, + "longitude":{ + "type":"half_float" + } + } + }, + "signature_info":{ + "type":"keyword" + }, + "aa":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ack":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "action":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "additional_info":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "age":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "agent":{ + "type":"object", + "dynamic": true + }, + "alert":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "alert_level":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "analyzer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "answers":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + 
"assigned_ip":{ + "type":"ip", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "auth":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "authentication_attempts":{ + "type":"long" + }, + "authentication_method":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "authentication_success":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "basic_constraints":{ + "type":"object", + "properties":{ + "path_len": { + "type": "text" + } + } + }, + "basic_constraints_ca":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "basic_constraints_path_length":{ + "type":"long" + }, + "bound_port":{ + "type":"long" + }, + "call_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "category":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "cc":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_chain_count":{ + "type":"long" + }, + "certificate_chain_fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_common_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_common_name_frequency_score":{ + "type":"long" + }, + "certificate_common_name_length":{ + "type":"long" + }, + "certificate_count":{ + "type":"long" + }, + "certificate_country_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_curve":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_exponent":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_issuer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_key_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_key_length":{ + 
"type":"long" + }, + "certificate_key_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_locality":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_not_valid_after":{ + "type":"date" + }, + "certificate_not_valid_before":{ + "type":"date" + }, + "certificate_number_days_valid":{ + "type":"long" + }, + "certificate_organization":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_organization_unit":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_permanent":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_serial":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_serial_number":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_signing_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_state":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "checksum":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "cipher":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "cipher_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "class":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "classification":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client":{ + "type":"object", + "dynamic": true + }, + "client_build":{ + "type":"text", + 
"fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_certificate_chain_fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_certificate_subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_certificate_fuid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_digital_product_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_issuer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_major_version":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_minor_version":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "command":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "community":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "company":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "compile_ts":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "compression_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "connect_info":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "connection_state":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "connection_state_description":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "content_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "cookie":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "creation_date":{ + "type":"date" + }, + 
"creation_time":{ + "type":"date" + }, + "current_directory":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "curve":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "data":{ + "type":"object", + "dynamic": true + }, + "data_channel_destination_ip":{ + "type":"ip" + }, + "data_channel_destination_port":{ + "type":"long" + }, + "data_channel_passive":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "data_channel_source_ip":{ + "type":"ip" + }, + "data_length":{ + "type":"long" + }, + "date":{ + "type":"text" + }, + "dcc_file_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "dcc_file_size":{ + "type":"long" + }, + "dcc_mime_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "decoder":{ + "type":"object", + "dynamic": true + }, + "depth":{ + "type":"long" + }, + "description":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "desktop_height":{ + "type":"long" + }, + "desktop_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "desktop_width":{ + "type":"long" + }, + "dest_is_ipv6":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_city":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.city_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.continent_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.dma_code":{ + "type":"long" + }, + "destination_geo.ip":{ + "type":"ip" + }, + "destination_geo.latitude":{ + "type":"long" + }, + "destination_geo.location":{ + "type":"geo_point" + }, + "destination_geo.longitude":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.postal_code":{ + "type":"text", + "fields":{ + 
"keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.region_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.country_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.region_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.timezone":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_hostname":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_ip":{ + "type":"ip" + }, + "destination_ips":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_latitude":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_longitude":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_port":{ + "type":"long" + }, + "destination_port_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_region":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "details":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "dir":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "direction":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "display_string":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "domain_age":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "domain_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "dropped":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "duration":{ + "type":"long" + }, + "valid_from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "enabled":{ + "type":"text", + "fields":{ + 
"keyword":{ + "type":"keyword" + } + } + }, + "encryption_level":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "encryption_method":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "endpoint":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "entry":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "entry_location":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "error_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "escalated_user":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "established":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "event_id":{ + "type":"long" + }, + "event_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "event_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "exception":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "extracted":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "extracted_cutoff":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "facility":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "fc_reply":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "fc_request":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_description":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_ip":{ + "type":"ip", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_mime_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_size":{ + "type":"long" 
+ }, + "first_received":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "flow_label":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "forwardable":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "framed_addr":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "freq_virtual_host":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "frequency_scores":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ftp_argument":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ftp_command":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "fuid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "full_log":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "function":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "geoip.ip":{ + "type":"ip" + }, + "geoip.latitude":{ + "type":"long" + }, + "geoip.location":{ + "type":"geo_point" + }, + "geoip.longitude":{ + "type":"long" + }, + "get_bulk_requests":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "get_requests":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "get_responses":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "gid":{ + "type":"long" + }, + "has_cert_table":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "has_debug_data":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "has_export_table":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + 
"has_import_table":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "height":{ + "type":"long" + }, + "helo":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "highest_registered_domain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "highest_registered_domain_frequency_score":{ + "type":"long" + }, + "history":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hop_limit":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "host":{ + "type":"object", + "dynamic": true + }, + "host_key":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "host_key_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hostname":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "iin":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "image_path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "in_reply_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "indicator":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "indicator_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "info_code":{ + "type":"long" + }, + "info_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "initiated":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "integrity_level":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "interface":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ip_version":{ + "type":"long" + }, + "ipv4_ecn":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + 
}, + "ips":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_flags":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_offset":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_protocol":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_protocol_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_protocol_length":{ + "type":"long" + }, + "ipv4_tos":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_ttl":{ + "type":"long" + }, + "irc_command":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "irc_username":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_64bit":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_exe":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_orig":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_source_ipv6":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_webmail":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_common_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_common_name_frequency_score":{ + "type":"long" + }, + "issuer_common_name_length":{ + "type":"long" + }, + "issuer_country_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_distinguished_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_locality":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_organization":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + 
} + } + }, + "issuer_organization_frequency_score":{ + "type":"long" + }, + "issuer_organization_unit":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_serial_number":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_state":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "kerberos_success":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "kex_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "keyboard_layout":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "last_alert":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "last_reply":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "launch_string":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "lease_time":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "length":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "local_orig":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "local_respond":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "location":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "log_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "log_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "logged":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "logon_guid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "logon_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "logstash_time":{ + "type":"long" + }, + "mac":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + 
}, + "mac_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "machine":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mail_date":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mail_from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "manager":{ + "type":"object", + "dynamic": true + }, + "matched":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "md5":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "message_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "method":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mimetype":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "missed_bytes":{ + "type":"long" + }, + "missing_bytes":{ + "type":"long" + }, + "msg":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mysql_argument":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mysql_command":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mysql_success":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "n":{ + "type":"long" + }, + "name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "named_pipe":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "native_file_system":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "next_protocol":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "nick":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "note":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } 
+ }, + "notice":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ntlm_success":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "num_packets":{ + "type":"long" + }, + "object_size":{ + "type":"long" + }, + "operation":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "options":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "orig_filenames":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "orig_fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "orig_mime_types":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "original_bytes":{ + "type":"long" + }, + "original_country_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "original_ip_bytes":{ + "type":"long" + }, + "original_packets":{ + "type":"long" + }, + "os":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ossec_agent_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ossec_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "overflow_bytes":{ + "type":"long" + }, + "p":{ + "type":"long" + }, + "parent_domain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "parent_domain_frequency_score":{ + "type":"long" + }, + "parent_domain_length":{ + "type":"long" + }, + "parent_image_path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "parent_process_guid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "parent_process_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "parent_process_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "password":{ + "type":"text", + "fields":{ + "keyword":{ + 
"type":"keyword" + } + } + }, + "path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "peer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "peer_description":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "pesha1":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "pesha256":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "pid":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "port":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "predecoder":{ + "type":"object", + "dynamic": true + }, + "prev_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "priority":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "process_arguments":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "process_guid":{ + "type":"long" + }, + "process_id":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "process_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "profile":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "program":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "protocol":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "protocol_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "protocol_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "proxied":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "query":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "query_class":{ + "type":"long" + }, + "query_class_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + 
} + }, + "query_length":{ + "type":"long" + }, + "query_type":{ + "type":"long" + }, + "query_type_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ra":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rcode":{ + "type":"long" + }, + "rcode_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rd":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "reason":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "recipient_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "referrer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rejected":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "remote_ip":{ + "type":"ip" + }, + "remote_location":{ + "type":"object", + "properties":{ + "country_code": { + "type": "text" + } + } + }, + "renewable":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "reply_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "reply_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "reply_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_body_len":{ + "type":"long" + }, + "request_body_length":{ + "type":"long" + }, + "request_from":{ + "type":"text" + }, + "request_path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_port":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "requested_color_depth":{ + 
"type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "requested_resource":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "resp_filenames":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "resp_fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "resp_mime_types":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "respond_bytes":{ + "type":"long" + }, + "respond_country_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "respond_ip_bytes":{ + "type":"long" + }, + "respond_packets":{ + "type":"long" + }, + "response":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "response_body_len":{ + "type":"long" + }, + "response_body_length":{ + "type":"long" + }, + "response_from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "response_path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "response_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "result":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "resumed":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rev":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rig":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rows":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rtt":{ + "type":"float", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "wazuh-rule":{ + "type":"object", + "dynamic": true + }, + "rule_number":{ + "type":"long" + }, + "rule_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "san_dns":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "second_received":{ + 
"type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "section_names":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "security_protocol":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "seen_bytes":{ + "type":"long" + }, + "seen_node":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "seen_where":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sensor_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "seq":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sequence_number":{ + "type":"long" + }, + "server":{ + "type":"object", + "dynamic": true + }, + "server_certificate_fuid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_certificate_subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_major_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_minor_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_name_frequency_score":{ + "type":"long" + }, + "server_name_length":{ + "type":"long" + }, + "service":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "set_requests":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "severity":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sha1":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sha256":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "share_flag":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "share_type":{ + "type":"text", + "fields":{ + "keyword":{ + 
"type":"keyword" + } + } + }, + "sid":{ + "type":"long" + }, + "signer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "site":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "size":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "software_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.city_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.continent_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.dma_code":{ + "type":"long" + }, + "source_geo.ip":{ + "type":"ip" + }, + "source_geo.latitude":{ + "type":"long" + }, + "source_geo.location":{ + "type":"geo_point" + }, + "source_geo.longitude":{ + "type":"long" + }, + "source_geo.postal_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.region_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.region_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.timezone":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_hostname":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_ip":{ + "type":"ip" + }, + "source_ips":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_port":{ + "type":"long" + }, + "source_port_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sources":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "status":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "status_code":{ + "type":"long" + }, + "status_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "status_msg":{ + "type":"text", + 
"fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sub_msg":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sub_rule_number":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "subdomain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "subdomain_frequency_score":{ + "type":"long" + }, + "subdomain_length":{ + "type":"long" + }, + "subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "subsystem":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "suppress_for":{ + "type":"long" + }, + "syscheck":{ + "type":"object", + "dynamic": true + }, + "syslog-facility":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-file_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-host":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-host_from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-legacy_msghdr":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-pid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-priority":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-sourceip":{ + "type":"ip" + }, + "syslog-tags":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sysmon_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tags":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "target_filename":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tc":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tcp_flags":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + 
"terminal_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "valid_till":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + + "timed_out":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "times_accessed":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "times_changed":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "times_created":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "times_modified":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tld.subdomain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tls":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "top_level_domain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "total_bytes":{ + "type":"long" + }, + "tracker_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "trans_depth":{ + "type":"long" + }, + "transaction_id":{ + "type":"long" + }, + "ttls":{ + "type":"text" + }, + "tty":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tunnel_parents":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tunnel_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "unparsed_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "up_since":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } 
+ } + }, + "urg":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uri":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uri_length":{ + "type":"long" + }, + "username":{ + "type":"text", + "fields": { + "keyword":{ + "type":"keyword" + } + } + }, + "user_agent":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "useragent":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "useragent_length":{ + "type":"long" + }, + "uses_aslr":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uses_code_integrity":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uses_dep":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uses_seh":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "validation_status":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "value":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_additional_info":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_major":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_minor":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_minor2":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_minor3":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "virtual_host":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "virtual_host_frequency_score":{ + "type":"long" + }, + "virtual_host_length":{ + "type":"long" + }, + "warning":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "width":{ + 
"type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "window":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ },
+ "x_originating_ip":{
+ "type":"ip"
+ },
+ "year":{
+ "type":"long"
+ },
+ "z":{
+ "type":"text",
+ "fields":{
+ "keyword":{
+ "type":"keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/logstash/pipelines/templates/so/so-strelka-template.json b/salt/logstash/pipelines/templates/so/so-strelka-template.json
new file mode 100644
index 000000000..80d35f7e5
--- /dev/null
+++ b/salt/logstash/pipelines/templates/so/so-strelka-template.json
@@ -0,0 +1,24 @@
+{
+ "index_patterns": ["so-strelka-*"],
+ "version":50001,
+ "order" : 0,
+ "settings":{
+ "number_of_replicas":0,
+ "number_of_shards":1,
+ "index.refresh_interval":"30s"
+ },
+ "mappings":{
+ "doc":{
+ "dynamic": false,
+ "date_detection": false,
+ "properties":{
+ "@timestamp":{
+ "type":"date"
+ },
+ "@version":{
+ "type":"keyword"
+ }
+ }
+ }
+ }
+}
diff --git a/salt/logstash/pipelines/templates/so/so-template.json b/salt/logstash/pipelines/templates/so/so-template.json
new file mode 100644
index 000000000..b2d48f555
--- /dev/null
+++ b/salt/logstash/pipelines/templates/so/so-template.json
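Review bot: so-strelka-template.json sets `"dynamic": false` on the `doc` mapping but declares only `@timestamp` and `@version`, so every other field Strelka emits (hashes, scanner results, flavors) will be kept in `_source` yet never indexed, and cannot be searched, filtered or aggregated on from the so-strelka-* indices. Either enumerate the Strelka fields the pipeline produces, as the sibling so-template.json does for its sources, or deliberately set `"dynamic": true` here and note why. `"number_of_replicas":0` means an index is lost if the one node holding its shard fails; that is fine for the single-node eval pillar this patch series targets but should not be copied into a distributed deployment. The mapping is also nested under the `doc` type name, which Elasticsearch 7 and later reject for templates unless `include_type_name` is passed, so the target version is worth confirming before the template is loaded.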
@@ -0,0 +1,3600 @@ +{ + "index_patterns": ["so-ids-*", "so-firewall-*", "so-syslog-*", "so-zeek-*", "so-import-*", "so-beats-*"], + "version":50001, + "order" : 0, + "settings":{ + "number_of_replicas":0, + "number_of_shards":1, + "index.refresh_interval":"30s" + }, + "mappings":{ + "doc":{ + "dynamic": false, + "date_detection": false, + "properties":{ + "@timestamp":{ + "type":"date" + }, + "@version":{ + "type":"keyword" + }, + "geoip":{ + "dynamic":true, + "properties":{ + "ip":{ + "type":"ip" + }, + "location":{ + "type":"geo_point" + }, + "latitude":{ + "type":"half_float" + }, + "longitude":{ + "type":"half_float" + } + } + }, + "destination_geo":{ + "dynamic":true, + "properties":{ + "ip":{ + "type":"ip" + }, + "location":{ + "type":"geo_point" + }, + "latitude":{ + "type":"half_float" + }, + "longitude":{ + "type":"half_float" + } + } + }, + "source_geo":{ + "dynamic":true, + "properties":{ + "ip":{ + "type":"ip" + }, + "location":{ + "type":"geo_point" + }, + "latitude":{ + "type":"half_float" + }, + "longitude":{ + "type":"half_float" + } + } + }, + "signature_info":{ + "type":"keyword" + }, + "aa":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ack":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "action":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "additional_info":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "age":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "alert":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "alert_level":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "analyzer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "answers":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "assigned_ip":{ + "type":"ip", + "fields":{ + "keyword":{ + 
"type":"keyword" + } + } + }, + "auth":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "authentication_attempts":{ + "type":"long" + }, + "authentication_method":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "authentication_success":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "basic_constraints":{ + "type":"object", + "properties":{ + "path_len": { + "type": "text" + } + } + }, + "basic_constraints_ca":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "basic_constraints_path_length":{ + "type":"long" + }, + "bound_port":{ + "type":"long" + }, + "call_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "category":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "cc":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_chain_count":{ + "type":"long" + }, + "certificate_chain_fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_common_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_common_name_frequency_score":{ + "type":"long" + }, + "certificate_common_name_length":{ + "type":"long" + }, + "certificate_count":{ + "type":"long" + }, + "certificate_country_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_curve":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_exponent":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_issuer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_key_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_key_length":{ + "type":"long" + }, + "certificate_key_type":{ + "type":"text", + 
"fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_locality":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_not_valid_after":{ + "type":"date" + }, + "certificate_not_valid_before":{ + "type":"date" + }, + "certificate_number_days_valid":{ + "type":"long" + }, + "certificate_organization":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_organization_unit":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_permanent":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_serial":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_serial_number":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_signing_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_state":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "checksum":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "cipher":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "cipher_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "class":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "classification":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client":{ + "type":"object", + "dynamic": true + }, + "client_build":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + 
"client_certificate_chain_fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_certificate_subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_certificate_fuid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_digital_product_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_fqdn":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_issuer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_ip": { + "type":"ip", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_major_version":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_minor_version":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "command":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "community":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "company":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "compile_ts":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "compression_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "connect_info":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "connection_state":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "connection_state_description":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + 
"content_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "cookie":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "creation_date":{ + "type":"date" + }, + "creation_time":{ + "type":"date" + }, + "client_host_key_algorithms":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "current_directory":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "curve":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "data_channel_destination_ip":{ + "type":"ip" + }, + "data_channel_destination_port":{ + "type":"long" + }, + "data_channel_passive":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "data_channel_source_ip":{ + "type":"ip" + }, + "data_length":{ + "type":"long" + }, + "date":{ + "type":"text" + }, + "dcc_file_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "dcc_file_size":{ + "type":"long" + }, + "dcc_mime_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "depth":{ + "type":"long" + }, + "description":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "desktop_height":{ + "type":"long" + }, + "desktop_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "desktop_width":{ + "type":"long" + }, + "dest_is_ipv6":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination":{ + "type":"object", + "dynamic": true + }, + "destination_city":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.city_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.continent_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.dma_code":{ + "type":"long" + }, + "destination_geo.ip":{ + "type":"ip" + 
}, + "destination_geo.latitude":{ + "type":"long" + }, + "destination_geo.location":{ + "type":"geo_point" + }, + "destination_geo.longitude":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.postal_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.region_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.country_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.region_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.timezone":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_hostname":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_ip":{ + "type":"ip" + }, + "destination_ips":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_latitude":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_longitude":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_port":{ + "type":"long" + }, + "destination_port_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_region":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "details":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "dir":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "direction":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "display_string":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "domain_age":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "domain_name":{ + "type":"text", + "fields":{ + "keyword":{ + 
"type":"keyword" + } + } + }, + "dropped":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "duration":{ + "type":"long" + }, + "valid_from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "enabled":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "encryption_level":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "encryption_method":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "endpoint":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "entry":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "entry_location":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "error_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "escalated_user":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "established":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "event_id":{ + "type":"long" + }, + "event_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "event_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "exception":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "extracted":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "extracted_cutoff":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "facility":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "fc_reply":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "fc_request":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_description":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_ip":{ 
+ "type":"ip", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_mime_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_size":{ + "type":"long" + }, + "first_received":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "flow_label":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "forwardable":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "framed_addr":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "freq_virtual_host":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "frequency_scores":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ftp_argument":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ftp_command":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "fuid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "function":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "geoip.ip":{ + "type":"ip" + }, + "geoip.latitude":{ + "type":"long" + }, + "geoip.location":{ + "type":"geo_point" + }, + "geoip.longitude":{ + "type":"long" + }, + "get_bulk_requests":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "get_requests":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "get_responses":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "gid":{ + "type":"long" + }, + "has_cert_table":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } 
+ }, + "has_debug_data":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "has_export_table":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "has_import_table":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hassh":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hassh_algorithms":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hassh_server":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hassh_server_algorithms":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hassh_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "height":{ + "type":"long" + }, + "helo":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "highest_registered_domain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "highest_registered_domain_frequency_score":{ + "type":"long" + }, + "history":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hop_limit":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "host":{ + "type":"object", + "dynamic": true + }, + "host_key":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "host_key_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hostname":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "iin":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "image_path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "in_reply_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "indicator":{ + "type":"text", + 
"fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "indicator_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "info_code":{ + "type":"long" + }, + "info_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "initiated":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "integrity_level":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "interface":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ip_version":{ + "type":"long" + }, + "ipv4_ecn":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ips":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_flags":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_offset":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_protocol":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_protocol_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_protocol_length":{ + "type":"long" + }, + "ipv4_tos":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_ttl":{ + "type":"long" + }, + "irc_command":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "irc_username":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_64bit":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_exe":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_orig":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_source_ipv6":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + 
"is_webmail":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_common_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_common_name_frequency_score":{ + "type":"long" + }, + "issuer_common_name_length":{ + "type":"long" + }, + "issuer_country_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_distinguished_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_locality":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_organization":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_organization_frequency_score":{ + "type":"long" + }, + "issuer_organization_unit":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_serial_number":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_state":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ja3":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ja3s":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "kerberos_success":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "kex_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "keyboard_layout":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "last_alert":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "last_reply":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "launch_string":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "lease_time":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "length":{ + "type":"text", + "fields":{ + "keyword":{ + 
"type":"keyword" + } + } + }, + "local_orig":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "local_respond":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "location":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "log_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "log_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "logged":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "logon_guid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "logon_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "logstash_time":{ + "type":"long" + }, + "mac":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mac_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "machine":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mail_date":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mail_from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "matched":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "md5":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "message_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "message_types":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "method":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mimetype":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "missed_bytes":{ + "type":"long" + }, + "missing_bytes":{ + "type":"long" + }, + "msg":{ + 
"type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mysql_argument":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mysql_command":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mysql_success":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "n":{ + "type":"long" + }, + "name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "named_pipe":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "native_file_system":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "next_protocol":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "nick":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "note":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "notice":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ntlm_success":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "num_packets":{ + "type":"long" + }, + "object_size":{ + "type":"long" + }, + "operation":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "options":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "orig_filenames":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "orig_fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "orig_mime_types":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "original_bytes":{ + "type":"long" + }, + "original_country_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "original_ip_bytes":{ + "type":"long" + }, + "original_packets":{ + "type":"long" + }, + "os":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + 
"ossec_agent_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ossec_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "overflow_bytes":{ + "type":"long" + }, + "p":{ + "type":"long" + }, + "parent_domain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "parent_domain_frequency_score":{ + "type":"long" + }, + "parent_domain_length":{ + "type":"long" + }, + "parent_image_path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "parent_process_guid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "parent_process_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "parent_process_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "password":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "peer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "peer_description":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "pesha1":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "pesha256":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "pid":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "port":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "prev_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "priority":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "process_arguments":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "process_guid":{ + "type":"long" + }, + "process_id":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } 
+ }, + "process_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "profile":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "program":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "protocol":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "protocol_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "protocol_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "proxied":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "query":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "query_class":{ + "type":"long" + }, + "query_class_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "query_length":{ + "type":"long" + }, + "query_type":{ + "type":"long" + }, + "query_type_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ra":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rcode":{ + "type":"long" + }, + "rcode_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rd":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "reason":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "recipient_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "referrer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rejected":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "remote_ip":{ + "type":"ip" + }, + "remote_location":{ + "type":"object", + "properties":{ + "country_code": { + "type": "text" + } + } + }, + "renewable":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "reply_code":{ + "type":"text", + "fields":{ 
+ "keyword":{ + "type":"keyword" + } + } + }, + "reply_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "reply_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_body_len":{ + "type":"long" + }, + "request_body_length":{ + "type":"long" + }, + "request_from":{ + "type":"text" + }, + "request_path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_port":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "requested_color_depth":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "requested_resource":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "requested_ip": { + "type":"ip", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "resp_filenames":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "resp_fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "resp_mime_types":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "respond_bytes":{ + "type":"long" + }, + "respond_country_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "respond_ip_bytes":{ + "type":"long" + }, + "respond_packets":{ + "type":"long" + }, + "response":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "response_body_len":{ + "type":"long" + }, + "response_body_length":{ + "type":"long" + }, + "response_from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "response_path":{ + "type":"text", + "fields":{ + 
"keyword":{ + "type":"keyword" + } + } + }, + "response_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "result":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "resumed":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rev":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rig":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rows":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rtt":{ + "type":"float", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rule":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rule_number":{ + "type":"long" + }, + "rule_signature":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rule_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "san_dns":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "second_received":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "section_names":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "security_protocol":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "seen_bytes":{ + "type":"long" + }, + "seen_node":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "seen_where":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sensor_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "seq":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sequence_number":{ + "type":"long" + }, + "server":{ + "type":"object", + "dynamic": true + } + }, + "server_certificate_fuid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + 
"server_certificate_subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_dns_computer_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_ip": { + "type":"ip", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_major_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_minor_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_name_frequency_score":{ + "type":"long" + }, + "server_name_length":{ + "type":"long" + }, + "server_nb_computer_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_tree_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "service":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "set_requests":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "severity":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sha1":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sha256":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "share_flag":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "share_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sid":{ + "type":"long" + }, + "signer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "site":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "size":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "software_type":{ + "type":"text", + "fields":{ + 
"keyword":{ + "type":"keyword" + } + } + }, + "source":{ + "type":"object", + "dynamic": true + }, + "source_geo.city_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.continent_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.dma_code":{ + "type":"long" + }, + "source_geo.ip":{ + "type":"ip" + }, + "source_geo.latitude":{ + "type":"long" + }, + "source_geo.location":{ + "type":"geo_point" + }, + "source_geo.longitude":{ + "type":"long" + }, + "source_geo.postal_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.region_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.region_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.timezone":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_hostname":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_ip":{ + "type":"ip" + }, + "source_ips":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_port":{ + "type":"long" + }, + "source_port_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sources":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_host_key_algorithms":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "status":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "status_code":{ + "type":"long" + }, + "status_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "status_msg":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sub_msg":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sub_rule_number":{ + "type":"text", + "fields":{ + "keyword":{ + 
"type":"keyword" + } + } + }, + "subdomain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "subdomain_frequency_score":{ + "type":"long" + }, + "subdomain_length":{ + "type":"long" + }, + "subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "subsystem":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "suppress_for":{ + "type":"long" + }, + "syslog-facility":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-file_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-host":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-host_from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-legacy_msghdr":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-pid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-priority":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-sourceip":{ + "type":"ip" + }, + "syslog-tags":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sysmon_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tags":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "target_filename":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tc":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tcp_flags":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "terminal_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "valid_till":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + + "timed_out":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + 
}, + "times_accessed":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "times_changed":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "times_created":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "times_modified":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tld.subdomain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tls":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "top_level_domain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "total_bytes":{ + "type":"long" + }, + "tracker_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "trans_depth":{ + "type":"long" + }, + "transaction_id":{ + "type":"long" + }, + "ttls":{ + "type":"text" + }, + "tty":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tunnel_parents":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tunnel_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "unparsed_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "up_since":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "urg":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uri":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uri_length":{ + "type":"long" + }, + "username":{ + "type":"text", + "fields": { + 
"keyword":{ + "type":"keyword" + } + } + }, + "user_agent":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "useragent":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "useragent_length":{ + "type":"long" + }, + "uses_aslr":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uses_code_integrity":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uses_dep":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uses_seh":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "validation_status":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "value":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_additional_info":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_major":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_minor":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_minor2":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_minor3":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "virtual_host":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "virtual_host_frequency_score":{ + "type":"long" + }, + "virtual_host_length":{ + "type":"long" + }, + "warning":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "width":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "window":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "x_originating_ip":{ + "type":"ip" + }, + "year":{ + "type":"long" + }, + "z":{ + "type":"text", + "fields":{ + 
"keyword":{
+ "type":"keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/logstash/pipelines/templates/so/so-zeek-template.json b/salt/logstash/pipelines/templates/so/so-zeek-template.json
new file mode 100644
index 000000000..a1d1c410b
--- /dev/null
+++ b/salt/logstash/pipelines/templates/so/so-zeek-template.json
@@ -0,0 +1,3599 @@ +{ + "index_patterns": ["so-zeek-*"], + "version":50001, + "order" : 0, + "settings":{ + "number_of_replicas":0, + "number_of_shards":1, + "index.refresh_interval":"30s" + }, + "mappings":{ + "doc":{ + "dynamic": false, + "date_detection": false, + "properties":{ + "@timestamp":{ + "type":"date" + }, + "@version":{ + "type":"keyword" + }, + "geoip":{ + "dynamic":true, + "properties":{ + "ip":{ + "type":"ip" + }, + "location":{ + "type":"geo_point" + }, + "latitude":{ + "type":"half_float" + }, + "longitude":{ + "type":"half_float" + } + } + }, + "destination_geo":{ + "dynamic":true, + "properties":{ + "ip":{ + "type":"ip" + }, + "location":{ + "type":"geo_point" + }, + "latitude":{ + "type":"half_float" + }, + "longitude":{ + "type":"half_float" + } + } + }, + "source_geo":{ + "dynamic":true, + "properties":{ + "ip":{ + "type":"ip" + }, + "location":{ + "type":"geo_point" + }, + "latitude":{ + "type":"half_float" + }, + "longitude":{ + "type":"half_float" + } + } + }, + "signature_info":{ + "type":"keyword" + }, + "aa":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ack":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "action":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "additional_info":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "age":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "alert":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "alert_level":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "analyzer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "answers":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "assigned_ip":{ + "type":"ip", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "auth":{ + "type":"text", + "fields":{ + 
"keyword":{ + "type":"keyword" + } + } + }, + "authentication_attempts":{ + "type":"long" + }, + "authentication_method":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "authentication_success":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "basic_constraints":{ + "type":"object", + "properties":{ + "path_len": { + "type": "text" + } + } + }, + "basic_constraints_ca":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "basic_constraints_path_length":{ + "type":"long" + }, + "bound_port":{ + "type":"long" + }, + "call_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "category":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "cc":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_chain_count":{ + "type":"long" + }, + "certificate_chain_fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_common_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_common_name_frequency_score":{ + "type":"long" + }, + "certificate_common_name_length":{ + "type":"long" + }, + "certificate_count":{ + "type":"long" + }, + "certificate_country_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_curve":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_exponent":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_issuer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_key_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_key_length":{ + "type":"long" + }, + "certificate_key_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + 
"certificate_locality":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_not_valid_after":{ + "type":"date" + }, + "certificate_not_valid_before":{ + "type":"date" + }, + "certificate_number_days_valid":{ + "type":"long" + }, + "certificate_organization":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_organization_unit":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_permanent":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_serial":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_serial_number":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_signing_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_state":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "certificate_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "checksum":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "cipher":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "cipher_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "class":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "classification":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client":{ + "type":"object", + "dynamic": true + }, + "client_build":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_certificate_chain_fuids":{ + "type":"text", + "fields":{ + 
"keyword":{ + "type":"keyword" + } + } + }, + "client_certificate_subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_certificate_fuid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_digital_product_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_fqdn":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_issuer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_ip": { + "type":"ip", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_major_version":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_minor_version":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "client_subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "command":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "community":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "company":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "compile_ts":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "compression_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "connect_info":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "connection_state":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "connection_state_description":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "content_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + 
} + } + }, + "cookie":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "creation_date":{ + "type":"date" + }, + "creation_time":{ + "type":"date" + }, + "client_host_key_algorithms":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "current_directory":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "curve":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "data_channel_destination_ip":{ + "type":"ip" + }, + "data_channel_destination_port":{ + "type":"long" + }, + "data_channel_passive":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "data_channel_source_ip":{ + "type":"ip" + }, + "data_length":{ + "type":"long" + }, + "date":{ + "type":"text" + }, + "dcc_file_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "dcc_file_size":{ + "type":"long" + }, + "dcc_mime_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "depth":{ + "type":"long" + }, + "description":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "desktop_height":{ + "type":"long" + }, + "desktop_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "desktop_width":{ + "type":"long" + }, + "dest_is_ipv6":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination":{ + "type":"object", + "dynamic": true + }, + "destination_city":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.city_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.continent_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.dma_code":{ + "type":"long" + }, + "destination_geo.ip":{ + "type":"ip" + }, + "destination_geo.latitude":{ + "type":"long" + }, + 
"destination_geo.location":{ + "type":"geo_point" + }, + "destination_geo.longitude":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.postal_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.region_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.country_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.region_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_geo.timezone":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_hostname":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_ip":{ + "type":"ip" + }, + "destination_ips":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_latitude":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_longitude":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_port":{ + "type":"long" + }, + "destination_port_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "destination_region":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "details":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "dir":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "direction":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "display_string":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "domain_age":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "domain_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "dropped":{ + "type":"text", + 
"fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "duration":{ + "type":"long" + }, + "valid_from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "enabled":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "encryption_level":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "encryption_method":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "endpoint":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "entry":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "entry_location":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "error_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "escalated_user":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "established":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "event_id":{ + "type":"long" + }, + "event_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "event_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "exception":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "extracted":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "extracted_cutoff":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "facility":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "fc_reply":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "fc_request":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_description":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_ip":{ + "type":"ip", + "fields":{ + "keyword":{ + "type":"keyword" + 
} + } + }, + "file_mime_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "file_size":{ + "type":"long" + }, + "first_received":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "flow_label":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "forwardable":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "framed_addr":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "freq_virtual_host":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "frequency_scores":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ftp_argument":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ftp_command":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "fuid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "function":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "geoip.ip":{ + "type":"ip" + }, + "geoip.latitude":{ + "type":"long" + }, + "geoip.location":{ + "type":"geo_point" + }, + "geoip.longitude":{ + "type":"long" + }, + "get_bulk_requests":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "get_requests":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "get_responses":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "gid":{ + "type":"long" + }, + "has_cert_table":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "has_debug_data":{ + "type":"text", + "fields":{ + 
"keyword":{ + "type":"keyword" + } + } + }, + "has_export_table":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "has_import_table":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hassh":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hassh_algorithms":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hassh_server":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hassh_server_algorithms":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hassh_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "height":{ + "type":"long" + }, + "helo":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "highest_registered_domain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "highest_registered_domain_frequency_score":{ + "type":"long" + }, + "history":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hop_limit":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "host":{ + "type":"object", + "dynamic": true + }, + "host_key":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "host_key_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "hostname":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "iin":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "image_path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "in_reply_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "indicator":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + 
"indicator_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "info_code":{ + "type":"long" + }, + "info_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "initiated":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "integrity_level":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "interface":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ip_version":{ + "type":"long" + }, + "ipv4_ecn":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ips":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_flags":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_offset":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_protocol":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_protocol_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_protocol_length":{ + "type":"long" + }, + "ipv4_tos":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ipv4_ttl":{ + "type":"long" + }, + "irc_command":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "irc_username":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_64bit":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_exe":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_orig":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_source_ipv6":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "is_webmail":{ + "type":"text", + "fields":{ + "keyword":{ + 
"type":"keyword" + } + } + }, + "issuer_common_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_common_name_frequency_score":{ + "type":"long" + }, + "issuer_common_name_length":{ + "type":"long" + }, + "issuer_country_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_distinguished_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_locality":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_organization":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_organization_frequency_score":{ + "type":"long" + }, + "issuer_organization_unit":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_serial_number":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "issuer_state":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ja3":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ja3s":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "kerberos_success":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "kex_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "keyboard_layout":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "last_alert":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "last_reply":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "launch_string":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "lease_time":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "length":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "local_orig":{ + "type":"text", + 
"fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "local_respond":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "location":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "log_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "log_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "logged":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "logon_guid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "logon_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "logstash_time":{ + "type":"long" + }, + "mac":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mac_algorithm":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "machine":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mail_date":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mail_from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "matched":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "md5":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "message_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "message_types":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "method":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mimetype":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "missed_bytes":{ + "type":"long" + }, + "missing_bytes":{ + "type":"long" + }, + "msg":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + 
}, + "mysql_argument":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mysql_command":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "mysql_success":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "n":{ + "type":"long" + }, + "name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "named_pipe":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "native_file_system":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "next_protocol":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "nick":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "note":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "notice":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ntlm_success":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "num_packets":{ + "type":"long" + }, + "object_size":{ + "type":"long" + }, + "operation":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "options":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "orig_filenames":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "orig_fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "orig_mime_types":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "original_bytes":{ + "type":"long" + }, + "original_country_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "original_ip_bytes":{ + "type":"long" + }, + "original_packets":{ + "type":"long" + }, + "os":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ossec_agent_name":{ + "type":"text", + "fields":{ + "keyword":{ + 
"type":"keyword" + } + } + }, + "ossec_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "overflow_bytes":{ + "type":"long" + }, + "p":{ + "type":"long" + }, + "parent_domain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "parent_domain_frequency_score":{ + "type":"long" + }, + "parent_domain_length":{ + "type":"long" + }, + "parent_image_path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "parent_process_guid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "parent_process_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "parent_process_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "password":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "peer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "peer_description":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "pesha1":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "pesha256":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "pid":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "port":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "prev_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "priority":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "process_arguments":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "process_guid":{ + "type":"long" + }, + "process_id":{ + "type":"long", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "process_name":{ + "type":"text", + "fields":{ + "keyword":{ 
+ "type":"keyword" + } + } + }, + "profile":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "program":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "protocol":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "protocol_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "protocol_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "proxied":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "query":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "query_class":{ + "type":"long" + }, + "query_class_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "query_length":{ + "type":"long" + }, + "query_type":{ + "type":"long" + }, + "query_type_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "ra":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rcode":{ + "type":"long" + }, + "rcode_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rd":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "reason":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "recipient_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "referrer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rejected":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "remote_ip":{ + "type":"ip" + }, + "remote_location":{ + "type":"object", + "properties":{ + "country_code": { + "type": "text" + } + } + }, + "renewable":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "reply_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "reply_message":{ + 
"type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "reply_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_body_len":{ + "type":"long" + }, + "request_body_length":{ + "type":"long" + }, + "request_from":{ + "type":"text" + }, + "request_path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_port":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "request_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "requested_color_depth":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "requested_resource":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "requested_ip": { + "type":"ip", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "resp_filenames":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "resp_fuids":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "resp_mime_types":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "respond_bytes":{ + "type":"long" + }, + "respond_country_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "respond_ip_bytes":{ + "type":"long" + }, + "respond_packets":{ + "type":"long" + }, + "response":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "response_body_len":{ + "type":"long" + }, + "response_body_length":{ + "type":"long" + }, + "response_from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "response_path":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "response_to":{ + 
"type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "result":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "resumed":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rev":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rig":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rows":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rtt":{ + "type":"float", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rule":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rule_number":{ + "type":"long" + }, + "rule_signature":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "rule_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "san_dns":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "second_received":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "section_names":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "security_protocol":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "seen_bytes":{ + "type":"long" + }, + "seen_node":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "seen_where":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sensor_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "seq":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sequence_number":{ + "type":"long" + }, + "server":{ + "type":"object", + "dynamic": "true + }, + "server_certificate_fuid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_certificate_subject":{ + "type":"text", + "fields":{ + "keyword":{ + 
"type":"keyword" + } + } + }, + "server_dns_computer_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_ip": { + "type":"ip", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_major_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_minor_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_name_frequency_score":{ + "type":"long" + }, + "server_name_length":{ + "type":"long" + }, + "server_nb_computer_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_tree_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "service":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "set_requests":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "severity":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sha1":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sha256":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "share_flag":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "share_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sid":{ + "type":"long" + }, + "signer":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "site":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "size":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "software_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source":{ + "type":"object", + 
"dynamic": true + }, + "source_geo.city_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.continent_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.dma_code":{ + "type":"long" + }, + "source_geo.ip":{ + "type":"ip" + }, + "source_geo.latitude":{ + "type":"long" + }, + "source_geo.location":{ + "type":"geo_point" + }, + "source_geo.longitude":{ + "type":"long" + }, + "source_geo.postal_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.region_code":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.region_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_geo.timezone":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_hostname":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_ip":{ + "type":"ip" + }, + "source_ips":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "source_port":{ + "type":"long" + }, + "source_port_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sources":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "server_host_key_algorithms":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "status":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "status_code":{ + "type":"long" + }, + "status_message":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "status_msg":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sub_msg":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sub_rule_number":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "subdomain":{ + "type":"text", + "fields":{ + 
"keyword":{ + "type":"keyword" + } + } + }, + "subdomain_frequency_score":{ + "type":"long" + }, + "subdomain_length":{ + "type":"long" + }, + "subject":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "subsystem":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "suppress_for":{ + "type":"long" + }, + "syslog-facility":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-file_name":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-host":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-host_from":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-legacy_msghdr":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-pid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-priority":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "syslog-sourceip":{ + "type":"ip" + }, + "syslog-tags":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "sysmon_timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tags":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "target_filename":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tc":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tcp_flags":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "terminal_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "valid_till":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + + "timed_out":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "times_accessed":{ + "type":"text", + "fields":{ + "keyword":{ + 
"type":"keyword" + } + } + }, + "times_changed":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "times_created":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "times_modified":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "timestamp":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tld.subdomain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tls":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "to":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "top_level_domain":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "total_bytes":{ + "type":"long" + }, + "tracker_id":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "trans_depth":{ + "type":"long" + }, + "transaction_id":{ + "type":"long" + }, + "ttls":{ + "type":"text" + }, + "tty":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tunnel_parents":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "tunnel_type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "type":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uid":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "unparsed_version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "up_since":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "urg":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uri":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uri_length":{ + "type":"long" + }, + "username":{ + "type":"text", + "fields": { + "keyword":{ + "type":"keyword" + } + } + }, + "user_agent":{ + "type":"text", + 
"fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "useragent":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "useragent_length":{ + "type":"long" + }, + "uses_aslr":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uses_code_integrity":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uses_dep":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "uses_seh":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "validation_status":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "value":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_additional_info":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_major":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_minor":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_minor2":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "version_minor3":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "virtual_host":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "virtual_host_frequency_score":{ + "type":"long" + }, + "virtual_host_length":{ + "type":"long" + }, + "warning":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "width":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "window":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + }, + "x_originating_ip":{ + "type":"ip" + }, + "year":{ + "type":"long" + }, + "z":{ + "type":"text", + "fields":{ + "keyword":{ + "type":"keyword" + } + } + } + } + } + } +} 
From f9e4d218ec197186cd1fddac997422cf6eb243d9 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 11 Mar 2020 12:13:11 +0000
Subject: [PATCH 3/5] update config
---
 .../pipelines/config/so/0800_input_eval.conf | 144 +++++++++---------
 .../so/8999_postprocess_rename_type.conf | 1 +
 .../config/so/9000_output_bro.conf.jinja | 10 +-
 .../config/so/9001_output_switch.conf.jinja | 4 +-
 .../config/so/9002_output_import.conf.jinja | 4 +-
 .../config/so/9004_output_flow.conf.jinja | 4 +-
 .../config/so/9026_output_dhcp.conf.jinja | 2 +-
 .../config/so/9029_output_esxi.conf.jinja | 2 +-
 .../config/so/9030_output_greensql.conf.jinja | 2 +-
 .../config/so/9031_output_iis.conf.jinja | 2 +-
 .../config/so/9032_output_mcafee.conf.jinja | 2 +-
 .../config/so/9033_output_snort.conf.jinja | 4 +-
 .../config/so/9034_output_syslog.conf.jinja | 4 +-
 .../config/so/9100_output_osquery.conf.jinja | 4 +-
 .../config/so/9200_output_firewall.conf.jinja | 4 +-
 .../config/so/9300_output_windows.conf.jinja | 4 +-
 .../so/9301_output_dns_windows.conf.jinja | 4 +-
 .../config/so/9400_output_suricata.conf.jinja | 4 +-
 .../config/so/9500_output_beats.conf.jinja | 6 +-
 .../config/so/9600_output_ossec.conf.jinja | 7 +-
 .../config/so/9700_output_strelka.conf.jinja | 6 +-
 21 files changed, 113 insertions(+), 111 deletions(-)
diff --git a/salt/logstash/pipelines/config/so/0800_input_eval.conf b/salt/logstash/pipelines/config/so/0800_input_eval.conf
index b499c3b0f..35a977d04 100644
--- a/salt/logstash/pipelines/config/so/0800_input_eval.conf
+++ b/salt/logstash/pipelines/config/so/0800_input_eval.conf
@@ -9,182 +9,182 @@ input {
 }
 file {
 path => "/nsm/zeek/logs/current/conn*.log"
- type => "bro_conn"
- tags => ["bro"]
+ type => "zeek.conn"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/dce_rpc*.log"
- type => "bro_dce_rpc"
- tags => ["bro"]
+ type => "zeek.dce_rpc"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/dhcp*.log"
- type => "bro_dhcp"
- tags => ["bro"]
+ type => "zeek.dhcp"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/dnp3*.log"
- type => "bro_dnp3"
- tags => ["bro"]
+ type => "zeek.dnp3"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/dns*.log"
- type => "bro_dns"
- tags => ["bro"]
+ type => "zeek.dns"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/dpd*.log"
- type => "bro_dpd"
- tags => ["bro"]
+ type => "zeek.dpd"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/files*.log"
- type => "bro_files"
- tags => ["bro"]
+ type => "zeek.files"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/ftp*.log"
- type => "bro_ftp"
- tags => ["bro"]
+ type => "zeek.ftp"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/http*.log"
- type => "bro_http"
- tags => ["bro"]
+ type => "zeek.http"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/intel*.log"
- type => "bro_intel"
- tags => ["bro"]
+ type => "zeek.intel"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/irc*.log"
- type => "bro_irc"
- tags => ["bro"]
+ type => "zeek.irc"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/kerberos*.log"
- type => "bro_kerberos"
- tags => ["bro"]
+ type => "zeek.kerberos"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/modbus*.log"
- type => "bro_modbus"
- tags => ["bro"]
+ type => "zeek.modbus"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/mysql*.log"
- type => "bro_mysql"
- tags => ["bro"]
+ type => "zeek.mysql"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/notice*.log"
- type => "bro_notice"
- tags => ["bro"]
+ 
type => "zeek.notice"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/ntlm*.log"
- type => "bro_ntlm"
- tags => ["bro"]
+ type => "zeek.ntlm"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/pe*.log"
- type => "bro_pe"
- tags => ["bro"]
+ type => "zeek.pe"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/radius*.log"
- type => "bro_radius"
- tags => ["bro"]
+ type => "zeek.radius"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/rdp*.log"
- type => "bro_rdp"
- tags => ["bro"]
+ type => "zeek.rdp"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/rfb*.log"
- type => "bro_rfb"
- tags => ["bro"]
+ type => "zeek.rfb"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/signatures*.log"
- type => "bro_signatures"
- tags => ["bro"]
+ type => "zeek.signatures"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/sip*.log"
- type => "bro_sip"
- tags => ["bro"]
+ type => "zeek.sip"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/smb_files*.log"
- type => "bro_smb_files"
- tags => ["bro"]
+ type => "zeek.smb_files"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/smb_mapping*.log"
- type => "bro_smb_mapping"
- tags => ["bro"]
+ type => "zeek.smb_mapping"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/smtp*.log"
- type => "bro_smtp"
- tags => ["bro"]
+ type => "zeek.smtp"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/snmp*.log"
- type => "bro_snmp"
- tags => ["bro"]
+ type => "zeek.snmp"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/socks*.log"
- type => "bro_socks"
- tags => ["bro"]
+ type => "zeek.socks"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/software*.log"
- type => "bro_software"
- tags => ["bro"]
+ type => "zeek.software"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/ssh*.log"
- type => "bro_ssh"
- tags => ["bro"]
+ type => "zeek.ssh"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/ssl*.log"
- 
type => "bro_ssl"
- tags => ["bro"]
+ type => "zeek.ssl"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/syslog*.log"
- type => "bro_syslog"
- tags => ["bro"]
+ type => "zeek.syslog"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/tunnel*.log"
- type => "bro_tunnels"
- tags => ["bro"]
+ type => "zeek.tunnels"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/weird*.log"
- type => "bro_weird"
- tags => ["bro"]
+ type => "zeek.weird"
+ tags => ["zeek"]
 }
 file {
 path => "/nsm/zeek/logs/current/x509*.log"
- type => "bro_x509"
- tags => ["bro"]
+ type => "zeek.x509"
+ tags => ["zeek"]
 }
 file {
 path => "/wazuh/alerts/alerts.json"
 type => "ossec"
 }
- file {
- path => "/wazuh/archives/archives.json"
- type => "ossec_archive"
- }
+# file {
+# path => "/wazuh/archives/archives.json"
+# type => "ossec_archive"
+# }
 file {
 path => "/osquery/logs/result.log"
 type => "osquery"
diff --git a/salt/logstash/pipelines/config/so/8999_postprocess_rename_type.conf b/salt/logstash/pipelines/config/so/8999_postprocess_rename_type.conf
index 383fd9827..c7a37e15c 100644
--- a/salt/logstash/pipelines/config/so/8999_postprocess_rename_type.conf
+++ b/salt/logstash/pipelines/config/so/8999_postprocess_rename_type.conf
@@ -4,5 +4,6 @@ filter {
 mutate {
 rename => [ "type", "event_type" ]
+ remove_field => [ "host" ]
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9000_output_bro.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_bro.conf.jinja
index acc31ae00..9ce08edf8 100644
--- a/salt/logstash/pipelines/config/so/9000_output_bro.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9000_output_bro.conf.jinja
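Review bot: Every Zeek `type` is renamed from `bro_<log>` to `zeek.<log>`, and because 8999_postprocess_rename_type.conf turns `type` into `event_type` and 9000_output_bro.conf.jinja selects the ingest pipeline with `pipeline => "%{event_type}"`, each Zeek event is now routed to an Elasticsearch ingest pipeline named `zeek.conn`, `zeek.dns` and so on; if those pipelines are not renamed to match elsewhere in this series, indexing fails with a pipeline-not-found error and Zeek visibility is lost without any change in this file looking wrong. `tunnel*.log` is typed `zeek.tunnels` (plural) while every other type mirrors its log name, so that pipeline name needs the same check. The Wazuh archive input is commented out rather than deleted; either remove the four `# file { … }` lines (history keeps them) or record the reason in one line, e.g. `# archives.json deliberately not ingested on eval: <reason>`. The enclosing `input {` block starts and ends outside the hunk.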
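Review bot: `remove_field => [ "host" ]` sits in an unconditional `mutate` as far as the hunk shows (the lines between `filter {` and `mutate {` are outside it), so every event type passing this postprocess stage loses `host`, including Beats, syslog and Wazuh events for which `host` is the originating-system identity an analyst pivots on during triage. If the goal is to avoid the type clash between the string `host` Logstash adds to file-input events and the `host` object Beats ships (the commit message does not say), scope the removal to that case, e.g. `if [host] and ![host][name] { mutate { remove_field => [ "host" ] } }`, or rename it into a dedicated field rather than drop it. A one-line comment such as `# drop the string host Logstash sets on local file inputs; Beats events keep host.name` would record the intent. The enclosing `filter {` block starts outside the hunk.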
@@ -10,21 +10,21 @@ filter {
- if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+ if "zeek" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
 mutate {
 ##add_tag => [ "conf_file_9000"]
 }
 }
 }
 output {
- if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
+ if "zeek" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
 # stdout { codec => rubydebug }
 elasticsearch {
 pipeline => "%{event_type}"
 hosts => "{{ ES }}"
- index => "logstash-bro-%{+YYYY.MM.dd}"
- template_name => "logstash-bro"
- template => "/logstash-bro-template.json"
+ index => "so-zeek-%{+YYYY.MM.dd}"
+ template_name => "so-zeek"
+ template => "/so-zeek-template.json"
 template_overwrite => true
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja b/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja
index 949a738ab..0fc30c4b0 100644
--- a/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja
@@ -20,8 +20,8 @@ output {
 #stdout { codec => rubydebug }
 elasticsearch {
 hosts => "{{ ES }}"
- index => "logstash-switch-%{+YYYY.MM.dd}"
- template => "/logstash-template.json"
+ index => "so-switch-%{+YYYY.MM.dd}"
+ template => "/so-template.json"
 }
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
index 1b691df6b..2b7db9370 100644
--- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
@@ -18,9 +18,9 @@ output {
 # stdout { codec => rubydebug }
 elasticsearch {
 hosts => "{{ ES }}"
- index => "logstash-import-%{+YYYY.MM.dd}"
+ index => "so-import-%{+YYYY.MM.dd}"
 template_name => "logstash"
- template => "/logstash-template.json"
+ template => "/so-template.json"
 template_overwrite => true
 }
 }
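Review bot: The file is still named `9000_output_bro.conf.jinja` (and is presumably listed under that name in the pillar) while everything inside it now says zeek — `"zeek" in [tags]`, `index => "so-zeek-%{+YYYY.MM.dd}"`, `template_name => "so-zeek"` — so the rename stops halfway; renaming the file to `9000_output_zeek.conf.jinja` together with its pillar entry would finish it. The new `so-zeek-*` indices only pick up `/so-zeek-template.json` if that template's `index_patterns` lists `so-zeek-*`; the template is added in patch 2/5 but its header is not visible here, so please confirm, otherwise the new indices fall back to dynamic mapping. Existing `logstash-bro-*` indices and any saved Kibana index patterns are not migrated as far as this series shows, so searches and dashboards will span two index families until that is handled.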
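Review bot: `template_name => "logstash"` is kept while the index prefix and template path move to `so-`, so the mapping from `/so-template.json` is installed in Elasticsearch under the legacy name `logstash`; the same leftover is in 9033_output_snort, 9034_output_syslog and 9200_output_firewall, and the outputs that omit `template_name` (9001, 9004, 9100 among others) fall back to the plugin default, documented as `logstash`, so all of them overwrite one and the same ES template. That is functionally consistent but misleading after the rename; either set `template_name => "so"` in every output that references `/so-template.json`, or drop the explicit line everywhere so a single convention remains. Whatever name is used, `so-template.json` must declare `index_patterns` covering `so-*` (its contents are not visible here); if it still matches `logstash-*`, `so-import-*` and the other renamed indices get no template and field types drift from index to index.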
diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
index 3dbd34f16..2fd427129 100644
--- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
@@ -20,8 +20,8 @@ output {
 #stdout { codec => rubydebug }
 elasticsearch {
 hosts => "{{ ES }}"
- index => "logstash-flow-%{+YYYY.MM.dd}"
- template => "/logstash-template.json"
+ index => "so-flow-%{+YYYY.MM.dd}"
+ template => "/so-template.json"
 }
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja b/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja
index a63ac5f98..f7f3d8060 100644
--- a/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja
@@ -20,7 +20,7 @@ output {
 #stdout { codec => rubydebug }
 elasticsearch {
 hosts => "{{ ES }}"
- template => "/logstash-template.json"
+ template => "/so-template.json"
 }
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja b/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja
index 229de6b9c..7de501bf8 100644
--- a/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja
@@ -19,7 +19,7 @@ output {
 if [event_type] == "esxi" and "test_data" not in [tags] {
 elasticsearch {
 hosts => "{{ ES }}"
- template => "/logstash-template.json"
+ template => "/so-template.json"
 }
 }
 }
diff --git a/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja b/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja
index a6d16b95d..544e62856 100644
--- a/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja
@@ -19,7 +19,7 @@ output { if [event_type] == "greensql" and "test_data" not in [tags] { elasticsearch { hosts => "{{ ES }}" - template => "/logstash-template.json" + template => "/so-template.json" } } } diff --git a/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja b/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja index 6650d8a7d..7de10b974 100644 --- a/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja +++ b/salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja @@ -20,7 +20,7 @@ output { #stdout { codec => rubydebug } elasticsearch { hosts => "{{ ES }}" - template => "/logstash-template.json" + template => "/so-template.json" } } } diff --git a/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja b/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja index ca982967d..bb3ec0714 100644 --- a/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja +++ b/salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja @@ -20,7 +20,7 @@ output { #stdout { codec => rubydebug } elasticsearch { hosts => "{{ ES }}" - template => "/logstash-template.json" + template => "/so-template.json" } } } diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja index 6c310b91e..dc9c5f7e1 100644 --- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja +++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja @@ -20,9 +20,9 @@ output { #stdout { codec => rubydebug } elasticsearch { hosts => "{{ ES }}" - index => "logstash-ids-%{+YYYY.MM.dd}" + index => "so-ids-%{+YYYY.MM.dd}" template_name => "logstash" - template => "/logstash-template.json" + template => "/so-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja index 56a6527b8..33b841c08 100644 
--- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja +++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja @@ -19,9 +19,9 @@ output { if "syslog" in [tags] and "test_data" not in [tags] { elasticsearch { hosts => "{{ ES }}" - index => "logstash-syslog-%{+YYYY.MM.dd}" + index => "so-syslog-%{+YYYY.MM.dd}" template_name => "logstash" - template => "/logstash-template.json" + template => "/so-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja index e95119562..63fd3c25b 100644 --- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja @@ -12,8 +12,8 @@ output { if "osquery" in [tags] { elasticsearch { hosts => "{{ ES }}" - index => "logstash-osquery-%{+YYYY.MM.dd}" - template => "/logstash-template.json" + index => "so-osquery-%{+YYYY.MM.dd}" + template => "/so-template.json" } } } \ No newline at end of file diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja index b2ad43963..17e774976 100644 --- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja +++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja @@ -20,9 +20,9 @@ output { # stdout { codec => rubydebug } elasticsearch { hosts => "{{ ES }}" - index => "logstash-firewall-%{+YYYY.MM.dd}" + index => "so-firewall-%{+YYYY.MM.dd}" template_name => "logstash" - template => "/logstash-template.json" + template => "/so-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja b/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja index d3f9d1919..9779d01a5 100644 --- a/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja 
+++ b/salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja @@ -20,8 +20,8 @@ output { #stdout { codec => rubydebug } elasticsearch { hosts => "{{ ES }}" - index => "logstash-windows-%{+YYYY.MM.dd}" - template => "/logstash-template.json" + index => "so-windows-%{+YYYY.MM.dd}" + template => "/so-template.json" } } } diff --git a/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja b/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja index 8a56b7044..dc6bbbda4 100644 --- a/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja +++ b/salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja @@ -20,8 +20,8 @@ output { #stdout { codec => rubydebug } elasticsearch { hosts => "{{ ES }}" - index => "logstash-%{+YYYY.MM.dd}" - template => "/logstash-template.json" + index => "so-%{+YYYY.MM.dd}" + template => "/so-template.json" } } } diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja index 4bffd7f0a..a85fba758 100644 --- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja +++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja @@ -20,8 +20,8 @@ output { #stdout { codec => rubydebug } elasticsearch { hosts => "{{ ES }}" - index => "logstash-ids-%{+YYYY.MM.dd}" - template => "/logstash-template.json" + index => "so-ids-%{+YYYY.MM.dd}" + template => "/so-template.json" } } } diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja index 30900cb93..dcfefa852 100644 --- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja +++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja 
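Review bot: `index => "so-%{+YYYY.MM.dd}"` in 9301_output_dns_windows is the only output in this series without a dataset segment, so Windows DNS events go into a bare daily `so-*` index while 9300_output_windows uses `so-windows-`. This preserves the old `logstash-%{+YYYY.MM.dd}` behaviour and may be intentional, but a name such as `so-windows-%{+YYYY.MM.dd}` keeps the index inventory self-describing and makes per-source retention and access policies possible. Also worth noting: 9033_output_snort and 9400_output_suricata both write to `so-ids-*` but only 9033 sets `template_name`/`template_overwrite`, so which template governs that index depends on start-up order — pre-existing, but the rename is a good moment to align the two.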
@@ -16,9 +16,9 @@ output { if "beat" in [tags] { elasticsearch { hosts => "{{ ES }}" - index => "logstash-beats-%{+YYYY.MM.dd}" - template_name => "logstash-beats" - template => "/beats-template.json" + index => "so-beats-%{+YYYY.MM.dd}" + template_name => "so-beats" + template => "/so-beats-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja index 71d0c28aa..28391b29a 100644 --- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja +++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja @@ -19,10 +19,11 @@ filter { output { if [event_type] =~ "ossec" or "ossec" in [tags] { elasticsearch { + pipeline => "%{event_type}" hosts => "{{ ES }}" - index => "logstash-ossec-%{+YYYY.MM.dd}" - template_name => "logstash-ossec" - template => "/logstash-ossec-template.json" + index => "so-ossec-%{+YYYY.MM.dd}" + template_name => "so-ossec" + template => "/so-ossec-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja index c562cedc7..48ed75f72 100644 --- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja +++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja @@ -20,9 +20,9 @@ output { if [event_type] =~ "strelka" { elasticsearch { hosts => "{{ ES }}" - index => "logstash-strelka-%{+YYYY.MM.dd}" - template_name => "logstash-strelka" - template => "/logstash-strelka-template.json" + index => "so-strelka-%{+YYYY.MM.dd}" + template_name => "so-strelka" + template => "/so-strelka-template.json" template_overwrite => true } } From 9ad16e8c71da385c523d8ac2f6d9e2d37cec9f68 Mon Sep 17 00:00:00 2001 
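Review bot: the new `pipeline => "%{event_type}"` in 9600_output_ossec is applied to every event matching `[event_type] =~ "ossec" or "ossec" in [tags]`, and the second branch admits events with no `event_type` at all; for those the sprintf stays unexpanded and Elasticsearch rejects the bulk item because no ingest pipeline literally named `%{event_type}` exists, so the alert never reaches the index and the loss shows up only in Logstash logs or the DLQ. The 9000 zeek output in this series uses the same setting but only behind a tag check, so it is presumably paired with matching `zeek.*` ingest pipelines. Either drop the tag-only branch from the condition, or set a default in the filter section when the field is absent, e.g. `if ![event_type] { mutate { add_field => { "event_type" => "ossec" } } }`, so the `ossec` ingest pipeline added in this series is always the one selected.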
From: Wes Lambert Date: Wed, 11 Mar 2020 12:13:53 +0000 Subject: [PATCH 4/5] upadte ingest config --- salt/elasticsearch/files/ingest/common | 4 +- salt/elasticsearch/files/ingest/ossec | 67 +++++++++---------- salt/elasticsearch/files/ingest/zeek.common | 24 +++++++ .../files/ingest/zeek.common_ssl | 58 ++++++++++++++++ salt/elasticsearch/files/ingest/zeek.conn | 40 +++++++++++ salt/elasticsearch/files/ingest/zeek.dce_rpc | 12 ++++ salt/elasticsearch/files/ingest/zeek.dhcp | 21 ++++++ salt/elasticsearch/files/ingest/zeek.dnp3 | 11 +++ salt/elasticsearch/files/ingest/zeek.dns | 28 ++++++++ salt/elasticsearch/files/ingest/zeek.dpd | 20 ++++++ salt/elasticsearch/files/ingest/zeek.files | 34 ++++++++++ salt/elasticsearch/files/ingest/zeek.ftp | 25 +++++++ salt/elasticsearch/files/ingest/zeek.http | 34 ++++++++++ salt/elasticsearch/files/ingest/zeek.intel | 20 ++++++ salt/elasticsearch/files/ingest/zeek.irc | 17 +++++ salt/elasticsearch/files/ingest/zeek.kerberos | 22 ++++++ salt/elasticsearch/files/ingest/zeek.modbus | 10 +++ salt/elasticsearch/files/ingest/zeek.mysql | 13 ++++ salt/elasticsearch/files/ingest/zeek.notice | 26 +++++++ salt/elasticsearch/files/ingest/zeek.ntlm | 16 +++++ salt/elasticsearch/files/ingest/zeek.pe | 24 +++++++ salt/elasticsearch/files/ingest/zeek.radius | 16 +++++ salt/elasticsearch/files/ingest/zeek.rdp | 23 +++++++ salt/elasticsearch/files/ingest/zeek.rfb | 18 +++++ .../files/ingest/zeek.signatures | 14 ++++ salt/elasticsearch/files/ingest/zeek.sip | 29 ++++++++ .../elasticsearch/files/ingest/zeek.smb_files | 23 +++++++ .../files/ingest/zeek.smb_mapping | 12 ++++ salt/elasticsearch/files/ingest/zeek.smtp | 30 +++++++++ salt/elasticsearch/files/ingest/zeek.snmp | 17 +++++ salt/elasticsearch/files/ingest/zeek.socks | 20 ++++++ salt/elasticsearch/files/ingest/zeek.software | 23 +++++++ salt/elasticsearch/files/ingest/zeek.ssh | 32 +++++++++ salt/elasticsearch/files/ingest/zeek.ssl | 25 +++++++ salt/elasticsearch/files/ingest/zeek.syslog | 13 
++++ salt/elasticsearch/files/ingest/zeek.tunnel | 8 +++ salt/elasticsearch/files/ingest/zeek.tunnels | 19 ++++++ salt/elasticsearch/files/ingest/zeek.weird | 12 ++++ salt/elasticsearch/files/ingest/zeek.x509 | 45 +++++++++++++ 39 files changed, 869 insertions(+), 36 deletions(-) create mode 100644 salt/elasticsearch/files/ingest/zeek.common create mode 100644 salt/elasticsearch/files/ingest/zeek.common_ssl create mode 100644 salt/elasticsearch/files/ingest/zeek.conn create mode 100644 salt/elasticsearch/files/ingest/zeek.dce_rpc create mode 100644 salt/elasticsearch/files/ingest/zeek.dhcp create mode 100644 salt/elasticsearch/files/ingest/zeek.dnp3 create mode 100644 salt/elasticsearch/files/ingest/zeek.dns create mode 100644 salt/elasticsearch/files/ingest/zeek.dpd create mode 100644 salt/elasticsearch/files/ingest/zeek.files create mode 100644 salt/elasticsearch/files/ingest/zeek.ftp create mode 100644 salt/elasticsearch/files/ingest/zeek.http create mode 100644 salt/elasticsearch/files/ingest/zeek.intel create mode 100644 salt/elasticsearch/files/ingest/zeek.irc create mode 100644 salt/elasticsearch/files/ingest/zeek.kerberos create mode 100644 salt/elasticsearch/files/ingest/zeek.modbus create mode 100644 salt/elasticsearch/files/ingest/zeek.mysql create mode 100644 salt/elasticsearch/files/ingest/zeek.notice create mode 100644 salt/elasticsearch/files/ingest/zeek.ntlm create mode 100644 salt/elasticsearch/files/ingest/zeek.pe create mode 100644 salt/elasticsearch/files/ingest/zeek.radius create mode 100644 salt/elasticsearch/files/ingest/zeek.rdp create mode 100644 salt/elasticsearch/files/ingest/zeek.rfb create mode 100644 salt/elasticsearch/files/ingest/zeek.signatures create mode 100644 salt/elasticsearch/files/ingest/zeek.sip create mode 100644 salt/elasticsearch/files/ingest/zeek.smb_files create mode 100644 salt/elasticsearch/files/ingest/zeek.smb_mapping create mode 100644 salt/elasticsearch/files/ingest/zeek.smtp create mode 100644 
salt/elasticsearch/files/ingest/zeek.snmp create mode 100644 salt/elasticsearch/files/ingest/zeek.socks create mode 100644 salt/elasticsearch/files/ingest/zeek.software create mode 100644 salt/elasticsearch/files/ingest/zeek.ssh create mode 100644 salt/elasticsearch/files/ingest/zeek.ssl create mode 100644 salt/elasticsearch/files/ingest/zeek.syslog create mode 100644 salt/elasticsearch/files/ingest/zeek.tunnel create mode 100644 salt/elasticsearch/files/ingest/zeek.tunnels create mode 100644 salt/elasticsearch/files/ingest/zeek.weird create mode 100644 salt/elasticsearch/files/ingest/zeek.x509 diff --git a/salt/elasticsearch/files/ingest/common b/salt/elasticsearch/files/ingest/common index 6463757ca..2d1dde973 100644 --- a/salt/elasticsearch/files/ingest/common +++ b/salt/elasticsearch/files/ingest/common @@ -44,8 +44,8 @@ }, { "remove": { - "field": "index_name_prefix", - "ignore_failure": true + "field": [ "index_name_prefix"], + "ignore_failure": false } } ] diff --git a/salt/elasticsearch/files/ingest/ossec b/salt/elasticsearch/files/ingest/ossec index 2b6d19370..ca20b9856 100644 --- a/salt/elasticsearch/files/ingest/ossec +++ b/salt/elasticsearch/files/ingest/ossec 
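Review bot: flipping `"ignore_failure"` to `false` on the `remove` of `index_name_prefix` makes the shared `common` pipeline fail any document that arrives without that field, because `remove` treats a missing field as a failure unless `ignore_missing` is set; since `common` is the final step of every pipeline in this series (ossec, zeek.common, …), a single upstream source that never sets `index_name_prefix` now has all its events rejected at ingest instead of indexed with one stray field. The ossec hunk below already uses the safer combination, which fails only on genuine errors; the same form here would be `"field": [ "index_name_prefix" ], "ignore_missing": true, "ignore_failure": false`. For a pipeline feeding detection this matters, since rejected bulk items are visible only in Logstash logs or the DLQ and the resulting gap in the index is easy to miss.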
@@ -6,48 +6,47 @@ { "rename": { "field": "message2.data", "target_field": "data", "ignore_missing": true } }, { "rename": { "field": "message2.decoder", "target_field": "decoder", "ignore_missing": true } }, { "rename": { "field": "message2.full_log", "target_field": "full_log", "ignore_missing": true } }, - { "rename": { "field": "message2.id", "target_field": "id", "ignore_missing": true } }, + { "rename": { "field": "message2.id", "target_field": "log.id.id", "ignore_missing": true } }, { "rename": { "field": "message2.location", "target_field": "location", "ignore_missing": true } }, { "rename": { "field": "message2.manager", "target_field": "manager", "ignore_missing": true } }, { "rename": { "field": "message2.predecoder", "target_field": "predecoder", "ignore_missing": true } }, { "rename": { "field": "message2.timestamp", "target_field": "timestamp", "ignore_missing": true } }, - { "rename": { "field": "message2.rule", "target_field": "wazuh-rule", "ignore_missing": true } }, + { "rename": { "field": "message2.rule", "target_field": "rule", "ignore_missing": true } }, { "rename": { "field": "data.command", "target_field": "command", "ignore_missing": true } }, - { "rename": { "field": "data.dstip", "target_field": "destination_ip", "ignore_missing": true } }, - { "rename": { "field": "data.dstport", "target_field": "destination_port", "ignore_missing": true } }, - { "rename": { "field": "data.dstuser", "target_field": "escalated_user", "ignore_missing": true } }, - { "rename": { "field": "data.srcip", "target_field": "source_ip", "ignore_missing": true } }, - { "rename": { "field": "data.srcuser", "target_field": "username", "ignore_missing": true } }, - { "rename": { "field": "data.win.eventdata.destinationHostname", "target_field": "destination_hostname", "ignore_missing": true } }, - { "rename": { "field": "data.win.eventdata.destinationIp", "target_field": "destination_ip", "ignore_missing": true } }, - { "rename": { "field": 
"data.win.eventdata.destinationPort", "target_field": "destination_port", "ignore_missing": true } }, + { "rename": { "field": "data.dstip", "target_field": "destination.ip", "ignore_missing": true } }, + { "rename": { "field": "data.dstport", "target_field": "destination.port", "ignore_missing": true } }, + { "rename": { "field": "data.dstuser", "target_field": "user.escalated", "ignore_missing": true } }, + { "rename": { "field": "data.srcip", "target_field": "source.ip", "ignore_missing": true } }, + { "rename": { "field": "data.srcuser", "target_field": "source.user", "ignore_missing": true } }, + { "rename": { "field": "data.win.eventdata.destinationHostname", "target_field": "destination.hostname", "ignore_missing": true } }, + { "rename": { "field": "data.win.eventdata.destinationIp", "target_field": "destination.ip", "ignore_missing": true } }, + { "rename": { "field": "data.win.eventdata.destinationPort", "target_field": "destination.port", "ignore_missing": true } }, { "rename": { "field": "data.win.eventdata.image", "target_field": "image_path", "ignore_missing": true } }, { "rename": { "field": "data.win.eventdata.parentImage", "target_field": "parent_image_path", "ignore_missing": true } }, - { "rename": { "field": "data.win.eventdata.sourceHostname", "target_field": "source_hostname", "ignore_missing": true } }, + { "rename": { "field": "data.win.eventdata.sourceHostname", "target_field": "source.hostname", "ignore_missing": true } }, { "rename": { "field": "data.win.eventdata.sourceIp", "target_field": "source_ip", "ignore_missing": true } }, - { "rename": { "field": "data.win.eventdata.sourcePort", "target_field": "source_port", "ignore_missing": true } }, - { "rename": { "field": "data.win.eventdata.targetFilename", "target_field": "target_filename", "ignore_missing": true } }, - { "rename": { "field": "data.win.eventdata.user", "target_field": "username", "ignore_missing": true } }, - { "rename": { "field": "data.win.system.eventID", 
"target_field": "event_id", "ignore_missing": true } }, - { "rename": { "field": "predecoder.program_name", "target_field": "process", "ignore_missing": true } }, - { "rename": { "field": "wazuh-rule.level", "target_field": "alert_level", "ignore_missing": true } }, - { "rename": { "field": "wazuh-rule.description", "target_field": "description", "ignore_missing": true } }, - { "set": { "if": "ctx.alert_level == 1", "field": "classification", "value": "None" } }, - { "set": { "if": "ctx.alert_level == 2", "field": "classification", "value": "System low priority notification" } }, - { "set": { "if": "ctx.alert_level == 3", "field": "classification", "value": "Successful/authorized event" } }, - { "set": { "if": "ctx.alert_level == 4", "field": "classification", "value": "System low priority error" } }, - { "set": { "if": "ctx.alert_level == 5", "field": "classification", "value": "User generated error" } }, - { "set": { "if": "ctx.alert_level == 6", "field": "classification", "value": "Low relevance attack" } }, - { "set": { "if": "ctx.alert_level == 7", "field": "classification", "value": "\"Bad word\" matching" } }, - { "set": { "if": "ctx.alert_level == 8", "field": "classification", "value": "First time seen" } }, - { "set": { "if": "ctx.alert_level == 9", "field": "classification", "value": "Error from invalid source" } }, - { "set": { "if": "ctx.alert_level == 10", "field": "classification", "value": "Multiple user generated errors" } }, - { "set": { "if": "ctx.alert_level == 11", "field": "classification", "value": "Integrity checking warning" } }, - { "set": { "if": "ctx.alert_level == 12", "field": "classification", "value": "High importance event" } }, - { "set": { "if": "ctx.alert_level == 13", "field": "classification", "value": "Unusal error (high importance)" } }, - { "set": { "if": "ctx.alert_level == 14", "field": "classification", "value": "High importance security event" } }, - { "set": { "if": "ctx.alert_level == 15", "field": "classification", 
"value": "Severe attack" } }, - { "append": { "if": "ctx.alert_level != null", "field": "tags", "value": ["alert"] } }, + { "rename": { "field": "data.win.eventdata.sourcePort", "target_field": "source.port", "ignore_missing": true } }, + { "rename": { "field": "data.win.eventdata.targetFilename", "target_field": "file.target", "ignore_missing": true } }, + { "rename": { "field": "data.win.eventdata.user", "target_field": "user.name", "ignore_missing": true } }, + { "rename": { "field": "data.win.system.eventID", "target_field": "event.code", "ignore_missing": true } }, + { "rename": { "field": "predecoder.program_name", "target_field": "process.name", "ignore_missing": true } }, + { "set": { "if": "ctx.rule.level == 1", "field": "category", "value": "None" } }, + { "set": { "if": "ctx.rule.level == 2", "field": "category", "value": "System low priority notification" } }, + { "set": { "if": "ctx.rule.level == 3", "field": "category", "value": "Successful/authorized event" } }, + { "set": { "if": "ctx.rule.level == 4", "field": "rule.category", "value": "System low priority error" } }, + { "set": { "if": "ctx.rule.level == 5", "field": "rule.category", "value": "User generated error" } }, + { "set": { "if": "ctx.rule.level == 6", "field": "rule.category", "value": "Low relevance attack" } }, + { "set": { "if": "ctx.rule.level == 7", "field": "rule.category", "value": "\"Bad word\" matching" } }, + { "set": { "if": "ctx.rule.level == 8", "field": "rule.category", "value": "First time seen" } }, + { "set": { "if": "ctx.rule.level == 9", "field": "rule.category", "value": "Error from invalid source" } }, + { "set": { "if": "ctx.rule.level == 10", "field": "rule.category", "value": "Multiple user generated errors" } }, + { "set": { "if": "ctx.rule.level == 11", "field": "rule.category", "value": "Integrity checking warning" } }, + { "set": { "if": "ctx.rule.level == 12", "field": "rule.category", "value": "High importance event" } }, + { "set": { "if": "ctx.rule.level 
== 13", "field": "rule.category", "value": "Unusal error (high importance)" } }, + { "set": { "if": "ctx.rule.level == 14", "field": "rule.category", "value": "High importance security event" } }, + { "set": { "if": "ctx.rule.level == 15", "field": "rule.category", "value": "Severe attack" } }, + { "append": { "if": "ctx.rule.level != null", "field": "tags", "value": ["alert"] } }, + { "remove": { "field": [ "host", "predecoder", "decoder" ], "ignore_missing": true, "ignore_failure": false } }, { "pipeline": { "name": "common" } } ] } diff --git a/salt/elasticsearch/files/ingest/zeek.common b/salt/elasticsearch/files/ingest/zeek.common new file mode 100644 index 000000000..cc854fab0 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.common 
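Review bot: the new conditions `ctx.rule.level == N` dereference `ctx.rule` directly, so an ossec event whose `message2.rule` was absent (that rename is `ignore_missing`) now raises a null-pointer error in Painless and fails the whole pipeline, whereas the old `ctx.alert_level == N` simply evaluated to false; `ctx.rule?.level == N` on each `set` and `ctx.rule?.level != null` on the `append` keep the old tolerance. Two consistency slips in the same block: levels 1–3 set `category` while 4–15 set `rule.category`, so the three lowest levels land in a different field, and the unchanged context line still maps `data.win.eventdata.sourceIp` to `source_ip` while its siblings moved to `source.ip`/`destination.ip`, so Sysmon network events carry a mixed source field that ECS-based dashboards and detection rules will miss. Also, both `data.dstip` and `data.win.eventdata.destinationIp` now target `destination.ip`; `rename` fails when the target already exists, so an event carrying both errors out — the same shape existed under `destination_ip`, but it is worth an `"if"` guard now that the field is ECS-visible. The `"Unusal error"` value is a pre-existing typo carried over into the new lines.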
@@ -0,0 +1,24 @@
+{
+ "description" : "zeek.common",
+ "processors" : [
+ { "rename": { "field": "@timestamp", "target_field": "es.timestamp", "ignore_missing": true } },
+ { "rename": { "field": "message2.uid", "target_field": "log.id.uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
+ { "set": { "field": "client.ip", "value": "{{source.ip}}" } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
+ { "set": { "field": "client.port", "value": "{{source.port}}" } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
+ { "set": { "field": "server.ip", "value": "{{destination.ip}}" } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
+ { "set": { "field": "server.port", "value": "{{destination.port}}" } },
+ { "set": { "field": "event.module", "value": "zeek" } },
+ { "grok": { "field": "event_type", "patterns": ["zeek.%{WORD:event.dataset}"] } },
+ { "date": { "field": "message2.ts", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "ignore_failure": true } },
+ { "remove": { "field": ["message2.ts", "path"], "ignore_failure": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.common_ssl b/salt/elasticsearch/files/ingest/zeek.common_ssl
new file mode 100644
index 000000000..c272f8eb4
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.common_ssl
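Review bot: the four `set` processors that copy `{{source.ip}}`, `{{source.port}}`, `{{destination.ip}}` and `{{destination.port}}` into `client.*`/`server.*` run unconditionally, and a mustache reference to a missing field renders as an empty string, so a Zeek record without `id.orig_h` (presumably the `files`, `x509` and `software` logs routed through this pipeline) ends up with `client.ip: ""`, which a template mapping `client.ip` as `ip` will reject at index time. Guarding each one, e.g. `{ "set": { "if": "ctx.source?.ip != null", "field": "client.ip", "value": "{{source.ip}}" } }`, keeps the pipeline from emitting unindexable documents. The `grok` on `event_type` likewise has neither `ignore_missing` nor `ignore_failure`, so any event reaching this pipeline with an `event_type` not of the form `zeek.<word>` fails outright; that may be the intended contract, but it is worth stating in the `description` since the failure surfaces only as a bulk rejection.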
@@ -0,0 +1,58 @@ +{ + "description" : "zeek.common_ssl", + "processors" : [ + { + "kv": { + "field": "certificate_issuer", + "field_split": ",", + "value_split": "=", + "ignore_missing": true, + "ignore_failure": true, + "include_keys": [ "CN", "C", "O", "OU", "ST", "SN", "L", "DC", "GN", "pseudonym", "serialNumber", "title", "initials" ] + } + }, + { "rename":{ "field": "CN", "target_field": "issuer_common_name", "ignore_failure": true } }, + { "rename":{ "field": "C", "target_field": "issuer_country_code", "ignore_failure": true } }, + { "rename":{ "field": "O", "target_field": "issuer_organization", "ignore_failure": true } }, + { "rename":{ "field": "OU", "target_field": "issuer_organization_unit", "ignore_failure": true } }, + { "rename":{ "field": "ST", "target_field": "issuer_state", "ignore_failure": true } }, + { "rename":{ "field": "SN", "target_field": "issuer_surname", "ignore_failure": true } }, + { "rename":{ "field": "L", "target_field": "issuer_locality", "ignore_failure": true } }, + { "rename":{ "field": "DC", "target_field": "issuer_distinguised_name", "ignore_failure": true } }, + { "rename":{ "field": "GN", "target_field": "issuer_given_name", "ignore_failure": true } }, + { "rename":{ "field": "pseudonym", "target_field": "issuer_pseudonym", "ignore_failure": true } }, + { "rename":{ "field": "serialNumber", "target_field": "issuer_serial_number", "ignore_failure": true } }, + { "rename":{ "field": "title", "target_field": "issuer_title", "ignore_failure": true } }, + { "rename":{ "field": "initials", "target_field": "issuer_initials", "ignore_failure": true } }, + { + "kv": { + "field": "certificate_subject", + "field_split": ",", + "value_split": "=", + "ignore_missing": true, + "ignore_failure": true, + "include_keys": [ "CN", "C", "O", "OU", "ST", "SN", "L", "GN", "pseudonym", "serialNumber", "title", "initials" ] + } + }, + { "rename":{ "field": "CN", "target_field": "certificate_common_name", "ignore_failure": true } }, + { "rename":{ 
"field": "C", "target_field": "certificate_country_code", "ignore_failure": true } }, + { "rename":{ "field": "O", "target_field": "certificate_organization", "ignore_failure": true } }, + { "rename":{ "field": "OU", "target_field": "certificate_organization_unit","ignore_failure": true } }, + { "rename":{ "field": "ST", "target_field": "certificate_state", "ignore_failure": true } }, + { "rename":{ "field": "SN", "target_field": "certificate_surname", "ignore_failure": true } }, + { "rename":{ "field": "L", "target_field": "certificate_locality", "ignore_failure": true } }, + { "rename":{ "field": "GN", "target_field": "certificate_given_name", "ignore_failure": true } }, + { "rename":{ "field": "pseudonym", "target_field": "certificate_pseudonym", "ignore_failure": true } }, + { "rename":{ "field": "serialNumber", "target_field": "certificate_serial_number", "ignore_failure": true } }, + { "rename":{ "field": "title", "target_field": "certificate_title", "ignore_failure": true } }, + { "rename":{ "field": "initials", "target_field": "certificate_initials", "ignore_failure": true } }, + { "script":{ "lang": "painless", "source": "ctx.certificate_common_name_length = ctx.certificate_common_name.length()", "ignore_failure": true } }, + { "script":{ "lang": "painless", "source": "ctx.issuer_common_name_length = ctx.issuer_common_name.length()", "ignore_failure": true } }, + { "script":{ "lang": "painless", "source": "ctx.server_name_length = ctx.server_name.length()", "ignore_failure": true } }, + { + "pipeline": { + "name": "zeek.common" + } + } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.conn b/salt/elasticsearch/files/ingest/zeek.conn new file mode 100644 index 000000000..d7878aa0b --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.conn 
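Review bot: `issuer_distinguised_name` is misspelled, and since it is the emitted field name a later correction becomes a breaking rename for saved searches and detection content; `DC` in an X.500 DN is the domainComponent attribute, so `issuer_domain_component` would be both correctly spelled and accurate. The two `include_keys` lists also differ — the issuer list has `DC`, the subject list does not — so a subject DN's domain components are parsed and then left behind as a top-level `DC` key, while the issuer's are renamed; making the lists identical (and adding a matching `certificate_*` rename) keeps the two halves symmetric. Splitting the DN strings with `"field_split": ","` breaks on values containing an escaped or quoted comma (`O=Example\, Inc.` is common in issuer names) and yields truncated organisation values plus stray keys; `ignore_failure` keeps this from failing the pipeline, but the `description` should say these fields are best-effort so nobody treats them as authoritative in rules.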
@@ -0,0 +1,40 @@ +{ + "description" : "zeek.conn", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": false } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, + { "rename": { "field": "message2.service", "target_field": "network.protocol", "ignore_missing": true } }, + { "rename": { "field": "message2.duration", "target_field": "event.duration", "ignore_missing": true } }, + { "rename": { "field": "message2.orig_bytes", "target_field": "client.bytes", "ignore_missing": true } }, + { "rename": { "field": "message2.resp_bytes", "target_field": "server.bytes", "ignore_missing": true } }, + { "rename": { "field": "message2.conn_state", "target_field": "connection.state", "ignore_missing": true } }, + { "rename": { "field": "message2.local_orig", "target_field": "connection.local.originator", "ignore_missing": true } }, + { "rename": { "field": "message2.local_resp", "target_field": "connection.local.responder", "ignore_missing": true } }, + { "rename": { "field": "message2.missed_bytes", "target_field": "connection.bytes.missed", "ignore_missing": true } }, + { "rename": { "field": "message2.history", "target_field": "connection.history", "ignore_missing": true } }, + { "rename": { "field": "message2.orig_pkts", "target_field": "client.packets", "ignore_missing": true } }, + { "rename": { "field": "message2.orig_ip_bytes", "target_field": "client.ip_bytes", "ignore_missing": true } }, + { "rename": { "field": "message2.resp_pkts", "target_field": "server.packets", "ignore_missing": true } }, + { "rename": { "field": "message2.resp_ip_bytes", "target_field": "server.ip_bytes", "ignore_missing": true } }, + { "rename": { "field": "message2.tunnel_parents", "target_field": "connection.tunnel_parents", "ignore_missing": true } }, + { "rename": { "field": "message2.orig_cc", "target_field": 
"client.country_code","ignore_missing": true } }, + { "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } }, + { "rename": { "field": "message2.sensorname", "target_field": "observer.name", "ignore_missing": true } }, + { "script": { "lang": "painless", "source": "ctx.connection.bytes.total = (ctx.client.bytes + ctx.server.bytes)", "ignore_failure": true } }, + { "set": { "if": "ctx.connection.state == 'S0'", "field": "connection.state_description", "value": "Connection attempt seen, no reply" } }, + { "set": { "if": "ctx.connection.state == 'S1'", "field": "connection.state_description", "value": "Connection established, not terminated" } }, + { "set": { "if": "ctx.connection.state == 'S2'", "field": "connection.state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } }, + { "set": { "if": "ctx.connection.state == 'S3'", "field": "connection.state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } }, + { "set": { "if": "ctx.connection.state == 'SF'", "field": "connection.state_description", "value": "Normal SYN/FIN completion" } }, + { "set": { "if": "ctx.connection.state == 'REJ'", "field": "connection.state_description", "value": "Connection attempt rejected" } }, + { "set": { "if": "ctx.connection.state == 'RSTO'", "field": "connection.state_description", "value": "Connection established, originator aborted (sent a RST)" } }, + { "set": { "if": "ctx.connection.state == 'RSTR'", "field": "connection.state_description", "value": "Established, responder aborted" } }, + { "set": { "if": "ctx.connection.state == 'RSTOS0'","field": "connection.state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } }, + { "set": { "if": "ctx.connection.state == 'RSTRH'", "field": "connection.state_description", "value": "Responder sent a SYN 
ACK followed by a RST, we never saw a SYN from the (purported) originator" } },
+ { "set": { "if": "ctx.connection.state == 'SH'", "field": "connection.state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
+ { "set": { "if": "ctx.connection.state == 'SHR'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
+ { "set": { "if": "ctx.connection.state == 'OTH'", "field": "connection.state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.dce_rpc b/salt/elasticsearch/files/ingest/zeek.dce_rpc
new file mode 100644
index 000000000..50c9ff459
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.dce_rpc
@@ -0,0 +1,12 @@
+{
+ "description" : "zeek.dce_rpc",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.rtt", "target_field": "event.duration", "ignore_missing": true } },
+ { "rename": { "field": "message2.named_pipe", "target_field": "named_pipe", "ignore_missing": true } },
+ { "rename": { "field": "message2.endpoint", "target_field": "endpoint", "ignore_missing": true } },
+ { "rename": { "field": "message2.operation", "target_field": "operation", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.dhcp b/salt/elasticsearch/files/ingest/zeek.dhcp
new file mode 100644
index 000000000..3005016ef
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.dhcp
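Review bot: `{ "remove": { "field": ["host"], "ignore_failure": false } }` at the top of zeek.conn is the only zeek.* pipeline in this series with a hard failure on that step — zeek.dce_rpc, zeek.dhcp and zeek.dnp3 all use `"ignore_failure": true` — so a conn record arriving without a `host` field fails the whole pipeline instead of being indexed; unless the strictness is deliberate for the highest-volume log, `"ignore_missing": true` (as the ossec pipeline does) or matching the siblings is safer. Separately, `message2.duration` → `event.duration` here, `message2.rtt` → `event.duration` in zeek.dce_rpc and `message2.duration` → `event.duration` in zeek.dhcp copy Zeek interval values, which are fractional seconds, into a field ECS defines in nanoseconds; if the so-zeek template maps it as `long`, sub-second durations truncate to 0, and if it does not, the value is mis-scaled for any ECS-aware tooling. A `script` converting to nanoseconds, or a non-ECS name such as `connection.duration`, removes the ambiguity. The zeek.conn hunk begins on an earlier line than this one.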
@@ -0,0 +1,21 @@ +{ + "description" : "zeek.dhcp", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.uids", "target_field": "log.id.uids", "ignore_missing": true } }, + { "rename": { "field": "message2.mac", "target_field": "host.mac", "ignore_missing": true } }, + { "rename": { "field": "message2.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } }, + { "rename": { "field": "message2.lease_time", "target_field": "dhcp.lease_time", "ignore_missing": true } }, + { "rename": { "field": "message2.trans_id", "target_field": "dhcp.transaction_id", "ignore_missing": true } }, + { "rename": { "field": "message2.assigned_addr", "target_field": "dhcp.assigned_ip", "ignore_missing": true } }, + { "rename": { "field": "message2.client_addr", "target_field": "client.address", "ignore_missing": true } }, + { "rename": { "field": "message2.server_addr", "target_field": "server.address", "ignore_missing": true } }, + { "rename": { "field": "message2.requested_addr", "target_field": "dhcp.requested_address", "ignore_missing": true } }, + { "rename": { "field": "message2.domain", "target_field": "host.domain", "ignore_missing": true } }, + { "rename": { "field": "message2.host_name", "target_field": "host.hostname", "ignore_missing": true } }, + { "rename": { "field": "message2.duration", "target_field": "event.duration", "ignore_missing": true } }, + { "rename": { "field": "message2.msg_types", "target_field": "message_types", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.dnp3 b/salt/elasticsearch/files/ingest/zeek.dnp3 new file mode 100644 index 000000000..53186bdb6 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.dnp3 
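Review bot: Both `message2.assigned_ip` and `message2.assigned_addr` are renamed to `dhcp.assigned_ip`, and neither rename has `ignore_failure`, so a record that carries both keys fails on the second rename and the whole document is dropped by the pipeline — `ignore_missing` only covers an absent source field, not an already-present target. Add `"ignore_failure": true` to the second of the two, or keep only the spelling the deployed Zeek version emits. Also, `host.mac`, `host.domain` and `host.hostname` are the ECS fields for the host that produced the event, yet they are filled here from the DHCP client's attributes right after the pipeline strips `host` in its first processor; zeek.ntlm (`host.name`, `host.domain`) and zeek.radius (`host.mac`) do the same, and a `client.*` or protocol prefix would keep the observer and the observed endpoint distinct.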
@@ -0,0 +1,11 @@
+{
+ "description" : "zeek.dnp3",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.fc_request", "target_field": "fc_request", "ignore_missing": true } },
+ { "rename": { "field": "message2.fc_reply", "target_field": "fc_reply", "ignore_missing": true } },
+ { "rename": { "field": "message2.iin", "target_field": "iin", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.dns b/salt/elasticsearch/files/ingest/zeek.dns
new file mode 100644
index 000000000..ecbb9f1e8
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.dns
@@ -0,0 +1,28 @@ +{ + "description" : "zeek.dns", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, + { "rename": { "field": "message2.trans_id", "target_field": "dns.id", "ignore_missing": true } }, + { "rename": { "field": "message2.rtt", "target_field": "event.duration", "ignore_missing": true } }, + { "rename": { "field": "message2.query", "target_field": "dns.query.name", "ignore_missing": true } }, + { "rename": { "field": "message2.qclass", "target_field": "dns.query.class", "ignore_missing": true } }, + { "rename": { "field": "message2.qclass_name", "target_field": "dns.query.class_name", "ignore_missing": true } }, + { "rename": { "field": "message2.qtype", "target_field": "dns.query.type", "ignore_missing": true } }, + { "rename": { "field": "message2.qtype_name", "target_field": "dns.query.type_name", "ignore_missing": true } }, + { "rename": { "field": "message2.rcode", "target_field": "dns.response.code", "ignore_missing": true } }, + { "rename": { "field": "message2.rcode_name", "target_field": "dns.response.code_name", "ignore_missing": true } }, + { "rename": { "field": "message2.AA", "target_field": "dns.authoritative", "ignore_missing": true } }, + { "rename": { "field": "message2.TC", "target_field": "dns.truncated", "ignore_missing": true } }, + { "rename": { "field": "message2.RD", "target_field": "dns.recursion.desired", "ignore_missing": true } }, + { "rename": { "field": "message2.RA", "target_field": "dns.recursion.available", "ignore_missing": true } }, + { "rename": { "field": "message2.Z", "target_field": "dns.reserved", "ignore_missing": true } }, + { "rename": { "field": "message2.answers", "target_field": 
"dns.answers", "ignore_missing": true } }, + { "rename": { "field": "message2.TTLs", "target_field": "dns.ttls", "ignore_missing": true } }, + { "rename": { "field": "message2.rejected", "target_field": "dns.query.rejected", "ignore_missing": true } }, + { "script": { "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()", "ignore_failure": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.dpd b/salt/elasticsearch/files/ingest/zeek.dpd new file mode 100644 index 000000000..ce46cdc47 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.dpd 
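Review bot: The `dot_expander` for `id.orig_h` has no matching rename in this pipeline, unlike zeek.dpd where each expanded `id.*` key is renamed immediately after; presumably zeek.common handles the conn tuple, in which case this expander is redundant, and if it does not, the expanded field is left unmapped. Also `message2.answers` is renamed to `dns.answers`, which in ECS is an array of objects (`dns.answers.data`, `dns.answers.type`, …) whereas Zeek emits an array of strings; if the index template follows ECS this produces a mapping conflict, so a name such as `dns.answers_data` or a Zeek-specific field is safer.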
@@ -0,0 +1,20 @@ +{ + "description" : "zeek.dpd", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } }, + { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } }, + { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } }, + { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } }, + { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } }, + { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } }, + { "rename": { "field": "message2.analyzer", "target_field": "analyzer", "ignore_missing": true } }, + { "rename": { "field": "message2.failure_reason", "target_field": "failure_reason", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.files b/salt/elasticsearch/files/ingest/zeek.files new file mode 100644 index 000000000..546b0e128 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.files 
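Review bot: `message2.proto` is renamed to `network.protocol` here (and in zeek.notice) but to `network.transport` in zeek.dns; Zeek's `proto` column is the transport-layer protocol (tcp/udp/icmp), which is what ECS `network.transport` holds, while `network.protocol` is meant for the application-layer protocol. Using `"target_field": "network.transport"` in all three keeps the pipelines queryable with one filter, and if anything the `analyzer` value is the candidate for `network.protocol`.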
@@ -0,0 +1,34 @@ +{ + "description" : "zeek.files", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } }, + { "rename": { "field": "message2.rx_hosts", "target_field": "file.receive_ip", "ignore_missing": true } }, + { "rename": { "field": "message2.tx_hosts", "target_field": "file.transmit_ip", "ignore_missing": true } }, + { "set": { "field": "server.ip", "value": "{{source.ip}}", "ignore_failure": true } }, + { "set": { "field": "client.ip", "value": "{{destination.ip}}", "ignore_failure": true } }, + { "rename": { "field": "message2.conn_uids", "target_field": "log.id.uids", "ignore_missing": true } }, + { "remove": { "field": "source", "ignore_missing": true } }, + { "rename": { "field": "message2.source", "target_field": "file.source", "ignore_missing": true } }, + { "rename": { "field": "message2.depth", "target_field": "file.depth", "ignore_missing": true } }, + { "rename": { "field": "message2.analyzers", "target_field": "file.analyzer", "ignore_missing": true } }, + { "rename": { "field": "message2.mime_type", "target_field": "file.mime_type", "ignore_missing": true } }, + { "rename": { "field": "message2.filename", "target_field": "file.name", "ignore_missing": true } }, + { "rename": { "field": "message2.duration", "target_field": "event.duration", "ignore_missing": true } }, + { "rename": { "field": "message2.local_orig", "target_field": "file.local_orig", "ignore_missing": true } }, + { "rename": { "field": "message2.is_orig", "target_field": "file.is_orig", "ignore_missing": true } }, + { "rename": { "field": "message2.seen_bytes", "target_field": "file.bytes.seen", "ignore_missing": true } }, + { "rename": { "field": "message2.total_bytes", "target_field": "file.bytes.total", "ignore_missing": true } }, + { "rename": { "field": 
"message2.missing_bytes", "target_field": "file.bytes.missing", "ignore_missing": true } }, + { "rename": { "field": "message2.overflow_bytes", "target_field": "file.bytes.overflow", "ignore_missing": true } }, + { "rename": { "field": "message2.timedout", "target_field": "file.timed_out", "ignore_missing": true } }, + { "rename": { "field": "message2.parent_fuid", "target_field": "log.id.parent_fuid", "ignore_missing": true } }, + { "rename": { "field": "message2.md5", "target_field": "hash.md5", "ignore_missing": true } }, + { "rename": { "field": "message2.sha1", "target_field": "hash.sha1", "ignore_missing": true } }, + { "rename": { "field": "message2.extracted", "target_field": "file.extracted.filename", "ignore_missing": true } }, + { "rename": { "field": "message2.extracted_cutoff", "target_field": "file.extracted.cutoff", "ignore_missing": true } }, + { "rename": { "field": "message2.extracted_size", "target_field": "file.extracted.size", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.ftp b/salt/elasticsearch/files/ingest/zeek.ftp new file mode 100644 index 000000000..55f6b4029 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.ftp 
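Review bot: The two `set` processors copy `{{source.ip}}` and `{{destination.ip}}` into `server.ip` and `client.ip` before the `zeek.common` pipeline runs, and nothing visible in this pipeline populates `source.ip` or `destination.ip`; if those fields are absent at that point the template will, as far as I can tell, render as an empty string, which an `ip`-mapped `server.ip` rejects at index time — and `ignore_failure` on the `set` does not catch that later mapping error. A `"if": "ctx.source?.ip != null"` guard on each `set` (or moving the copies after the `pipeline` call) avoids emitting empty strings. Note also that `tx_hosts`/`rx_hosts` are sets of addresses in Zeek, so `file.transmit_ip`/`file.receive_ip` arrive as arrays, and the later `remove` of `source` discards the whole ECS `source` object, presumably to make room for Zeek's string `source` column; a one-line comment in the description would spare the next reader the guess.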
@@ -0,0 +1,25 @@ +{ + "description" : "zeek.http", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.user", "target_field": "ftp.user", "ignore_missing": true } }, + { "rename": { "field": "message2.password", "target_field": "ftp.password", "ignore_missing": true } }, + { "rename": { "field": "message2.command", "target_field": "ftp.command", "ignore_missing": true } }, + { "rename": { "field": "message2.arg", "target_field": "ftp.argument", "ignore_missing": true } }, + { "rename": { "field": "message2.mime_type", "target_field": "file.mimetype", "ignore_missing": true } }, + { "rename": { "field": "message2.file_size", "target_field": "file.size", "ignore_missing": true } }, + { "rename": { "field": "message2.reply_code", "target_field": "server.reply_code", "ignore_missing": true } }, + { "rename": { "field": "message2.reply_msg", "target_field": "server.reply_message", "ignore_missing": true } }, + { "dot_expander": { "field": "data_channel.passive", "path": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.data_channel.passive","target_field": "ftp.data_channel_passive", "ignore_missing": true } }, + { "dot_expander": { "field": "data_channel.orig_h", "path": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.data_channel.orig_h","target_field": "ftp.data_channel_source.ip", "ignore_missing": true } }, + { "dot_expander": { "field": "data_channel.resp_h", "path": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.data_channel.resp_h","target_field": "ftp.data_channel_destination.ip", "ignore_missing": true } }, + { "dot_expander": { "field": "data_channel.resp_p", "path": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.data_channel.resp_p","target_field": "ftp.data_channel_destination.port", 
"ignore_missing": true } }, + { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.http b/salt/elasticsearch/files/ingest/zeek.http new file mode 100644 index 000000000..1ac3ae42b --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.http 
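Review bot: The description on the second line is copy-pasted from the HTTP pipeline and still reads `"zeek.http"`; it should be `"description" : "zeek.ftp",`, otherwise the pipeline listing in the ingest API is misleading when troubleshooting. Further, `message2.mime_type` goes to `file.mimetype` here (and `file_mime_type`/`mime` in zeek.intel and zeek.notice) while zeek.files and zeek.irc use `file.mime_type`, so one spelling should be chosen for a single query to cover all log types, and `message2.fuid` lands as a bare `fuid` rather than the `log.id.fuid` used by the other pipelines. Lastly, `ftp.password` (like `http.password` in the next hunk) indexes the cleartext credential Zeek captured; if that is intended, the field should be flagged as sensitive so access to the index is scoped accordingly.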
@@ -0,0 +1,34 @@ +{ + "description" : "zeek.http", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.trans_depth", "target_field": "http.trans_depth", "ignore_missing": true } }, + { "rename": { "field": "message2.method", "target_field": "http.method", "ignore_missing": true } }, + { "rename": { "field": "message2.host", "target_field": "http.virtual_host", "ignore_missing": true } }, + { "rename": { "field": "message2.uri", "target_field": "http.uri", "ignore_missing": true } }, + { "rename": { "field": "message2.referrer", "target_field": "http.referrer", "ignore_missing": true } }, + { "rename": { "field": "message2.version", "target_field": "http.version", "ignore_missing": true } }, + { "rename": { "field": "message2.user_agent", "target_field": "http.useragent", "ignore_missing": true } }, + { "rename": { "field": "message2.request_body_len", "target_field": "http.request.body.length", "ignore_missing": true } }, + { "rename": { "field": "message2.response_body_len","target_field": "http.response.body.length", "ignore_missing": true } }, + { "rename": { "field": "message2.status_code", "target_field": "http.status_code", "ignore_missing": true } }, + { "rename": { "field": "message2.status_msg", "target_field": "http.status_message", "ignore_missing": true } }, + { "rename": { "field": "message2.info_code", "target_field": "http.info_code", "ignore_missing": true } }, + { "rename": { "field": "message2.info_msg", "target_field": "http.info_message", "ignore_missing": true } }, + { "remove": { "field": "message2.tags", "ignore_failure": true } }, + { "rename": { "field": "message2.username", "target_field": "http.user", "ignore_missing": true } }, + { "rename": { "field": "message2.password", "target_field": "http.password", "ignore_missing": true } }, + { "rename": { "field": "message2.proxied", 
"target_field": "http.proxied", "ignore_missing": true } }, + { "rename": { "field": "message2.orig_fuids", "target_field": "log.id.orig_fuids", "ignore_missing": true } }, + { "rename": { "field": "message2.orig_filenames", "target_field": "file.orig_filenames", "ignore_missing": true } }, + { "rename": { "field": "message2.orig_mime_types", "target_field": "file.orig_mime_types", "ignore_missing": true } }, + { "rename": { "field": "message2.resp_fuids", "target_field": "log.id.resp_fuids", "ignore_missing": true } }, + { "rename": { "field": "message2.resp_filenames", "target_field": "file.resp_filenames", "ignore_missing": true } }, + { "rename": { "field": "message2.resp_mime_types", "target_field": "file.resp_mime_types", "ignore_missing": true } }, + { "script": { "lang": "painless", "source": "ctx.uri_length = ctx.uri.length()", "ignore_failure": true } }, + { "script": { "lang": "painless", "source": "ctx.useragent_length = ctx.useragent.length()", "ignore_failure": true } }, + { "script": { "lang": "painless", "source": "ctx.virtual_host_length = ctx.virtual_host.length()", "ignore_failure": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.intel b/salt/elasticsearch/files/ingest/zeek.intel new file mode 100644 index 000000000..1f6e7829e --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.intel 
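Review bot: The three length scripts read `ctx.uri`, `ctx.useragent` and `ctx.virtual_host`, but those values were renamed to `http.uri`, `http.useragent` and `http.virtual_host` earlier in the same pipeline, so each script throws on a null value that `ignore_failure` swallows and the `*_length` fields are never set. They should read `"source": "ctx.http.uri_length = ctx.http.uri.length()"`, `"source": "ctx.http.useragent_length = ctx.http.useragent.length()"` and `"source": "ctx.http.virtual_host_length = ctx.http.virtual_host.length()"`, ideally guarded with `"if": "ctx.http?.uri != null"` and the equivalents rather than relying on `ignore_failure`.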
@@ -0,0 +1,20 @@ +{ + "description" : "zeek.intel", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.seen.indicator", "target_field": "intel.indicator", "ignore_missing": true } }, + { "dot_expander": { "field": "seen.indicator_type", "path": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.seen.indicator_type", "target_field": "intel.indicator_type", "ignore_missing": true } }, + { "dot_expander": { "field": "seen.where", "path": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.seen.where", "target_field": "intel.seen_where", "ignore_missing": true } }, + { "dot_expander": { "field": "seen.node", "path": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.seen.node", "target_field": "intel.seen_node", "ignore_missing": true } }, + { "rename": { "field": "message2.matched", "target_field": "intel.matched", "ignore_missing": true } }, + { "rename": { "field": "message2.sources", "target_field": "intel.sources", "ignore_missing": true } }, + { "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } }, + { "rename": { "field": "message2.file_mime_type", "target_field": "file.mimetype", "ignore_missing": true } }, + { "rename": { "field": "message2.file_desc", "target_field": "file.description", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.irc b/salt/elasticsearch/files/ingest/zeek.irc new file mode 100644 index 000000000..3d40d7f80 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.irc 
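Review bot: `message2.seen.indicator` is renamed without a preceding `dot_expander`, while `seen.indicator_type`, `seen.where` and `seen.node` each get one first; if the JSON processor yields the flat key `seen.indicator` (as it evidently does for the other three, or their expanders would be pointless), this rename never matches and `intel.indicator` — the most important field of this log — is silently left empty under `ignore_missing`. Add `{ "dot_expander": { "field": "seen.indicator", "path": "message2", "ignore_failure": true } },` before that rename.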
@@ -0,0 +1,17 @@
+{
+ "description" : "zeek.irc",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.nick", "target_field": "irc.nickname", "ignore_missing": true } },
+ { "rename": { "field": "message2.user", "target_field": "irc.username", "ignore_missing": true } },
+ { "rename": { "field": "message2.command", "target_field": "irc.command.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.value", "target_field": "irc.command.value", "ignore_missing": true } },
+ { "rename": { "field": "message2.addl", "target_field": "irc.command.info", "ignore_missing": true } },
+ { "rename": { "field": "message2.dcc_file_name", "target_field": "file.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.dcc_file_size", "target_field": "file.size", "ignore_missing": true } },
+ { "rename": { "field": "message2.dcc_mime_type", "target_field": "file.mime_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.kerberos b/salt/elasticsearch/files/ingest/zeek.kerberos
new file mode 100644
index 000000000..33381cd2d
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.kerberos
@@ -0,0 +1,22 @@
+{
+ "description" : "zeek.kerberos",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.request_type", "target_field": "kerberos.request_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.client", "target_field": "kerberos.client", "ignore_missing": true } },
+ { "rename": { "field": "message2.service", "target_field": "kerberos.service", "ignore_missing": true } },
+ { "rename": { "field": "message2.success", "target_field": "kerberos.success", "ignore_missing": true } },
+ { "rename": { "field": "message2.error_msg", "target_field": "kerberos.error_message", "ignore_missing": true } },
+ { "rename": { "field": "message2.from", "target_field": "kerberos.ticket.valid.from", "ignore_missing": true } },
+ { "rename": { "field": "message2.till", "target_field": "kerberos.ticket.valid.until", "ignore_missing": true } },
+ { "rename": { "field": "message2.cipher", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } },
+ { "rename": { "field": "message2.forwardable", "target_field": "kerberos.ticket.forwardable", "ignore_missing": true } },
+ { "rename": { "field": "message2.renewable", "target_field": "kerberos.ticket.renewable", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_cert_subject", "target_field": "kerberos.client.certificate.subject", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_cert_fuid", "target_field": "log.id.client_certificate_fuid", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_cert_subject", "target_field": "kerberos.server.certificate.subject", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_cert_fuid", "target_field": "log.id.server_certificate_fuid", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
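Review bot: `message2.client` becomes the string field `kerberos.client`, and a few processors later `message2.client_cert_subject` is renamed to `kerberos.client.certificate.subject`; when both are present the second rename cannot create an object beneath a string value, the rename carries no `ignore_failure`, and the document is rejected. A sibling name such as `"target_field": "kerberos.client_certificate.subject"` (and `kerberos.server_certificate.subject` for symmetry) keeps `kerberos.client` a scalar and avoids the same object-versus-keyword conflict in the index mapping.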
diff --git a/salt/elasticsearch/files/ingest/zeek.modbus b/salt/elasticsearch/files/ingest/zeek.modbus
new file mode 100644
index 000000000..a9dd91430
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.modbus
@@ -0,0 +1,10 @@
+{
+ "description" : "zeek.modbus",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
+ { "rename": { "field": "message2.exception", "target_field": "modbus.exception", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.mysql b/salt/elasticsearch/files/ingest/zeek.mysql
new file mode 100644
index 000000000..e950d5f64
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.mysql
@@ -0,0 +1,13 @@
+{
+ "description" : "zeek.mysql",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.cmd", "target_field": "mysql.command", "ignore_missing": true } },
+ { "rename": { "field": "message2.arg", "target_field": "mysql.argument", "ignore_missing": true } },
+ { "rename": { "field": "message2.success", "target_field": "mysql.success", "ignore_missing": true } },
+ { "rename": { "field": "message2.rows", "target_field": "mysql.rows", "ignore_missing": true } },
+ { "rename": { "field": "message2.response", "target_field": "mysql.response", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.notice b/salt/elasticsearch/files/ingest/zeek.notice
new file mode 100644
index 000000000..24146bf5d
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.notice
@@ -0,0 +1,26 @@ +{ + "description" : "zeek.notice", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } }, + { "rename": { "field": "message2.mime", "target_field": "file.mimetype", "ignore_missing": true } }, + { "rename": { "field": "message2.desc", "target_field": "file.description", "ignore_missing": true } }, + { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } }, + { "rename": { "field": "message2.note", "target_field": "note", "ignore_missing": true } }, + { "rename": { "field": "message2.msg", "target_field": "msg", "ignore_missing": true } }, + { "rename": { "field": "message2.sub", "target_field": "sub_msg", "ignore_missing": true } }, + { "rename": { "field": "message2.p", "target_field": "p", "ignore_missing": true } }, + { "rename": { "field": "message2.n", "target_field": "n", "ignore_missing": true } }, + { "rename": { "field": "message2.peer_descr", "target_field": "peer_description", "ignore_missing": true } }, + { "rename": { "field": "message2.actions", "target_field": "action", "ignore_missing": true } }, + { "rename": { "field": "message2.suppress_for", "target_field": "suppress_for", "ignore_missing": true } }, + { "rename": { "field": "message2.dropped", "target_field": "dropped", "ignore_missing": true } }, + { "rename": { "field": "message2.destination_country_code", "target_field": "destination_country_code", "ignore_missing": true } }, + { "rename": { "field": "message2.destination_region", "target_field": "destination_region", "ignore_missing": true } }, + { "rename": { "field": "message2.destination_city", "target_field": "destination_city", "ignore_missing": true } }, + { "rename": { "field": "message2.destination_latitude", "target_field": "destination_latitude", 
"ignore_missing": true } }, + { "rename": { "field": "message2.destination_longitude", "target_field": "destination_longitude", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.ntlm b/salt/elasticsearch/files/ingest/zeek.ntlm new file mode 100644 index 000000000..c8f2e37c0 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.ntlm @@ -0,0 +1,16 @@ +{ + "description" : "zeek.ntlm", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.hostname", "target_field": "host.name", "ignore_missing": true } }, + { "rename": { "field": "message2.domainname", "target_field": "host.domain", "ignore_missing": true } }, + { "rename": { "field": "message2.success", "target_field": "ntlm.success", "ignore_missing": true } }, + { "rename": { "field": "message2.status", "target_field": "ntlm.status", "ignore_missing": true } }, + { "rename": { "field": "message2.username", "target_field": "user.name", "ignore_missing": true } }, + { "rename": { "field": "message2.server_dns_computer_name", "target_field": "ntlm.server.dns.name", "ignore_missing": true } }, + { "rename": { "field": "message2.server_nb_computer_name", "target_field": "ntlm.server.nb.name", "ignore_missing": true } }, + { "rename": { "field": "message2.server_tree_name", "target_field": "ntlm.server.tree.name", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.pe b/salt/elasticsearch/files/ingest/zeek.pe new file mode 100644 index 000000000..84f833742 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.pe 
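Review bot: `message2.actions` is a set in Zeek's notice log but is renamed to the singular `action`, which misleads readers into treating it as a scalar; `notice.actions` (plural, namespaced) would match both the data and the other pipelines. The geo columns become `destination_country_code`, `destination_region`, `destination_latitude` and so on rather than the ECS `destination.geo.country_iso_code` / `destination.geo.region_name` / `destination.geo.location` that ECS-style GeoIP enrichment elsewhere would produce, so notice events will not line up with conn events in a map visualisation or a shared filter. If the ECS shape is the goal, latitude and longitude have to be combined into one `geo_point` value rather than renamed separately.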
@@ -0,0 +1,24 @@ +{ + "description" : "zeek.pe", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.id", "target_field": "log.id.fuid", "ignore_missing": true } }, + { "rename": { "field": "message2.machine", "target_field": "file.machine", "ignore_missing": true } }, + { "rename": { "field": "message2.compile_ts", "target_field": "file.compile_timestamp", "ignore_missing": true } }, + { "rename": { "field": "message2.os", "target_field": "file.os", "ignore_missing": true } }, + { "rename": { "field": "message2.subsystem", "target_field": "file.subsystem", "ignore_missing": true } }, + { "rename": { "field": "message2.is_exe", "target_field": "file.is_exe", "ignore_missing": true } }, + { "rename": { "field": "message2.is_64bit", "target_field": "file.is_64bit", "ignore_missing": true } }, + { "rename": { "field": "message2.uses_aslr", "target_field": "file.aslr", "ignore_missing": true } }, + { "rename": { "field": "message2.uses_dep", "target_field": "file.dep", "ignore_missing": true } }, + { "rename": { "field": "message2.uses_code_integrity","target_field": "file.code_integrity","ignore_missing": true } }, + { "rename": { "field": "message2.uses_seh", "target_field": "file.seh", "ignore_missing": true } }, + { "rename": { "field": "message2.has_import_table", "target_field": "file.table.import", "ignore_missing": true } }, + { "rename": { "field": "message2.has_export_table", "target_field": "file.table.export", "ignore_missing": true } }, + { "rename": { "field": "message2.has_cert_table", "target_field": "file.table.cert", "ignore_missing": true } }, + { "rename": { "field": "message2.has_debug_data", "target_field": "file.debug_data", "ignore_missing": true } }, + { "rename": { "field": "message2.section_names", "target_field": "file.section_names", "ignore_missing": true } }, + { "pipeline": { "name": 
"zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.radius b/salt/elasticsearch/files/ingest/zeek.radius new file mode 100644 index 000000000..c74330690 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.radius @@ -0,0 +1,16 @@ +{ + "description" : "zeek.radius", + "processors" : [ + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.username", "target_field": "user.name", "ignore_missing": true } }, + { "rename": { "field": "message2.mac", "target_field": "host.mac", "ignore_missing": true } }, + { "rename": { "field": "message2.framed_addr", "target_field": "framed_addr", "ignore_missing": true } }, + { "rename": { "field": "message2.remote_ip", "target_field": "destination.ip", "ignore_missing": true } }, + { "rename": { "field": "message2.connect_info", "target_field": "radius.connect_info", "ignore_missing": true } }, + { "rename": { "field": "message2.reply_msg", "target_field": "radius.reply_message", "ignore_missing": true } }, + { "rename": { "field": "message2.result", "target_field": "radius.result", "ignore_missing": true } }, + { "rename": { "field": "message2.logged", "target_field": "radius.logged", "ignore_missing": true } }, + { "pipeline": { "name": "zeek.common" } } + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.rdp b/salt/elasticsearch/files/ingest/zeek.rdp new file mode 100644 index 000000000..ce792f32a --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.rdp 
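Review bot: `message2.remote_ip` is renamed to `destination.ip`, the ECS field the connection tuple's `id.resp_h` would normally occupy; if `zeek.common` sets `destination.ip` after this pipeline runs, its rename either fails on the already-present target or, with `ignore_failure`, silently keeps the RADIUS remote address, and the conn-level destination is lost either way. `"target_field": "radius.remote_ip"` keeps the two values distinct and searchable on their own.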
@@ -0,0 +1,23 @@
+{
+ "description" : "zeek.rdp",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.cookie", "target_field": "rdp.cookie", "ignore_missing": true } },
+ { "rename": { "field": "message2.result", "target_field": "rdp.result", "ignore_missing": true } },
+ { "rename": { "field": "message2.security_protocol","target_field": "rdp.security_protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.keyboard_layout", "target_field": "rdp.keyboard_layout", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_build", "target_field": "rdp.client_build", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_name", "target_field": "client.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_dig_product_id", "target_field": "client.id.product", "ignore_missing": true } },
+ { "rename": { "field": "message2.desktop_width", "target_field": "rdp.desktop.width", "ignore_missing": true } },
+ { "rename": { "field": "message2.desktop_height", "target_field": "rdp.desktop.height", "ignore_missing": true } },
+ { "rename": { "field": "message2.requested_color_depth", "target_field": "rdp.requested_color_depth", "ignore_missing": true } },
+ { "rename": { "field": "message2.cert_type", "target_field": "rdp.certificate_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.cert_count", "target_field": "rdp.certificate_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.cert_permanent", "target_field": "rdp.certificate_permanent","ignore_missing": true } },
+ { "rename": { "field": "message2.encryption_level", "target_field": "rdp.encryption_level", "ignore_missing": true } },
+ { "rename": { "field": "message2.encryption_method","target_field": "rdp.encryption_method", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.rfb b/salt/elasticsearch/files/ingest/zeek.rfb
new file mode 100644
index 000000000..86c0a816c
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.rfb
@@ -0,0 +1,18 @@
+{
+ "description" : "zeek.rfb",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.client_major_version", "target_field": "rfb.client_major_version", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_minor_version", "target_field": "rfb.client_minor_version", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_major_version", "target_field": "rfb.server_major_version", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_minor_version", "target_field": "rfb.server_minor_version", "ignore_missing": true } },
+ { "rename": { "field": "message2.authentication_method", "target_field": "rfb.authentication.method","ignore_missing": true } },
+ { "rename": { "field": "message2.auth", "target_field": "rfb.authenticaiton.success", "ignore_missing": true } },
+ { "rename": { "field": "message2.share_flag", "target_field": "rfb.share_flag", "ignore_missing": true } },
+ { "rename": { "field": "message2.desktop_name", "target_field": "rfb.desktop.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.width", "target_field": "rfb.desktop.width", "ignore_missing": true } },
+ { "rename": { "field": "message2.height", "target_field": "rfb.desktop.height", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.signatures b/salt/elasticsearch/files/ingest/zeek.signatures
new file mode 100644
index 000000000..2a5f23ec7
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.signatures
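Review bot: In the zeek.rfb hunk, the target of the `message2.auth` rename is misspelled as `rfb.authenticaiton.success`, so the authentication outcome is indexed under a different parent than `rfb.authentication.method` and any query or visualization on `rfb.authentication.*` will miss it. Change that line to `"target_field": "rfb.authentication.success"`. The zeek.rdp hunk on the preceding line is consistent and needs no change.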
@@ -0,0 +1,14 @@
+{
+ "description" : "zeek.signatures",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.note", "target_field": "note", "ignore_missing": true } },
+ { "rename": { "field": "message2.sig_id", "target_field": "signature_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.event_msg", "target_field": "event_message", "ignore_missing": true } },
+ { "rename": { "field": "message2.sub_msg", "target_field": "sub_message", "ignore_missing": true } },
+ { "rename": { "field": "message2.sig_count", "target_field": "signature_count", "ignore_missing": true } },
+ { "rename": { "field": "message2.host_count", "target_field": "host.count", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.sip b/salt/elasticsearch/files/ingest/zeek.sip
new file mode 100644
index 000000000..5a8627878
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.sip
@@ -0,0 +1,29 @@
+{
+ "description" : "zeek.sip",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.trans_depth", "target_field": "sip.transaction.depth", "ignore_missing": true } },
+ { "rename": { "field": "message2.method", "target_field": "sip.method", "ignore_missing": true } },
+ { "rename": { "field": "message2.uri", "target_field": "sip.uri", "ignore_missing": true } },
+ { "rename": { "field": "message2.date", "target_field": "sip.date", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_from", "target_field": "sip.request.from", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_to", "target_field": "sip.request.to", "ignore_missing": true } },
+ { "rename": { "field": "message2.response_from", "target_field": "sip.response.from", "ignore_missing": true } },
+ { "rename": { "field": "message2.response_to", "target_field": "sip.response.to", "ignore_missing": true } },
+ { "rename": { "field": "message2.reply_to", "target_field": "sip.reply_to", "ignore_missing": true } },
+ { "rename": { "field": "message2.call_id", "target_field": "sip.call_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.seq", "target_field": "sip.seq", "ignore_missing": true } },
+ { "rename": { "field": "message2.subject", "target_field": "sip.subject", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_path", "target_field": "sip.request.path", "ignore_missing": true } },
+ { "rename": { "field": "message2.response_path", "target_field": "sip.response.path", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_agent", "target_field": "client.user_agent", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_code", "target_field": "server.status_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.status_msg", "target_field": "server.status_message", "ignore_missing": true } },
+ { "rename": { "field": "message2.warning", "target_field": "sip.warning", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_body_len", "target_field": "sip.request.body.length", "ignore_missing": true } },
+ { "rename": { "field": "message2.response_body_len","target_field": "sip.response.body.length", "ignore_missing": true } },
+ { "rename": { "field": "message2.content_type", "target_field": "sip.content_type", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.smb_files b/salt/elasticsearch/files/ingest/zeek.smb_files
new file mode 100644
index 000000000..da78953fe
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.smb_files
@@ -0,0 +1,23 @@
+{
+ "description" : "zeek.smb_files",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
+ { "rename": { "field": "message2.action", "target_field": "file.action", "ignore_missing": true } },
+ { "remove": { "field": "path", "ignore_failure": true } },
+ { "rename": { "field": "message2.path", "target_field": "file.path", "ignore_missing": true } },
+ { "rename": { "field": "message2.name", "target_field": "file.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.size", "target_field": "file.size", "ignore_missing": true } },
+ { "rename": { "field": "message2.prev_name", "target_field": "file.previous_name", "ignore_missing": true } },
+ { "dot_expander": { "field": "times.modified", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.times.modified", "target_field": "file.times_modified", "ignore_missing": true } },
+ { "dot_expander": { "field": "times.accessed", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.times.accessed", "target_field": "file.times_accessed", "ignore_missing": true } },
+ { "dot_expander": { "field": "times.created", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.times.created", "target_field": "file.times_created", "ignore_missing": true } },
+ { "dot_expander": { "field": "times.changed", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.times.changed", "target_field": "file.times_changed", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.smb_mapping b/salt/elasticsearch/files/ingest/zeek.smb_mapping
new file mode 100644
index 000000000..0242ab8f8
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.smb_mapping
@@ -0,0 +1,12 @@
+{
+ "description" : "zeek.smb_files",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.path", "target_field": "smb.path", "ignore_missing": true } },
+ { "rename": { "field": "message2.service", "target_field": "smb.service", "ignore_missing": true } },
+ { "rename": { "field": "message2.native_file_system", "target_field": "smb.file_system", "ignore_missing": true } },
+ { "rename": { "field": "message2.share_type", "target_field": "smb.share_type", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.smtp b/salt/elasticsearch/files/ingest/zeek.smtp
new file mode 100644
index 000000000..473b4cce5
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.smtp
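Review bot: The `description` of the new zeek.smb_mapping pipeline reads `zeek.smb_files`, which looks copied from the previous file and makes the two pipelines indistinguishable when listed through the ingest API. Change the second line of the hunk to `"description" : "zeek.smb_mapping",`. Every other pipeline in this series uses its own name as the description, so this is the odd one out.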
@@ -0,0 +1,30 @@
+{
+ "description" : "zeek.smtp",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "remove": { "field": "path", "ignore_failure": true } },
+ { "rename": { "field": "message2.trans_depth", "target_field": "smtp.transaction_depth", "ignore_missing": true } },
+ { "rename": { "field": "message2.helo", "target_field": "smtp.helo", "ignore_missing": true } },
+ { "rename": { "field": "message2.mailfrom", "target_field": "smtp.mail_from", "ignore_missing": true } },
+ { "rename": { "field": "message2.rcptto", "target_field": "smtp.recipient_to", "ignore_missing": true } },
+ { "rename": { "field": "message2.date", "target_field": "smtp.mail_date", "ignore_missing": true } },
+ { "rename": { "field": "message2.from", "target_field": "smtp.from", "ignore_missing": true } },
+ { "rename": { "field": "message2.to", "target_field": "smtp.to", "ignore_missing": true } },
+ { "rename": { "field": "message2.cc", "target_field": "smtp.cc", "ignore_missing": true } },
+ { "rename": { "field": "message2.reply_to", "target_field": "smtp.reply_to", "ignore_missing": true } },
+ { "rename": { "field": "message2.msg_id", "target_field": "smtp.message_id", "ignore_missing": true } },
+ { "rename": { "field": "message2.in_reply_to", "target_field": "smtp.in_reply_to", "ignore_missing": true } },
+ { "rename": { "field": "message2.subject", "target_field": "smtp.subject", "ignore_missing": true } },
+ { "rename": { "field": "message2.x_originating_ip", "target_field": "smtp.x_originating_ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.first_received", "target_field": "smtp.first_received", "ignore_missing": true } },
+ { "rename": { "field": "message2.second_received", "target_field": "smtp.second_received", "ignore_missing": true } },
+ { "rename": { "field": "message2.last_reply", "target_field": "smtp.last_reply", "ignore_missing": true } },
+ { "rename": { "field": "message2.path", "target_field": "smtp.path", "ignore_missing": true } },
+ { "rename": { "field": "message2.user_agent", "target_field": "smtp.useragent", "ignore_missing": true } },
+ { "rename": { "field": "message2.tls", "target_field": "smtp.tls", "ignore_missing": true } },
+ { "rename": { "field": "message2.fuids", "target_field": "log.id.fuids", "ignore_missing": true } },
+ { "rename": { "field": "message2.is_webmail", "target_field": "smtp.is_webmail", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.snmp b/salt/elasticsearch/files/ingest/zeek.snmp
new file mode 100644
index 000000000..664bc4112
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.snmp
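Review bot: `smtp.useragent` in the `message2.user_agent` rename is the one target in this hunk that drops the underscore, while `smtp.mail_from`, `smtp.in_reply_to`, `smtp.x_originating_ip` and the rest keep snake_case. Change that line to `"target_field": "smtp.user_agent"` so the field name follows the same convention as its siblings and the source key it comes from.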
@@ -0,0 +1,17 @@
+{
+ "description" : "zeek.snmp",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.duration", "target_field": "event.duration", "ignore_missing": true } },
+ { "rename": { "field": "message2.version", "target_field": "snmp.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.community", "target_field": "snmp.community", "ignore_missing": true } },
+ { "rename": { "field": "message2.get_requests", "target_field": "snmp.get.requests", "ignore_missing": true } },
+ { "rename": { "field": "message2.get_bulk_requests","target_field": "snmp.get.bulk_requests", "ignore_missing": true } },
+ { "rename": { "field": "message2.get_responses", "target_field": "snmp.get.responses", "ignore_missing": true } },
+ { "rename": { "field": "message2.set_requests", "target_field": "snmp.set.requests", "ignore_missing": true } },
+ { "rename": { "field": "message2.display_string", "target_field": "snmp.display_string", "ignore_missing": true } },
+ { "rename": { "field": "message2.up_since", "target_field": "snmp.up_since", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.socks b/salt/elasticsearch/files/ingest/zeek.socks
new file mode 100644
index 000000000..6ccfa0d1a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.socks
@@ -0,0 +1,20 @@
+{
+ "description" : "zeek.socks",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.version", "target_field": "socks.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.user", "target_field": "socks.user", "ignore_missing": true } },
+ { "rename": { "field": "message2.password", "target_field": "socks.password", "ignore_missing": true } },
+ { "rename": { "field": "message2.status", "target_field": "socks.status", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_host", "target_field": "socks.request.host", "ignore_missing": true } },
+ { "dot_expander": { "field": "request.name", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.request.name", "target_field": "socks.request.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.request_p", "target_field": "socks.request.port", "ignore_missing": true } },
+ { "dot_expander": { "field": "bound.host", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.bound.host", "target_field": "socks.bound.host", "ignore_missing": true } },
+ { "rename": { "field": "message2.bound_name", "target_field": "socks.bound.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.bound_p", "target_field": "socks.bound.port", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.software b/salt/elasticsearch/files/ingest/zeek.software
new file mode 100644
index 000000000..16a2ae1f1
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.software
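Review bot: The `message2.password` rename copies the SOCKS credential observed on the wire into the index verbatim as `socks.password`, so a cleartext password becomes a searchable, retained field for everyone who can read the index. That is a deliberate choice worth making explicit: if the value is not needed for investigations, drop it instead with `{ "remove": { "field": "message2.password", "ignore_missing": true } }` in place of the rename; if it is needed, restrict read access to the field (field-level security on the index) rather than exposing it by default. The same consideration applies to the `snmp.community` rename in the zeek.snmp hunk on the preceding line, since an SNMP community string is also a credential.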
@@ -0,0 +1,23 @@
+{
+ "description" : "zeek.software",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "dot_expander": { "field": "version.major", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.version.major", "target_field": "software.version.major", "ignore_missing": true } },
+ { "dot_expander": { "field": "version.minor", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.version.minor", "target_field": "software.version.minor", "ignore_missing": true } },
+ { "dot_expander": { "field": "version.minor2", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.version.minor2", "target_field": "software.version.minor2", "ignore_missing": true } },
+ { "dot_expander": { "field": "version.minor3", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.version.minor3", "target_field": "version.minor3", "ignore_missing": true } },
+ { "dot_expander": { "field": "version.addl", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.version.addl", "target_field": "software.version.additional_info", "ignore_missing": true } },
+ { "rename": { "field": "message2.host", "target_field": "source.ip", "ignore_missing": true } },
+ { "rename": { "field": "message2.host_p", "target_field": "source.port", "ignore_missing": true } },
+ { "rename": { "field": "message2.software_type", "target_field": "software.type", "ignore_missing": true } },
+ { "rename": { "field": "message2.name", "target_field": "software.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.unparsed_version", "target_field": "software.version.unparsed", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
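Review bot: The `message2.version.minor3` rename targets `version.minor3`, while `major`, `minor`, `minor2` and `addl` from the same expanded object all land under `software.version.*`, so one version component ends up as a root-level `version` object instead of beside its siblings. Change that line to `"target_field": "software.version.minor3"`. With the current target, a document that also carries a root-level `version` field from another source would collide with this one.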
diff --git a/salt/elasticsearch/files/ingest/zeek.ssh b/salt/elasticsearch/files/ingest/zeek.ssh
new file mode 100644
index 000000000..f4685de74
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ssh
@@ -0,0 +1,32 @@
+{
+ "description" : "zeek.conn",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.version", "target_field": "ssh.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.hassh", "target_field": "hash.hassh", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_success", "target_field": "ssh.authentication.success", "ignore_missing": true } },
+ { "rename": { "field": "message2.auth_attempts", "target_field": "ssh.authentication.attempts", "ignore_missing": true } },
+ { "rename": { "field": "message2.direction", "target_field": "ssh.direction", "ignore_missing": true } },
+ { "rename": { "field": "message2.client", "target_field": "ssh.client", "ignore_missing": true } },
+ { "rename": { "field": "message2.server", "target_field": "ssh.server", "ignore_missing": true } },
+ { "rename": { "field": "message2.cipher_alg", "target_field": "ssh.cipher_algorithm", "ignore_missing": true } },
+ { "rename": { "field": "message2.compression_alg", "target_field": "ssh.compression_algorithm", "ignore_missing": true } },
+ { "rename": { "field": "message2.cshka", "target_field": "ssh.client_host_key_algorithms", "ignore_missing": true } },
+ { "rename": { "field": "message2.host_key_alg", "target_field": "ssh.host_key_algorithm", "ignore_missing": true } },
+ { "rename": { "field": "message2.hasshAlgorithms", "target_field": "ssh.hassh_algorithms", "ignore_missing": true } },
+ { "rename": { "field": "message2.hasshServer", "target_field": "ssh.hassh_server", "ignore_missing": true } },
+ { "rename": { "field": "message2.hasshVersion", "target_field": "ssh.hassh_version", "ignore_missing": true } },
+ { "rename": { "field": "message2.kex_alg", "target_field": "ssh.kex_algorithm", "ignore_missing": true } },
+ { "rename": { "field": "message2.mac_alg", "target_field": "ssh.mac_algorithm", "ignore_missing": true } },
+ { "rename": { "field": "message2.sshka", "target_field": "ssh.server_host_key_algorithms", "ignore_missing": true } },
+ { "rename": { "field": "message2.host_key", "target_field": "ssh.host_key", "ignore_missing": true } },
+ { "rename": { "field": "message2.destination_region", "target_field": "destination.region", "ignore_missing": true } },
+ { "rename": { "field": "message2.destination_city", "target_field": "destination.city", "ignore_missing": true } },
+ { "rename": { "field": "message2.destination_latitude", "target_field": "destination.latitude", "ignore_missing": true } },
+ { "rename": { "field": "message2.destination_longitude", "target_field": "destination.longitude", "ignore_missing": true } },
+ { "rename": { "field": "message2.destination_country_code", "target_field": "destination.country_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.hasshServerAlgorithms", "target_field": "ssh.hassh_server_algorithms", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.ssl b/salt/elasticsearch/files/ingest/zeek.ssl
new file mode 100644
index 000000000..e51fd4591
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ssl
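Review bot: The `description` of the new zeek.ssh pipeline reads `zeek.conn`, which does not match the file or the `ssh.*` fields it produces and will mislead anyone browsing the pipeline list. Change the second line of the hunk to `"description" : "zeek.ssh",`. The zeek.smb_mapping hunk earlier in this series has the same copy-paste problem.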
@@ -0,0 +1,25 @@
+{
+ "description" : "zeek.ssl",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.version", "target_field": "ssl.version", "ignore_missing": true } },
+ { "rename": { "field": "message2.cipher", "target_field": "ssl.cipher", "ignore_missing": true } },
+ { "rename": { "field": "message2.curve", "target_field": "ssl.curve", "ignore_missing": true } },
+ { "rename": { "field": "message2.server_name", "target_field": "ssl.server_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.resumed", "target_field": "ssl.resumed", "ignore_missing": true } },
+ { "rename": { "field": "message2.last_alert", "target_field": "ssl.last_alert", "ignore_missing": true } },
+ { "rename": { "field": "message2.next_protocol", "target_field": "ssl.next_protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.established", "target_field": "ssl.established", "ignore_missing": true } },
+ { "rename": { "field": "message2.cert_chain_fuids", "target_field": "ssl.certificate.chain_fuids", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_cert_chain_fuids", "target_field": "ssl.client.certificate.chain_fuids", "ignore_missing": true } },
+ { "rename": { "field": "message2.subject", "target_field": "ssl.certificate.subject", "ignore_missing": true } },
+ { "rename": { "field": "message2.issuer", "target_field": "ssl.certificate.issuer", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_subject", "target_field": "ssl.client.subject", "ignore_missing": true } },
+ { "rename": { "field": "message2.client_issuer", "target_field": "ssl.client.issuer", "ignore_missing": true } },
+ { "rename": { "field": "message2.validation_status","target_field": "ssl.validation_status", "ignore_missing": true } },
+ { "rename": { "field": "message2.ja3", "target_field": "hash.ja3", "ignore_missing": true } },
+ { "rename": { "field": "message2.ja3s", "target_field": "hash.ja3s", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common_ssl" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.syslog b/salt/elasticsearch/files/ingest/zeek.syslog
new file mode 100644
index 000000000..e32b89c7e
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.syslog
@@ -0,0 +1,13 @@
+{
+ "description" : "zeek.syslog",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.facility", "target_field": "syslog.facility", "ignore_missing": true } },
+ { "rename": { "field": "message2.severity", "target_field": "syslog.severity", "ignore_missing": true } },
+ { "remove": { "field": "message", "ignore_failure": true } },
+ { "rename": { "field": "message2.message", "target_field": "message", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.tunnel b/salt/elasticsearch/files/ingest/zeek.tunnel
new file mode 100644
index 000000000..78eb6eba8
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.tunnel
@@ -0,0 +1,8 @@
+{
+ "description" : "zeek.tunnel",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "set": { "field": "event_type", "value": "zeek.tunnels" } },
+ { "pipeline": { "name": "zeek.tunnels" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.tunnels b/salt/elasticsearch/files/ingest/zeek.tunnels
new file mode 100644
index 000000000..5d8b7f8bf
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.tunnels
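Review bot: In the zeek.syslog hunk, the `remove` of `message` is unconditional while the rename of `message2.message` back into `message` uses `ignore_missing`, so a record whose JSON lacks a `message` key, or whose `json` step failed (`ignore_failure` leaves `message2` unset), ends the pipeline with no `message` at all and the raw log is gone. Make the removal conditional on the replacement being present, e.g. `{ "remove": { "field": "message", "if": "ctx.message2?.message != null", "ignore_failure": true } }`, so that the original text survives when there is nothing to swap in. The zeek.ssl hunk on the same lines hands off to `zeek.common_ssl` where every other pipeline uses `zeek.common`; that is presumably intentional, but the differing name is worth confirming against the pipeline that defines it.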
@@ -0,0 +1,19 @@
+{
+ "description" : "zeek.tunnels",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
+ { "rename": { "field": "message2.tunnel_type", "target_field": "tunnel_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.action", "target_field": "action", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.weird b/salt/elasticsearch/files/ingest/zeek.weird
new file mode 100644
index 000000000..43d552888
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.weird
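Review bot: The zeek.tunnels hunk renames `tunnel_type` and `action` to root-level keys while every other protocol pipeline in this series namespaces its own fields (`rdp.*`, `smtp.*`, `socks.*`); a root-level `action` in particular is easy to confuse with the `file.action` written by zeek.smb_files. Consider `"target_field": "tunnel.type"` and `"target_field": "tunnel.action"` for those two lines. Whether `uid` is meant to stay at the root depends on what `zeek.common` does with it, which is not visible here.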
@@ -0,0 +1,12 @@
+{
+ "description" : "zeek.weird",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.name", "target_field": "weird.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.addl", "target_field": "weird.additional_info", "ignore_missing": true } },
+ { "rename": { "field": "message2.notice", "target_field": "weird.notice", "ignore_missing": true } },
+ { "rename": { "field": "message2.peer", "target_field": "weird.peer", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
+ ]
+}
diff --git a/salt/elasticsearch/files/ingest/zeek.x509 b/salt/elasticsearch/files/ingest/zeek.x509
new file mode 100644
index 000000000..9c4c4aa1d
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.x509
@@ -0,0 +1,45 @@
+{
+ "description" : "zeek.x509",
+ "processors" : [
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.id", "target_field": "id", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.version", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.version", "target_field": "x509.certificate.version", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.serial", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.serial", "target_field": "x509.certificate.serial", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.subject", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.subject", "target_field": "x509.certificate.subject", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.issuer", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.issuer", "target_field": "x509.certificate.issuer", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.not_valid_before", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.not_valid_before", "target_field": "x509.certificate.not_valid_before", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.not_valid_after", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.not_valid_after", "target_field": "x509.certificate.not_valid_after", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.key_alg", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.key_alg", "target_field": "x509.certificate.key.algorithm", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.sig_alg", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.sig_alg", "target_field": "x509.certificate.signing_algorithm", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.key_type", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.key_type", "target_field": "x509.certificate.key.type", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.key_length", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.key_length", "target_field": "x509.certificate.key.length", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.exponent", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.exponent", "target_field": "x509.certificate.exponent", "ignore_missing": true } },
+ { "dot_expander": { "field": "certificate.curve", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.certificate.curve", "target_field": "x509.certificate.curve", "ignore_missing": true } },
+ { "dot_expander": { "field": "san.dns", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.san.dns", "target_field": "x509.san_dns", "ignore_missing": true } },
+ { "dot_expander": { "field": "san.uri", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.san.uri", "target_field": "x509.san_uri", "ignore_missing": true } },
+ { "dot_expander": { "field": "san.email", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.san.email", "target_field": "x509.san_email", "ignore_missing": true } },
+ { "dot_expander": { "field": "san.ip", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.san.ip", "target_field": "x509.san_ip", "ignore_missing": true } },
+ { "dot_expander": { "field": "basic_constraints.ca", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.basic_constraints.ca", "target_field": "x509.basic_constraints.ca", "ignore_missing": true } },
+ { "dot_expander": { "field": "basic_constraints.path_length", "path": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.basic_constraints.path_length", "target_field": "x509.basic_constraints.path_length", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common_ssl" } }
+ ]
+}
From 648b0ba790fa07031fc38f09c05c8a6e1b994e70 Mon Sep 17 00:00:00 2001
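Review bot: The certificate subject and issuer land in `x509.certificate.subject` and `x509.certificate.issuer`, but the bro_common_ssl pipeline removed later in this series split those DNs with `kv` processors reading `certificate_subject` and `certificate_issuer`; if `zeek.common_ssl`, called on the last processor line and not visible here, was carried over with only its name changed, its `kv` steps now read fields this pipeline no longer produces, and `ignore_missing: true` will hide that silently, leaving `certificate_common_name`, `issuer_common_name` and the derived `*_length` fields empty. Worth confirming that `zeek.common_ssl` reads `x509.certificate.subject` and `x509.certificate.issuer`, or running one x509 record through the pipeline (simulate API) and asserting the split fields are populated.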
From: Wes Lambert Date: Wed, 11 Mar 2020 12:14:22 +0000 Subject: [PATCH 5/5] remove old config --- salt/elasticsearch/files/ingest/bro_common | 9 --- .../elasticsearch/files/ingest/bro_common_ssl | 58 ------------------- salt/elasticsearch/files/ingest/bro_conn | 48 --------------- salt/elasticsearch/files/ingest/bro_dce_rpc | 20 ------- salt/elasticsearch/files/ingest/bro_dhcp | 20 ------- salt/elasticsearch/files/ingest/bro_dnp3 | 19 ------ salt/elasticsearch/files/ingest/bro_dns | 35 ----------- salt/elasticsearch/files/ingest/bro_dpd | 19 ------ salt/elasticsearch/files/ingest/bro_files | 32 ---------- salt/elasticsearch/files/ingest/bro_ftp | 33 ----------- salt/elasticsearch/files/ingest/bro_http | 42 -------------- salt/elasticsearch/files/ingest/bro_intel | 29 ---------- salt/elasticsearch/files/ingest/bro_irc | 25 -------- salt/elasticsearch/files/ingest/bro_kerberos | 30 ---------- salt/elasticsearch/files/ingest/bro_modbus | 18 ------ salt/elasticsearch/files/ingest/bro_mysql | 21 ------- salt/elasticsearch/files/ingest/bro_notice | 36 ------------ salt/elasticsearch/files/ingest/bro_ntlm | 24 -------- salt/elasticsearch/files/ingest/bro_pe | 23 -------- salt/elasticsearch/files/ingest/bro_radius | 25 -------- salt/elasticsearch/files/ingest/bro_rdp | 31 ---------- salt/elasticsearch/files/ingest/bro_rfb | 26 --------- .../elasticsearch/files/ingest/bro_signatures | 22 ------- salt/elasticsearch/files/ingest/bro_sip | 37 ------------ salt/elasticsearch/files/ingest/bro_smb_files | 31 ---------- .../files/ingest/bro_smb_mapping | 21 ------- salt/elasticsearch/files/ingest/bro_smtp | 38 ------------ salt/elasticsearch/files/ingest/bro_snmp | 25 -------- salt/elasticsearch/files/ingest/bro_socks | 28 --------- salt/elasticsearch/files/ingest/bro_software | 23 -------- salt/elasticsearch/files/ingest/bro_ssh | 40 ------------- salt/elasticsearch/files/ingest/bro_ssl | 33 ----------- salt/elasticsearch/files/ingest/bro_syslog | 21 ------- 
salt/elasticsearch/files/ingest/bro_tunnel | 7 --- salt/elasticsearch/files/ingest/bro_tunnels | 18 ------ salt/elasticsearch/files/ingest/bro_weird | 20 ------- salt/elasticsearch/files/ingest/bro_x509 | 44 -------------- 37 files changed, 1031 deletions(-) delete mode 100644 salt/elasticsearch/files/ingest/bro_common delete mode 100644 salt/elasticsearch/files/ingest/bro_common_ssl delete mode 100644 salt/elasticsearch/files/ingest/bro_conn delete mode 100644 salt/elasticsearch/files/ingest/bro_dce_rpc delete mode 100644 salt/elasticsearch/files/ingest/bro_dhcp delete mode 100644 salt/elasticsearch/files/ingest/bro_dnp3 delete mode 100644 salt/elasticsearch/files/ingest/bro_dns delete mode 100644 salt/elasticsearch/files/ingest/bro_dpd delete mode 100644 salt/elasticsearch/files/ingest/bro_files delete mode 100644 salt/elasticsearch/files/ingest/bro_ftp delete mode 100644 salt/elasticsearch/files/ingest/bro_http delete mode 100644 salt/elasticsearch/files/ingest/bro_intel delete mode 100644 salt/elasticsearch/files/ingest/bro_irc delete mode 100644 salt/elasticsearch/files/ingest/bro_kerberos delete mode 100644 salt/elasticsearch/files/ingest/bro_modbus delete mode 100644 salt/elasticsearch/files/ingest/bro_mysql delete mode 100644 salt/elasticsearch/files/ingest/bro_notice delete mode 100644 salt/elasticsearch/files/ingest/bro_ntlm delete mode 100644 salt/elasticsearch/files/ingest/bro_pe delete mode 100644 salt/elasticsearch/files/ingest/bro_radius delete mode 100644 salt/elasticsearch/files/ingest/bro_rdp delete mode 100644 salt/elasticsearch/files/ingest/bro_rfb delete mode 100644 salt/elasticsearch/files/ingest/bro_signatures delete mode 100644 salt/elasticsearch/files/ingest/bro_sip delete mode 100644 salt/elasticsearch/files/ingest/bro_smb_files delete mode 100644 salt/elasticsearch/files/ingest/bro_smb_mapping delete mode 100644 salt/elasticsearch/files/ingest/bro_smtp delete mode 100644 salt/elasticsearch/files/ingest/bro_snmp delete mode 100644 
salt/elasticsearch/files/ingest/bro_socks
delete mode 100644 salt/elasticsearch/files/ingest/bro_software
delete mode 100644 salt/elasticsearch/files/ingest/bro_ssh
delete mode 100644 salt/elasticsearch/files/ingest/bro_ssl
delete mode 100644 salt/elasticsearch/files/ingest/bro_syslog
delete mode 100644 salt/elasticsearch/files/ingest/bro_tunnel
delete mode 100644 salt/elasticsearch/files/ingest/bro_tunnels
delete mode 100644 salt/elasticsearch/files/ingest/bro_weird
delete mode 100644 salt/elasticsearch/files/ingest/bro_x509
diff --git a/salt/elasticsearch/files/ingest/bro_common b/salt/elasticsearch/files/ingest/bro_common
deleted file mode 100644
index 98618ce56..000000000
--- a/salt/elasticsearch/files/ingest/bro_common
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "description" : "bro_common",
- "processors" : [
- { "rename": { "field": "@timestamp", "target_field": "timestamp", "ignore_missing": true } },
- { "date": { "field": "message2.ts", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "ignore_failure": true } },
- { "remove": { "field": "message2.ts", "ignore_failure": true } },
- { "pipeline": { "name": "common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_common_ssl b/salt/elasticsearch/files/ingest/bro_common_ssl
deleted file mode 100644
index faf1666ac..000000000
--- a/salt/elasticsearch/files/ingest/bro_common_ssl
+++ /dev/null
@@ -1,58 +0,0 @@
-{
- "description" : "bro_common_ssl",
- "processors" : [
- {
- "kv": {
- "field": "certificate_issuer",
- "field_split": ",",
- "value_split": "=",
- "ignore_missing": true,
- "ignore_failure": true,
- "include_keys": [ "CN", "C", "O", "OU", "ST", "SN", "L", "DC", "GN", "pseudonym", "serialNumber", "title", "initials" ]
- }
- },
- { "rename":{ "field": "CN", "target_field": "issuer_common_name", "ignore_failure": true } },
- { "rename":{ "field": "C", "target_field": "issuer_country_code", "ignore_failure": true } },
- { "rename":{ "field": "O", "target_field": "issuer_organization", "ignore_failure": true } },
- { "rename":{ "field": "OU", "target_field": "issuer_organization_unit", "ignore_failure": true } },
- { "rename":{ "field": "ST", "target_field": "issuer_state", "ignore_failure": true } },
- { "rename":{ "field": "SN", "target_field": "issuer_surname", "ignore_failure": true } },
- { "rename":{ "field": "L", "target_field": "issuer_locality", "ignore_failure": true } },
- { "rename":{ "field": "DC", "target_field": "issuer_distinguised_name", "ignore_failure": true } },
- { "rename":{ "field": "GN", "target_field": "issuer_given_name", "ignore_failure": true } },
- { "rename":{ "field": "pseudonym", "target_field": "issuer_pseudonym", "ignore_failure": true } },
- { "rename":{ "field": "serialNumber", "target_field": "issuer_serial_number", "ignore_failure": true } },
- { "rename":{ "field": "title", "target_field": "issuer_title", "ignore_failure": true } },
- { "rename":{ "field": "initials", "target_field": "issuer_initials", "ignore_failure": true } },
- {
- "kv": {
- "field": "certificate_subject",
- "field_split": ",",
- "value_split": "=",
- "ignore_missing": true,
- "ignore_failure": true,
- "include_keys": [ "CN", "C", "O", "OU", "ST", "SN", "L", "GN", "pseudonym", "serialNumber", "title", "initials" ]
- }
- },
- { "rename":{ "field": "CN", "target_field": "certificate_common_name", "ignore_failure": true } },
- { "rename":{ "field": "C", "target_field": "certificate_country_code", "ignore_failure": true } },
- { "rename":{ "field": "O", "target_field": "certificate_organization", "ignore_failure": true } },
- { "rename":{ "field": "OU", "target_field": "certificate_organization_unit","ignore_failure": true } },
- { "rename":{ "field": "ST", "target_field": "certificate_state", "ignore_failure": true } },
- { "rename":{ "field": "SN", "target_field": "certificate_surname", "ignore_failure": true } },
- { "rename":{ "field": "L", "target_field": "certificate_locality", "ignore_failure": true } },
- { "rename":{ "field": "GN", "target_field": "certificate_given_name", "ignore_failure": true } },
- { "rename":{ "field": "pseudonym", "target_field": "certificate_pseudonym", "ignore_failure": true } },
- { "rename":{ "field": "serialNumber", "target_field": "certificate_serial_number", "ignore_failure": true } },
- { "rename":{ "field": "title", "target_field": "certificate_title", "ignore_failure": true } },
- { "rename":{ "field": "initials", "target_field": "certificate_initials", "ignore_failure": true } },
- { "script":{ "lang": "painless", "source": "ctx.certificate_common_name_length = ctx.certificate_common_name.length()", "ignore_failure": true } },
- { "script":{ "lang": "painless", "source": "ctx.issuer_common_name_length = ctx.issuer_common_name.length()", "ignore_failure": true } },
- { "script":{ "lang": "painless", "source": "ctx.server_name_length = ctx.server_name.length()", "ignore_failure": true } },
- {
- "pipeline": {
- "name": "bro_common"
- }
- }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_conn b/salt/elasticsearch/files/ingest/bro_conn
deleted file mode 100644
index 2fe68ec42..000000000
--- a/salt/elasticsearch/files/ingest/bro_conn
+++ /dev/null
@@ -1,48 +0,0 @@
-{
- "description" : "bro_conn",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
- { "rename": { "field": "message2.service", "target_field": "service", "ignore_missing": true } },
- { "rename": { "field": "message2.duration", "target_field": "duration", "ignore_missing": true } },
- { "rename": { "field": "message2.orig_bytes", "target_field": "original_bytes", "ignore_missing": true } },
- { "rename": { "field": "message2.resp_bytes", "target_field": "respond_bytes", "ignore_missing": true } },
- { "rename": { "field": "message2.conn_state", "target_field": "connection_state", "ignore_missing": true } },
- { "rename": { "field": "message2.local_orig", "target_field": "local_orig", "ignore_missing": true } },
- { "rename": { "field": "message2.local_resp", "target_field": "local_respond", "ignore_missing": true } },
- { "rename": { "field": "message2.missed_bytes", "target_field": "missed_bytes", "ignore_missing": true } },
- { "rename": { "field": "message2.history", "target_field": "history", "ignore_missing": true } },
- { "rename": { "field": "message2.orig_pkts", "target_field": "original_packets", "ignore_missing": true } },
- { "rename": { "field": "message2.orig_ip_bytes", "target_field": "original_ip_bytes", "ignore_missing": true } },
- { "rename": { "field": "message2.resp_pkts", "target_field": "respond_packets", "ignore_missing": true } },
- { "rename": { "field": "message2.resp_ip_bytes", "target_field": "respond_ip_bytes", "ignore_missing": true } },
- { "rename": { "field": "message2.tunnel_parents", "target_field": "tunnel_parents", "ignore_missing": true } },
- { "rename": { "field": "message2.orig_cc", "target_field": "original_country_code","ignore_missing": true } },
- { "rename": { "field": "message2.resp_cc", "target_field": "respond_country_code", "ignore_missing": true } },
- { "rename": { "field": "message2.sensorname", "target_field": "sensor_name", "ignore_missing": true } },
- { "script": { "lang": "painless", "source": "ctx.total_bytes = (ctx.original_bytes + ctx.respond_bytes)", "ignore_failure": true } },
- { "set": { "if": "ctx.connection_state == 'S0'", "field": "connection_state_description", "value": "Connection attempt seen, no reply" } },
- { "set": { "if": "ctx.connection_state == 'S1'", "field": "connection_state_description", "value": "Connection established, not terminated" } },
- { "set": { "if": "ctx.connection_state == 'S2'", "field": "connection_state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } },
- { "set": { "if": "ctx.connection_state == 'S3'", "field": "connection_state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } },
- { "set": { "if": "ctx.connection_state == 'SF'", "field": "connection_state_description", "value": "Normal SYN/FIN completion" } },
- { "set": { "if": "ctx.connection_state == 'REJ'", "field": "connection_state_description", "value": "Connection attempt rejected" } },
- { "set": { "if": "ctx.connection_state == 'RSTO'", "field": "connection_state_description", "value": "Connection established, originator aborted (sent a RST)" } },
- { "set": { "if": "ctx.connection_state == 'RSTR'", "field": "connection_state_description", "value": "Established, responder aborted" } },
- { "set": { "if": "ctx.connection_state == 'RSTOS0'","field": "connection_state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } },
- { "set": { "if": "ctx.connection_state == 'RSTRH'", "field": "connection_state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } },
- { "set": { "if": "ctx.connection_state == 'SH'", "field": "connection_state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
- { "set": { "if": "ctx.connection_state == 'SHR'", "field": "connection_state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
- { "set": { "if": "ctx.connection_state == 'OTH'", "field": "connection_state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_dce_rpc b/salt/elasticsearch/files/ingest/bro_dce_rpc
deleted file mode 100644
index 902785b92..000000000
--- a/salt/elasticsearch/files/ingest/bro_dce_rpc
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "description" : "bro_dce_rpc",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.rtt", "target_field": "rtt", "ignore_missing": true } },
- { "rename": { "field": "message2.named_pipe", "target_field": "named_pipe", "ignore_missing": true } },
- { "rename": { "field": "message2.endpoint", "target_field": "endpoint", "ignore_missing": true } },
- { "rename": { "field": "message2.operation", "target_field": "operation", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_dhcp b/salt/elasticsearch/files/ingest/bro_dhcp
deleted file mode 100644
index 88d4f94c2..000000000
--- a/salt/elasticsearch/files/ingest/bro_dhcp
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "description" : "bro_dhcp",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uids", "target_field": "uid", "ignore_missing": true } },
- { "rename": { "field": "message2.mac", "target_field": "mac", "ignore_missing": true } },
- { "rename": { "field": "message2.assigned_ip", "target_field": "assigned_ip", "ignore_missing": true } },
- { "rename": { "field": "message2.lease_time", "target_field": "lease_time", "ignore_missing": true } },
- { "rename": { "field": "message2.trans_id", "target_field": "transaction_id", "ignore_missing": true } },
- { "rename": { "field": "message2.assigned_addr", "target_field": "assigned_ip", "ignore_missing": true } },
- { "rename": { "field": "message2.client_addr", "target_field": "source.ip", "ignore_missing": true } },
- { "rename": { "field": "message2.server_addr", "target_field": "destination.ip", "ignore_missing": true } },
- { "rename": { "field": "message2.requested_addr", "target_field": "requested_ip", "ignore_missing": true } },
- { "rename": { "field": "message2.domain", "target_field": "domain_name", "ignore_missing": true } },
- { "rename": { "field": "message2.host_name", "target_field": "hostname", "ignore_missing": true } },
- { "rename": { "field": "message2.duration", "target_field": "duration", "ignore_missing": true } },
- { "rename": { "field": "message2.msg_types", "target_field": "message_types", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_dnp3 b/salt/elasticsearch/files/ingest/bro_dnp3
deleted file mode 100644
index 3797e14fe..000000000
--- a/salt/elasticsearch/files/ingest/bro_dnp3
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "description" : "bro_dnp3",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.fc_request", "target_field": "fc_request", "ignore_missing": true } },
- { "rename": { "field": "message2.fc_reply", "target_field": "fc_reply", "ignore_missing": true } },
- { "rename": { "field": "message2.iin", "target_field": "iin", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_dns b/salt/elasticsearch/files/ingest/bro_dns
deleted file mode 100644
index 3857e8e07..000000000
--- a/salt/elasticsearch/files/ingest/bro_dns
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "description" : "bro_dns",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
- { "rename": { "field": "message2.trans_id", "target_field": "transaction_id", "ignore_missing": true } },
- { "rename": { "field": "message2.rtt", "target_field": "rtt", "ignore_missing": true } },
- { "rename": { "field": "message2.query", "target_field": "query", "ignore_missing": true } },
- { "rename": { "field": "message2.qclass", "target_field": "query_class", "ignore_missing": true } },
- { "rename": { "field": "message2.qclass_name", "target_field": "query_class_name", "ignore_missing": true } },
- { "rename": { "field": "message2.qtype", "target_field": "query_type", "ignore_missing": true } },
- { "rename": { "field": "message2.qtype_name", "target_field": "query_type_name", "ignore_missing": true } },
- { "rename": { "field": "message2.rcode", "target_field": "rcode", "ignore_missing": true } },
- { "rename": { "field": "message2.rcode_name", "target_field": "rcode_name", "ignore_missing": true } },
- { "rename": { "field": "message2.AA", "target_field": "aa", "ignore_missing": true } },
- { "rename": { "field": "message2.TC", "target_field": "tc", "ignore_missing": true } },
- { "rename": { "field": "message2.RD", "target_field": "rd", "ignore_missing": true } },
- { "rename": { "field": "message2.RA", "target_field": "ra", "ignore_missing": true } },
- { "rename": { "field": "message2.Z", "target_field": "z", "ignore_missing": true } },
- { "rename": { "field": "message2.answers", "target_field": "answers", "ignore_missing": true } },
- { "rename": { "field": "message2.TTLs", "target_field": "ttls", "ignore_missing": true } },
- { "rename": { "field": "message2.rejected", "target_field": "rejected", "ignore_missing": true } },
- { "script": { "lang": "painless", "source": "ctx.query_length = ctx.query.length()", "ignore_failure": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_dpd b/salt/elasticsearch/files/ingest/bro_dpd
deleted file mode 100644
index 963d6cd1d..000000000
--- a/salt/elasticsearch/files/ingest/bro_dpd
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "description" : "bro_dpd",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
- { "rename": { "field": "message2.analyzer", "target_field": "analyzer", "ignore_missing": true } },
- { "rename": { "field": "message2.failure_reason", "target_field": "failure_reason", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_files b/salt/elasticsearch/files/ingest/bro_files
deleted file mode 100644
index 5d138557d..000000000
--- a/salt/elasticsearch/files/ingest/bro_files
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- "description" : "bro_files",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
- { "rename": { "field": "message2.tx_hosts", "target_field": "file_ip", "ignore_missing": true } },
- { "rename": { "field": "message2.rx_hosts.0", "target_field": "destination.ip", "ignore_missing": true } },
- { "remove": { "field": "message2.rx_hosts", "ignore_missing": true } },
- { "rename": { "field": "message2.conn_uids", "target_field": "uid", "ignore_missing": true } },
- { "remove": { "field": "source", "ignore_missing": true } },
- { "rename": { "field": "message2.source", "target_field": "file_source", "ignore_missing": true } },
- { "rename": { "field": "message2.depth", "target_field": "depth", "ignore_missing": true } },
- { "rename": { "field": "message2.analyzers", "target_field": "analyzer", "ignore_missing": true } },
- { "rename": { "field": "message2.mime_type", "target_field": "mimetype", "ignore_missing": true } },
- { "rename": { "field": "message2.filename", "target_field": "file_name", "ignore_missing": true } },
- { "rename": { "field": "message2.duration", "target_field": "duration", "ignore_missing": true } },
- { "rename": { "field": "message2.local_orig", "target_field": "local_orig", "ignore_missing": true } },
- { "rename": { "field": "message2.is_orig", "target_field": "is_orig", "ignore_missing": true } },
- { "rename": { "field": "message2.seen_bytes", "target_field": "seen_bytes", "ignore_missing": true } },
- { "rename": { "field": "message2.total_bytes", "target_field": "total_bytes", "ignore_missing": true } },
- { "rename": { "field": "message2.missing_bytes", "target_field": "missing_bytes", "ignore_missing": true } },
- { "rename": { "field": "message2.overflow_bytes", "target_field": "overflow_bytes", "ignore_missing": true } },
- { "rename": { "field": "message2.timedout", "target_field": "timed_out", "ignore_missing": true } },
- { "rename": { "field": "message2.parent_fuid", "target_field": "parent_fuid", "ignore_missing": true } },
- { "rename": { "field": "message2.md5", "target_field": "md5", "ignore_missing": true } },
- { "rename": { "field": "message2.sha1", "target_field": "sha1", "ignore_missing": true } },
- { "rename": { "field": "message2.extracted", "target_field": "extracted", "ignore_missing": true } },
- { "rename": { "field": "message2.extracted_cutoff", "target_field": "extracted_cutoff", "ignore_missing": true } },
- { "rename": { "field": "message2.extracted_size", "target_field": "extracted_size", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_ftp b/salt/elasticsearch/files/ingest/bro_ftp
deleted file mode 100644
index e602f29fb..000000000
--- a/salt/elasticsearch/files/ingest/bro_ftp
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "description" : "bro_http",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.user", "target_field": "username", "ignore_missing": true } },
- { "rename": { "field": "message2.password", "target_field": "password", "ignore_missing": true } },
- { "rename": { "field": "message2.command", "target_field": "ftp_command", "ignore_missing": true } },
- { "rename": { "field": "message2.arg", "target_field": "ftp_argument", "ignore_missing": true } },
- { "rename": { "field": "message2.mime_type", "target_field": "mimetype", "ignore_missing": true } },
- { "rename": { "field": "message2.file_size", "target_field": "file_size", "ignore_missing": true } },
- { "rename": { "field": "message2.reply_code", "target_field": "reply_code", "ignore_missing": true } },
- { "rename": { "field": "message2.reply_msg", "target_field": "reply_message", "ignore_missing": true } },
- { "dot_expander": { "field": "data_channel.passive", "path": "message2", "ignore_failure": true } },
- { "rename": { 
"field": "message2.data_channel.passive","target_field": "data_channel_passive", "ignore_missing": true } },
- { "dot_expander": { "field": "data_channel.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.data_channel.orig_h","target_field": "data_channel_source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "data_channel.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.data_channel.resp_h","target_field": "data_channel_destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "data_channel.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.data_channel.resp_p","target_field": "data_channel_destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_http b/salt/elasticsearch/files/ingest/bro_http
deleted file mode 100644
index 3756ca323..000000000
--- a/salt/elasticsearch/files/ingest/bro_http
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "description" : "bro_http",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.trans_depth", "target_field": "trans_depth", "ignore_missing": true } },
- { "rename": { "field": "message2.method", "target_field": "method", "ignore_missing": true } },
- { "rename": { "field": "message2.host", "target_field": "virtual_host", "ignore_missing": true } },
- { "rename": { "field": "message2.uri", "target_field": "uri", "ignore_missing": true } },
- { "rename": { "field": "message2.referrer", "target_field": "referrer", "ignore_missing": true } },
- { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
- { "rename": { "field": "message2.user_agent", "target_field": "useragent", "ignore_missing": true } },
- { "rename": { "field": "message2.request_body_len", "target_field": "request_body_length", "ignore_missing": true } },
- { "rename": { "field": "message2.response_body_len","target_field": "response_body_length", "ignore_missing": true } },
- { "rename": { "field": "message2.status_code", "target_field": "status_code", "ignore_missing": true } },
- { "rename": { "field": "message2.status_msg", "target_field": "status_message", "ignore_missing": true } },
- { "rename": { "field": "message2.info_code", "target_field": "info_code", "ignore_missing": true } },
- { "rename": { "field": "message2.info_msg", "target_field": "info_message", "ignore_missing": true } },
- { "remove": { "field": "message2.tags", "ignore_failure": true } },
- { "rename": { "field": "message2.username", "target_field": "user", "ignore_missing": true } },
- { "rename": { "field": "message2.password", "target_field": "password", "ignore_missing": true } },
- { "rename": { "field": "message2.proxied", "target_field": "proxied", "ignore_missing": true } },
- { "rename": { "field": "message2.orig_fuids", "target_field": "orig_fuids", "ignore_missing": true } },
- { "rename": { "field": "message2.orig_filenames", "target_field": "orig_filenames", "ignore_missing": true } },
- { "rename": { "field": "message2.orig_mime_types", "target_field": "orig_mime_types", "ignore_missing": true } },
- { "rename": { "field": "message2.resp_fuids", "target_field": "resp_fuids", "ignore_missing": true } },
- { "rename": { "field": "message2.resp_filenames", "target_field": "resp_filenames", "ignore_missing": true } },
- { "rename": { "field": "message2.resp_mime_types", "target_field": "resp_mime_types", "ignore_missing": true } },
- { "script": { "lang": "painless", "source": "ctx.uri_length = ctx.uri.length()", "ignore_failure": true } },
- { "script": { "lang": "painless", "source": "ctx.useragent_length = ctx.useragent.length()", "ignore_failure": true } },
- { "script": { "lang": "painless", "source": "ctx.virtual_host_length = ctx.virtual_host.length()", "ignore_failure": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_intel b/salt/elasticsearch/files/ingest/bro_intel
deleted file mode 100644
index 9718bd45e..000000000
--- a/salt/elasticsearch/files/ingest/bro_intel
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "description" : "bro_intel",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "dot_expander": { "field": "seen.indicator", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.seen.indicator", "target_field": "indicator", "ignore_missing": true } },
- { "dot_expander": { "field": "seen.indicator_type", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.seen.indicator_type", "target_field": "indicator_type", "ignore_missing": true } },
- { "dot_expander": { "field": "seen.where", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.seen.where", "target_field": "seen_where", "ignore_missing": true } },
- { "dot_expander": { "field": "seen.node", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.seen.node", "target_field": "seen_node", "ignore_missing": true } },
- { "rename": { "field": "message2.matched", "target_field": "matched", "ignore_missing": true } },
- { "rename": { "field": 
"message2.sources", "target_field": "sources", "ignore_missing": true } },
- { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
- { "rename": { "field": "message2.file_mime_type", "target_field": "mimetype", "ignore_missing": true } },
- { "rename": { "field": "message2.file_desc", "target_field": "file_description", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_irc b/salt/elasticsearch/files/ingest/bro_irc
deleted file mode 100644
index 079c410ee..000000000
--- a/salt/elasticsearch/files/ingest/bro_irc
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "description" : "bro_irc",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.nick", "target_field": "nick", "ignore_missing": true } },
- { "rename": { "field": "message2.user", "target_field": "irc_username", "ignore_missing": true } },
- { "rename": { "field": "message2.command", "target_field": "irc_command", "ignore_missing": true } },
- { "rename": { "field": "message2.value", "target_field": "value", "ignore_missing": true } },
- { "rename": { "field": "message2.addl", "target_field": "additional_info", "ignore_missing": true } },
- { "rename": { "field": "message2.dcc_file_name", "target_field": "dcc_file_name", "ignore_missing": true } },
- { "rename": { "field": "message2.dcc_file_size", "target_field": "dcc_file_size", "ignore_missing": true } },
- { "rename": { "field": "message2.dcc_mime_type", "target_field": "dcc_mime_type", "ignore_missing": true } },
- { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
- { "pipeline": { 
"name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_kerberos b/salt/elasticsearch/files/ingest/bro_kerberos
deleted file mode 100644
index 83c93476d..000000000
--- a/salt/elasticsearch/files/ingest/bro_kerberos
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- "description" : "bro_kerberos",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.request_type", "target_field": "request_type", "ignore_missing": true } },
- { "rename": { "field": "message2.client", "target_field": "client", "ignore_missing": true } },
- { "rename": { "field": "message2.service", "target_field": "service", "ignore_missing": true } },
- { "rename": { "field": "message2.success", "target_field": "kerberos_success", "ignore_missing": true } },
- { "rename": { "field": "message2.error_msg", "target_field": "error_message", "ignore_missing": true } },
- { "rename": { "field": "message2.from", "target_field": "valid_from", "ignore_missing": true } },
- { "rename": { "field": "message2.till", "target_field": "valid_till", "ignore_missing": true } },
- { "rename": { "field": "message2.cipher", "target_field": "cipher", "ignore_missing": true } },
- { "rename": { "field": "message2.forwardable", "target_field": "forwardable", "ignore_missing": true } },
- { "rename": { 
"field": "message2.renewable", "target_field": "renewable", "ignore_missing": true } },
- { "rename": { "field": "message2.client_cert_subject", "target_field": "client_certificate_subject", "ignore_missing": true } },
- { "rename": { "field": "message2.client_cert_fuid", "target_field": "client_certificate_fuid", "ignore_missing": true } },
- { "rename": { "field": "message2.server_cert_subject", "target_field": "server_certificate_subject", "ignore_missing": true } },
- { "rename": { "field": "message2.server_cert_fuid", "target_field": "server_certificate_fuid", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_modbus b/salt/elasticsearch/files/ingest/bro_modbus
deleted file mode 100644
index 3c3b17c45..000000000
--- a/salt/elasticsearch/files/ingest/bro_modbus
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "description" : "bro_modbus",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.func", "target_field": "function", "ignore_missing": true } },
- { "rename": { "field": "message2.exception", "target_field": "exception", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_mysql b/salt/elasticsearch/files/ingest/bro_mysql
deleted file mode 100644
index 676213b06..000000000
--- a/salt/elasticsearch/files/ingest/bro_mysql
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "description" : "bro_mysql",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.cmd", "target_field": "mysql_command", "ignore_missing": true } },
- { "rename": { "field": "message2.arg", "target_field": "mysql_argument", "ignore_missing": true } },
- { "rename": { "field": "message2.success", "target_field": "mysql_success", "ignore_missing": true } },
- { "rename": { "field": "message2.rows", "target_field": "rows", "ignore_missing": true } },
- { "rename": { "field": "message2.response", "target_field": "response", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_notice b/salt/elasticsearch/files/ingest/bro_notice
deleted file mode 100644
index 4ba1b7d88..000000000
--- a/salt/elasticsearch/files/ingest/bro_notice
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "description" : "bro_notice",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "remove": { "field": "message2.dst", "ignore_failure": true } },
- { "remove": { "field": "message2.src", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
- { "rename": { "field": "message2.mime", "target_field": "file_mime_type", "ignore_missing": true } },
- { "rename": { "field": "message2.desc", "target_field": "file_description", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
- { "rename": { "field": "message2.note", "target_field": "note", "ignore_missing": true } },
- { "rename": { "field": "message2.msg", "target_field": "msg", "ignore_missing": true } },
- { "rename": { "field": "message2.sub", "target_field": "sub_msg", "ignore_missing": true } },
- { "rename": { "field": "message2.p", "target_field": "p", "ignore_missing": true } },
- { "rename": { "field": 
"message2.n", "target_field": "n", "ignore_missing": true } },
- { "rename": { "field": "message2.peer_descr", "target_field": "peer_description", "ignore_missing": true } },
- { "rename": { "field": "message2.actions", "target_field": "action", "ignore_missing": true } },
- { "rename": { "field": "message2.suppress_for", "target_field": "suppress_for", "ignore_missing": true } },
- { "rename": { "field": "message2.dropped", "target_field": "dropped", "ignore_missing": true } },
- { "rename": { "field": "message2.destination_country_code", "target_field": "destination_country_code", "ignore_missing": true } },
- { "rename": { "field": "message2.destination_region", "target_field": "destination_region", "ignore_missing": true } },
- { "rename": { "field": "message2.destination_city", "target_field": "destination_city", "ignore_missing": true } },
- { "rename": { "field": "message2.destination_latitude", "target_field": "destination_latitude", "ignore_missing": true } },
- { "rename": { "field": "message2.destination_longitude", "target_field": "destination_longitude", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_ntlm b/salt/elasticsearch/files/ingest/bro_ntlm
deleted file mode 100644
index 0921a5dbc..000000000
--- a/salt/elasticsearch/files/ingest/bro_ntlm
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "description" : "bro_ntlm",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.hostname", "target_field": "hostname", "ignore_missing": true } },
- { "rename": { "field": "message2.domainname", "target_field": "domain_name", "ignore_missing": true } },
- { "rename": { "field": "message2.success", "target_field": "ntlm_success", "ignore_missing": true } },
- { "rename": { "field": "message2.status", "target_field": "status", "ignore_missing": true } },
- { "rename": { "field": "message2.username", "target_field": "username", "ignore_missing": true } },
- { "rename": { "field": "message2.server_dns_computer_name", "target_field": "server_dns_computer_name", "ignore_missing": true } },
- { "rename": { "field": "message2.server_nb_computer_name", "target_field": "server_nb_computer_name", "ignore_missing": true } },
- { "rename": { "field": "message2.server_tree_name", "target_field": "server_tree_name", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_pe b/salt/elasticsearch/files/ingest/bro_pe
deleted file mode 100644
index 2597d3e26..000000000
--- a/salt/elasticsearch/files/ingest/bro_pe
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "description" : "bro_pe",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id", "target_field": "fuid", "ignore_missing": true } },
- { "rename": { "field": "message2.machine", "target_field": "machine", "ignore_missing": true } },
- { "rename": { "field": "message2.compile_ts", "target_field": "compile_ts", "ignore_missing": true } },
- { "rename": { "field": "message2.os", "target_field": "os", "ignore_missing": true } },
- { "rename": { "field": "message2.subsystem", "target_field": "subsystem", "ignore_missing": true } },
- { "rename": { "field": "message2.is_exe", "target_field": "is_exe", "ignore_missing": true } },
- { "rename": { "field": "message2.is_64bit", "target_field": "is_64bit", "ignore_missing": true } },
- { "rename": { "field": "message2.uses_aslr", "target_field": "uses_aslr", "ignore_missing": true } },
- { "rename": { "field": "message2.uses_dep", "target_field": "uses_dep", "ignore_missing": true } },
- { "rename": { "field": "message2.uses_code_integrity","target_field": "uses_code_integrity","ignore_missing": true } },
- { "rename": { "field": "message2.uses_seh", "target_field": "uses_seh", "ignore_missing": true } },
- { "rename": { "field": "message2.has_import_table", "target_field": "has_import_table", "ignore_missing": true } },
- { "rename": { "field": "message2.has_export_table", "target_field": "has_export_table", "ignore_missing": true } },
- { "rename": { "field": "message2.has_cert_table", "target_field": "has_cert_table", "ignore_missing": true } },
- { "rename": { "field": "message2.has_debug_data", "target_field": "has_debug_data", "ignore_missing": true } },
- { "rename": { "field": "message2.section_names", "target_field": "section_names", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_radius b/salt/elasticsearch/files/ingest/bro_radius
deleted file mode 100644
index 35fede6b7..000000000
--- a/salt/elasticsearch/files/ingest/bro_radius
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "description" : "bro_radius",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.username", "target_field": "username", "ignore_missing": true } },
- { "rename": { "field": "message2.mac", "target_field": "mac", "ignore_missing": true } },
- { "rename": { "field": "message2.framed_addr", "target_field": "framed_addr", "ignore_missing": true } },
- { "rename": { "field": "message2.remote_ip", "target_field": "remote_ip", "ignore_missing": true } },
- { "rename": { "field": "message2.connect_info", "target_field": "connect_info", "ignore_missing": true } },
- { "rename": { "field": "message2.reply_msg", "target_field": "reply_message", "ignore_missing": true } },
- { "rename": { "field": "message2.result", "target_field": "result", "ignore_missing": true } },
- { "remove": { "field": "message2.ttl", "ignore_failure": true } },
- { "rename": { "field": "message2.logged", "target_field": "logged", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_rdp b/salt/elasticsearch/files/ingest/bro_rdp
deleted file mode 100644
index 49849a8c6..000000000
--- a/salt/elasticsearch/files/ingest/bro_rdp
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- "description" : "bro_rdp",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.cookie", "target_field": "cookie", "ignore_missing": true } },
- { "rename": { "field": "message2.result", "target_field": "result", "ignore_missing": true } },
- { "rename": { "field": "message2.security_protocol","target_field": "security_protocol", "ignore_missing": true } },
- { "rename": { "field": "message2.keyboard_layout", "target_field": "keyboard_layout", "ignore_missing": true } },
- { "rename": { "field": "message2.client_build", "target_field": "client_build", "ignore_missing": true } },
- { "rename": { "field": "message2.client_name", "target_field": "client_name", "ignore_missing": true } },
- { "rename": { "field": "message2.client_dig_product_id", "target_field": "client_digital_product_id", "ignore_missing": true } },
- { "rename": { "field": "message2.desktop_width", "target_field": "desktop_width", "ignore_missing": true } },
- { "rename": { "field": "message2.desktop_height", 
"target_field": "desktop_height", "ignore_missing": true } },
- { "rename": { "field": "message2.requested_color_depth", "target_field": "requested_color_depth", "ignore_missing": true } },
- { "rename": { "field": "message2.cert_type", "target_field": "certificate_type", "ignore_missing": true } },
- { "rename": { "field": "message2.cert_count", "target_field": "certificate_count", "ignore_missing": true } },
- { "rename": { "field": "message2.cert_permanent", "target_field": "certificate_permanent","ignore_missing": true } },
- { "rename": { "field": "message2.encryption_level", "target_field": "encryption_level", "ignore_missing": true } },
- { "rename": { "field": "message2.encryption_method","target_field": "encryption_method", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_rfb b/salt/elasticsearch/files/ingest/bro_rfb
deleted file mode 100644
index 0e6cb4eb2..000000000
--- a/salt/elasticsearch/files/ingest/bro_rfb
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "description" : "bro_rfb",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.client_major_version", "target_field": "client_major_version", "ignore_missing": true } },
- { "rename": { "field": "message2.client_minor_version", "target_field": "client_minor_version", "ignore_missing": true } },
- { "rename": { "field": "message2.server_major_version", "target_field": "server_major_version", "ignore_missing": true } },
- { "rename": { "field": "message2.server_minor_version", "target_field": "server_minor_version", "ignore_missing": true } },
- { "rename": { "field": "message2.authentication_method", "target_field": "authentication_method","ignore_missing": true } },
- { "rename": { "field": "message2.auth", "target_field": "auth", "ignore_missing": true } },
- { "rename": { "field": "message2.share_flag", "target_field": "share_flag", "ignore_missing": true } },
- { "rename": { "field": "message2.desktop_name", "target_field": "desktop_name", "ignore_missing": true } },
- { "rename": { "field": "message2.width", "target_field": "width", "ignore_missing": true } },
- { "rename": { "field": "message2.height", "target_field": "height", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_signatures b/salt/elasticsearch/files/ingest/bro_signatures
deleted file mode 100644
index 9187c94a2..000000000
--- a/salt/elasticsearch/files/ingest/bro_signatures
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "description" : "bro_signatures",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.note", "target_field": "note", "ignore_missing": true } },
- { "rename": { "field": "message2.sig_id", "target_field": "signature_id", "ignore_missing": true } },
- { "rename": { "field": "message2.event_msg", "target_field": "event_message", "ignore_missing": true } },
- { "rename": { "field": "message2.sub_msg", "target_field": "sub_message", "ignore_missing": true } },
- { "rename": { "field": "message2.sig_count", "target_field": "signature_count", "ignore_missing": true } },
- { "rename": { "field": "message2.host_count", "target_field": "host_count", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_sip b/salt/elasticsearch/files/ingest/bro_sip
deleted file mode 100644
index 0d55ca5a0..000000000
--- a/salt/elasticsearch/files/ingest/bro_sip
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "description" : "bro_sip",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.trans_depth", "target_field": "trans_depth", "ignore_missing": true } },
- { "rename": { "field": "message2.method", "target_field": "method", "ignore_missing": true } },
- { "rename": { "field": "message2.uri", "target_field": "uri", "ignore_missing": true } },
- { "rename": { "field": "message2.date", "target_field": "date", "ignore_missing": true } },
- { "rename": { "field": "message2.request_from", "target_field": "request_from", "ignore_missing": true } },
- { "rename": { "field": "message2.request_to", "target_field": "request_to", "ignore_missing": true } },
- { "rename": { "field": "message2.response_from", "target_field": "response_from", "ignore_missing": true } },
- { "rename": { "field": "message2.response_to", "target_field": "response_to", "ignore_missing": true } },
- { "rename": { "field": "message2.reply_to", "target_field": "reply_to", "ignore_missing": true } },
- { "rename": { "field": "message2.call_id", "target_field": "call_id", "ignore_missing": true } },
- { "rename": { "field": "message2.seq", "target_field": "seq", "ignore_missing": true } },
- { "rename": { "field": "message2.subject", "target_field": "subject", "ignore_missing": true } },
- { "rename": { "field": "message2.request_path", "target_field": "request_path", "ignore_missing": true } },
- { "rename": { "field": "message2.response_path", "target_field": "response_path", "ignore_missing": true } },
- { "rename": { "field": "message2.user_agent", "target_field": "user_agent", "ignore_missing": true } },
- { "rename": { "field": "message2.status_code", "target_field": "status_code", "ignore_missing": true } },
- { "rename": { "field": "message2.status_msg", "target_field": "status_msg", "ignore_missing": true } },
- { "rename": { "field": "message2.warning", "target_field": "warning", "ignore_missing": true } },
- { "rename": { "field": "message2.request_body_len", "target_field": "request_body_length", "ignore_missing": true } },
- { "rename": { "field": "message2.response_body_len","target_field": "response_body_length", "ignore_missing": true } },
- { "rename": { "field": "message2.content_type", "target_field": "content_type", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_smb_files b/salt/elasticsearch/files/ingest/bro_smb_files
deleted file mode 100644
index 2e552234a..000000000
--- a/salt/elasticsearch/files/ingest/bro_smb_files
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- "description" : "bro_smb_files",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
- { "rename": { "field": "message2.action", "target_field": "action", "ignore_missing": true } },
- { "remove": { "field": "path", "ignore_failure": true } },
- { "rename": { "field": "message2.path", "target_field": "path", "ignore_missing": true } },
- { "rename": { "field": "message2.name", "target_field": "name", "ignore_missing": true } },
- { "rename": { "field": "message2.size", "target_field": "size", "ignore_missing": true } },
- { "rename": { "field": "message2.prev_name", "target_field": "prev_name", "ignore_missing": true } },
- { "dot_expander": { "field": "times.modified", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.times.modified", "target_field": "times_modified", "ignore_missing": true } },
- { "dot_expander": { "field": "times.accessed", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.times.accessed", "target_field": "times_accessed", "ignore_missing": true } },
- { "dot_expander": { "field": "times.created", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.times.created", "target_field": "times_created", "ignore_missing": true } },
- { "dot_expander": { "field": "times.changed", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.times.changed", "target_field": "times_changed", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_smb_mapping b/salt/elasticsearch/files/ingest/bro_smb_mapping
deleted file mode 100644
index 220a10e2b..000000000
--- a/salt/elasticsearch/files/ingest/bro_smb_mapping
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "description" : "bro_smb_files",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "remove": { "field": "path", "ignore_failure": true } },
- { "rename": { "field": "message2.path", "target_field": "path", "ignore_missing": true } },
- { "rename": { "field": "message2.service", "target_field": "service", "ignore_missing": true } },
- { "rename": { "field": "message2.native_file_system", "target_field": "native_file_system", "ignore_missing": true } },
- { "rename": { "field": "message2.share_type", "target_field": "share_type", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_smtp b/salt/elasticsearch/files/ingest/bro_smtp
deleted file mode 100644
index d5e9a6d6f..000000000
--- a/salt/elasticsearch/files/ingest/bro_smtp
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "description" : "bro_smtp",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "remove": { "field": "path", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.trans_depth", "target_field": "trans_depth", "ignore_missing": true } },
- { "rename": { "field": "message2.helo", "target_field": "helo", "ignore_missing": true } },
- { "rename": { "field": "message2.mailfrom", "target_field": "mail_from", "ignore_missing": true } },
- { "rename": { "field": "message2.rcptto", "target_field": "recipient_to", "ignore_missing": true } },
- { "rename": { "field": "message2.date", "target_field": "mail_date", "ignore_missing": true } },
- { "rename": { "field": "message2.from", "target_field": "from", "ignore_missing": true } },
- { "rename": { "field": "message2.to", "target_field": "to", "ignore_missing": true } },
- { "rename": { "field": "message2.cc", "target_field": "cc", "ignore_missing": true } },
- { "rename": { "field": "message2.reply_to", "target_field": "reply_to", "ignore_missing": true } },
- { "rename": { "field": "message2.msg_id", "target_field": "message_id", "ignore_missing": true } },
- { "rename": { "field": "message2.in_reply_to", "target_field": "in_reply_to", "ignore_missing": true } },
- { "rename": { "field": "message2.subject", "target_field": "subject", "ignore_missing": true } },
- { "rename": { "field": "message2.x_originating_ip", "target_field": "x_originating_ip", "ignore_missing": true } },
- { "rename": { "field": "message2.first_received", "target_field": "first_received", "ignore_missing": true } },
- { "rename": { "field": "message2.second_received", "target_field": "second_received", "ignore_missing": true } },
- { "rename": { "field": "message2.last_reply", "target_field": "last_reply", "ignore_missing": true } },
- { "rename": { "field": "message2.path", "target_field": "path", "ignore_missing": true } },
- { "rename": { "field": "message2.user_agent", "target_field": "useragent", "ignore_missing": true } },
- { "rename": { "field": "message2.tls", "target_field": "tls", "ignore_missing": true } },
- { "rename": { "field": "message2.fuids", "target_field": "fuids", "ignore_missing": true } },
- { "rename": { "field": "message2.is_webmail", "target_field": "is_webmail", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_snmp b/salt/elasticsearch/files/ingest/bro_snmp
deleted file mode 100644
index 31eb9514d..000000000
--- a/salt/elasticsearch/files/ingest/bro_snmp
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "description" : "bro_snmp",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.duration", "target_field": "duration", "ignore_missing": true } },
- { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
- { "rename": { "field": "message2.community", "target_field": "community", "ignore_missing": true } },
- { "rename": { "field": "message2.get_requests", "target_field": "get_requests", "ignore_missing": true } },
- { "rename": { "field": "message2.get_bulk_requests","target_field": "get_bulk_requests", "ignore_missing": true } },
- { "rename": { "field": "message2.get_responses", "target_field": "get_responses", "ignore_missing": true } },
- { "rename": { "field": "message2.set_requests", "target_field": "set_requests", "ignore_missing": true } },
- { "rename": { "field": "message2.display_string", "target_field": "display_string", "ignore_missing": true } },
- { "rename": { "field": "message2.up_since", "target_field": "up_since", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_socks b/salt/elasticsearch/files/ingest/bro_socks
deleted file mode 100644
index 421168baf..000000000
--- a/salt/elasticsearch/files/ingest/bro_socks
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "description" : "bro_socks",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
- { "rename": { "field": "message2.user", "target_field": "user", "ignore_missing": true } },
- { "rename": { "field": "message2.password", "target_field": "password", "ignore_missing": true } },
- { "rename": { "field": "message2.status", "target_field": "status", "ignore_missing": true } },
- { "rename": { "field": "message2.request_host", "target_field": "request_host", "ignore_missing": true } },
- { "dot_expander": { "field": "request.name", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.request.name", "target_field": "request_name", "ignore_missing": true } },
- { "rename": { "field": "message2.request_p", "target_field": "request_port", "ignore_missing": true } },
- { "dot_expander": { "field": "bound.host", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.bound.host", "target_field": "bound_host", "ignore_missing": true } },
- { "rename": { "field": "message2.bound_name", "target_field": "bound_name", "ignore_missing": true } },
- { "rename": { "field": "message2.bound_p", "target_field": "bound_port", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_software b/salt/elasticsearch/files/ingest/bro_software
deleted file mode 100644
index c3cfc711b..000000000
--- a/salt/elasticsearch/files/ingest/bro_software
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "description" : "bro_software",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "version.major", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.version.major", "target_field": "version_major", "ignore_missing": true } },
- { "dot_expander": { "field": "version.minor", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.version.minor", "target_field": "version_minor", "ignore_missing": true } },
- { "dot_expander": { "field": "version.minor2", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.version.minor2", "target_field": "version_minor2", "ignore_missing": true } },
- { "dot_expander": { "field": "version.minor3", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.version.minor3", "target_field": "version_minor3", "ignore_missing": true } },
- { "dot_expander": { "field": "version.addl", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.version.addl", "target_field": "version_additional_info", "ignore_missing": true } },
- { "rename": { "field": "message2.host", "target_field": "source.ip", "ignore_missing": true } },
- { "rename": { "field": "message2.host_p", "target_field": "source.port", "ignore_missing": true } },
- { "rename": { "field": "message2.software_type", "target_field": "software_type", "ignore_missing": true } },
- { "rename": { "field": "message2.name", "target_field": "name", "ignore_missing": true } },
- { "rename": { "field": "message2.unparsed_version", "target_field": "unparsed_version", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_ssh b/salt/elasticsearch/files/ingest/bro_ssh
deleted file mode 100644
index 583e5e1bb..000000000
--- a/salt/elasticsearch/files/ingest/bro_ssh
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- "description" : "bro_conn",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "rename": { "field": "message2.hassh", "target_field": "hassh", "ignore_missing": true } },
- { "rename": { "field": "message2.auth_success", "target_field": "authentication_success", "ignore_missing": true } },
- { "rename": { "field": "message2.auth_attempts", "target_field": "authentication_attempts", "ignore_missing": true } },
- { "rename": { "field": "message2.direction", "target_field": "direction", "ignore_missing": true } },
- { "rename": { "field": "message2.client", "target_field": "client", "ignore_missing": true } },
- { "rename": { "field": "message2.server", "target_field": "server", "ignore_missing": true } },
- { "rename": { "field": "message2.cipher_alg", "target_field": "cipher_algorithm", "ignore_missing": true } },
- { "rename": { "field": "message2.compression_alg", "target_field": "compression_algorithm", "ignore_missing": true } },
- { "rename": { "field": "message2.cshka", "target_field": "client_host_key_algorithms", "ignore_missing": true } },
- { "rename": { "field": "message2.host_key_alg", "target_field": "host_key_algorithm", "ignore_missing": true } },
- { "rename": { "field": "message2.hasshAlgorithms", "target_field": "hassh_algorithms", "ignore_missing": true } },
- { "rename": { "field": "message2.hasshServer", "target_field": "hassh_server", "ignore_missing": true } },
- { "rename": { "field": "message2.hasshVersion", "target_field": "hassh_version", "ignore_missing": true } },
- { "rename": { "field": "message2.kex_alg", "target_field": "kex_algorithm", "ignore_missing": true } },
- { "rename": { "field": "message2.mac_alg", "target_field": "mac_algorithm", "ignore_missing": true } },
- { "rename": { "field": "message2.sshka", "target_field": "server_host_key_algorithms", "ignore_missing": true } },
- { "rename": { "field": "message2.host_key", "target_field": "host_key", "ignore_missing": true } },
- { "rename": { "field": "message2.destination_region", "target_field": "destination_region", "ignore_missing": true } },
- { "rename": { "field": "message2.destination_city", "target_field": "destination_city", "ignore_missing": true } },
- { "rename": { "field": "message2.destination_latitude", "target_field": "destination_latitude", "ignore_missing": true } },
- { "rename": { "field": "message2.destination_longitude", "target_field": "destination_longitude", "ignore_missing": true } },
- { "rename": { "field": "message2.destination_country_code", "target_field": "destination_country_code", "ignore_missing": true } },
- { "rename": { "field": "message2.hasshServerAlgorithms", "target_field": "hassh_server_algorithms", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_ssl b/salt/elasticsearch/files/ingest/bro_ssl
deleted file mode 100644
index 83298b323..000000000
--- a/salt/elasticsearch/files/ingest/bro_ssl
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "description" : "bro_ssl",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
- { "rename": { "field": "message2.cipher", "target_field": "cipher", "ignore_missing": true } },
- { "rename": { "field": "message2.curve", "target_field": "curve", "ignore_missing": true } },
- { "rename": { "field": "message2.server_name", "target_field": "server_name", "ignore_missing": true } },
- { "rename": { "field": "message2.resumed", "target_field": "resumed", "ignore_missing": true } },
- { "rename": { "field": "message2.last_alert", "target_field": "last_alert", "ignore_missing": true } },
- { "rename": { "field": "message2.next_protocol", "target_field": "next_protocol", "ignore_missing": true } },
- { "rename": { "field": "message2.established", "target_field": "established", "ignore_missing": true } },
- { "rename": { "field": "message2.cert_chain_fuids", "target_field": "certificate_chain_fuids", "ignore_missing": true } },
- { "rename": { "field": "message2.client_cert_chain_fuids", "target_field": "client_certificate_chain_fuids", "ignore_missing": true } },
- { "rename": { "field": "message2.subject", "target_field": "certificate_subject", "ignore_missing": true } },
- { "rename": { "field": "message2.issuer", "target_field": "certificate_issuer", "ignore_missing": true } },
- { "rename": { "field": "message2.client_subject", "target_field": "client_subject", "ignore_missing": true } },
- { "rename": { "field": "message2.client_issuer", "target_field": "client_issuer", "ignore_missing": true } },
- { "rename": { "field": "message2.validation_status","target_field": "validation_status", "ignore_missing": true } },
- { "rename": { "field": "message2.ja3", "target_field": "ja3", "ignore_missing": true } },
- { "rename": { "field": "message2.ja3s", "target_field": "ja3s", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common_ssl" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_syslog b/salt/elasticsearch/files/ingest/bro_syslog
deleted file mode 100644
index 84d1bcdf2..000000000
--- a/salt/elasticsearch/files/ingest/bro_syslog
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "description" : "bro_syslog",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
- { "rename": { "field": "message2.facility", "target_field": "facility", "ignore_missing": true } },
- { "rename": { "field": "message2.severity", "target_field": "severity", "ignore_missing": true } },
- { "remove": { "field": "message", "ignore_failure": true } },
- { "rename": { "field": "message2.message", "target_field": "message", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_tunnel b/salt/elasticsearch/files/ingest/bro_tunnel
deleted file mode 100644
index 21fa06deb..000000000
--- a/salt/elasticsearch/files/ingest/bro_tunnel
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "description" : "bro_tunnel",
- "processors" : [
- { "set": { "field": "event_type", "value": "bro_tunnels" } },
- { "pipeline": { "name": "bro_tunnels" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_tunnels b/salt/elasticsearch/files/ingest/bro_tunnels
deleted file mode 100644
index daec8fba7..000000000
--- a/salt/elasticsearch/files/ingest/bro_tunnels
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "description" : "bro_tunnels",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.tunnel_type", "target_field": "tunnel_type", "ignore_missing": true } },
- { "rename": { "field": "message2.action", "target_field": "action", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_weird b/salt/elasticsearch/files/ingest/bro_weird
deleted file mode 100644
index 1bf155514..000000000
--- a/salt/elasticsearch/files/ingest/bro_weird
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "description" : "bro_weird",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.name", "target_field": "name", "ignore_missing": true } },
- { "rename": { "field": "message2.addl", "target_field": "additional_info", "ignore_missing": true } },
- { "rename": { "field": "message2.notice", "target_field": "notice", "ignore_missing": true } },
- { "rename": { "field": "message2.peer", "target_field": "peer", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common" } }
- ]
-}
diff --git a/salt/elasticsearch/files/ingest/bro_x509 b/salt/elasticsearch/files/ingest/bro_x509
deleted file mode 100644
index 56e905347..000000000
--- a/salt/elasticsearch/files/ingest/bro_x509
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "description" : "bro_x509",
- "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id", "target_field": "id", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.version", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.version", "target_field": "certificate_version", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.serial", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.serial", "target_field": "certificate_serial", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.subject", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.subject", "target_field": "certificate_subject", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.issuer", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.issuer", "target_field": "certificate_issuer", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.not_valid_before", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.not_valid_before", "target_field": "certificate_not_valid_before", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.not_valid_after", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.not_valid_after", "target_field": "certificate_not_valid_after", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.key_alg", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.key_alg", "target_field": "certificate_key_algorithm", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.sig_alg", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.sig_alg", "target_field": "certificate_signing_algorithm", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.key_type", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.key_type", "target_field": "certificate_key_type", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.key_length", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.key_length", "target_field": "certificate_key_length", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.exponent", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.exponent", "target_field": "certificate_exponent", "ignore_missing": true } },
- { "dot_expander": { "field": "certificate.curve", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.certificate.curve", "target_field": "certificate_curve", "ignore_missing": true } },
- { "dot_expander": { "field": "san.dns", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.san.dns", "target_field": "san_dns", "ignore_missing": true } },
- { "dot_expander": { "field": "san.uri", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.san.uri", "target_field": "san_uri", "ignore_missing": true } },
- { "dot_expander": { "field": "san.email", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.san.email", "target_field": "san_email", "ignore_missing": true } },
- { "dot_expander": { "field": "san.ip", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.san.ip", "target_field": "san_ip", "ignore_missing": true } },
- { "dot_expander": { "field": "basic_constraints.ca", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.basic_constraints.ca", "target_field": "basic_constraints_ca", "ignore_missing": true } },
- { "dot_expander": { "field": "basic_constraints.path_length", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.basic_constraints.path_length", "target_field": "basic_constraints_path_length", "ignore_missing": true } },
- { "pipeline": { "name": "bro_common_ssl" } }
- ]
-}