From 5fe025318bf21866de33144bbac2bfa7d0b9ae6d Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Mon, 15 Mar 2021 15:53:00 -0400
Subject: [PATCH 1/3] Update Sigmac mappings and config for IPs and ports
---
 .../templates/so/so-common-template.json | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json
index 012c590d0..5e05896c3 100644
--- a/salt/elasticsearch/templates/so/so-common-template.json
+++ b/salt/elasticsearch/templates/so/so-common-template.json
@@ -51,7 +51,14 @@
 "match_mapping_type": "string",
 "path_match": "*.ip",
 "mapping": {
- "type": "ip"
+ "type": "ip",
+ "fields" : {
+ "keyword" : {
+ "ignore_above" : 45,
+ "type" : "keyword"
+ }
+ }
+ }
 }
 },
@@ -60,7 +67,14 @@
 "match_mapping_type": "string",
 "path_match": "*.port",
 "mapping": {
- "type": "integer"
+ "type": "integer",
+ "fields" : {
+ "keyword" : {
+ "ignore_above" : 10,
+ "type" : "keyword"
+ }
+ }
+ }
 }
 },
From 44c75122edded7357ae11e36d76159be418baed9 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 16 Mar 2021 09:05:35 -0400
Subject: [PATCH 2/3] Update Sigmac mappings and config for IPs and ports
---
 salt/elasticsearch/files/ingest/common | 2 --
 1 file changed, 2 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/common b/salt/elasticsearch/files/ingest/common
index 63eb6077a..e8e462053 100644
--- a/salt/elasticsearch/files/ingest/common
+++ b/salt/elasticsearch/files/ingest/common
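Review bot: The added `fields` block is written as `"key" : value` while every surrounding line of this template uses `"key": value`, so the two new `.keyword` sub-fields read as pasted from another file; the same spacing appears in the `*.port` template in the next hunk (`@@ -60,7 +67,14 @@`). As rendered here, three `}` lines are added after `"type" : "keyword"` although only the `"type": "ip"` line was removed, which would close one nesting level more than the context lines account for — possibly a rendering artifact, but worth confirming the template still parses before it is pushed to the cluster. Strict JSON cannot carry a comment explaining `45`, so the commit description is the place to record that it is the longest textual form of an IPv4-mapped IPv6 address and that a value over the cap is silently left out of the keyword index rather than rejected, which matters for any Sigma rule that matches on the `.keyword` side.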
@@ -32,8 +32,6 @@
 { "rename": { "field": "category", "target_field": "event.category", "ignore_failure": true, "ignore_missing": true } },
 { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_failure": true, "ignore_missing": true } },
 { "lowercase": { "field": "event.dataset", "ignore_failure": true, "ignore_missing": true } },
- { "convert": { "field": "destination.port", "type": "integer", "ignore_failure": true, "ignore_missing": true } },
- { "convert": { "field": "source.port", "type": "integer", "ignore_failure": true, "ignore_missing": true } },
 { "convert": { "field": "log.id.uid", "type": "string", "ignore_failure": true, "ignore_missing": true } },
 { "convert": { "field": "agent.id", "type": "string", "ignore_failure": true, "ignore_missing": true } },
 { "convert": { "field": "event.severity", "type": "integer", "ignore_failure": true, "ignore_missing": true } },
From 71ae5b60eac6649890a5e33e1c709379e6ef8a43 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 16 Mar 2021 09:32:40 -0400
Subject: [PATCH 3/3] Update Sigmac mappings and config for IPs and ports
---
 salt/elasticsearch/templates/so/so-common-template.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json
index 5e05896c3..ebf123fed 100644
--- a/salt/elasticsearch/templates/so/so-common-template.json
+++ b/salt/elasticsearch/templates/so/so-common-template.json
@@ -64,13 +64,12 @@
 },
 {
 "port": {
- "match_mapping_type": "string",
 "path_match": "*.port",
 "mapping": {
 "type": "integer",
 "fields" : {
 "keyword" : {
- "ignore_above" : 10,
+ "ignore_above" : 6,
 "type" : "keyword"
 }
 }
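Review bot: With the two `convert` processors removed, nothing in this pipeline normalizes `source.port` and `destination.port` any more, so their type now rests entirely on the index mapping: where the `*.port` dynamic template applies, a string port is coerced to `integer`, but in any index that template does not cover the first event decides the type (`long` for a number, `text` with a `keyword` sub-field for a string), and Sigma-generated range or exact-match queries on ports will then behave differently per index. Neither the hunk nor the commit subject, which is reused verbatim across all three patches, says that the coercion has deliberately moved into the mapping; one sentence to that effect in the commit description, or in the pipeline's `description` field if it has one, would stop the next reader from re-adding these processors. The `processors` array continues on both sides of the hunk.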
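Review bot: Removing `match_mapping_type` widens this template to every type the dynamic mapper can detect for a `*.port` path — numbers and strings as intended, but also booleans, dates and objects — and any value the `integer` mapper cannot coerce makes Elasticsearch reject the whole document rather than just that field. For a detection pipeline, losing an entire event to one odd port value is usually worse than losing the port, so consider adding `"ignore_malformed": true` next to `"type": "integer"`; the event is then indexed, the offending field is dropped, and its name is recorded in the `_ignored` metadata field where a watch or dashboard can surface it. The cap of `6` on the keyword sub-field admits any valid port (five digits at most) and a longer value is silently excluded from the keyword index rather than rejected, which is fine here but deserves a line in the commit description since JSON cannot carry the comment. The enclosing `port` template object closes outside the hunk.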