mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 09:12:45 +01:00
Merge pull request #12160 from Security-Onion-Solutions/feature/additional_integrations_3
Additional Supported Integrations #3
This commit is contained in:
weslambert
GitHub
@@ -40,6 +40,9 @@ elasticfleet:
|
||||
- checkpoint
|
||||
- cisco_asa
|
||||
- cisco_duo
|
||||
- cisco_ftd
|
||||
- cisco_ios
|
||||
- cisco_ise
|
||||
- cisco_meraki
|
||||
- cisco_umbrella
|
||||
- cloudflare
|
||||
@@ -59,6 +62,7 @@ elasticfleet:
|
||||
- google_workspace
|
||||
- http_endpoint
|
||||
- httpjson
|
||||
- iis
|
||||
- juniper
|
||||
- juniper_srx
|
||||
- kafka_log
|
||||
@@ -67,13 +71,16 @@ elasticfleet:
|
||||
- m365_defender
|
||||
- microsoft_defender_endpoint
|
||||
- microsoft_dhcp
|
||||
- microsoft_sqlserver
|
||||
- mimecast
|
||||
- mysql
|
||||
- netflow
|
||||
- o365
|
||||
- okta
|
||||
- osquery_manager
|
||||
- panw
|
||||
- pfsense
|
||||
- proofpoint_tap
|
||||
- pulse_connect_secure
|
||||
- redis
|
||||
- sentinel_one
|
||||
|
||||
@@ -2273,6 +2273,138 @@ elasticsearch:
|
||||
set_priority:
|
||||
priority: 50
|
||||
min_age: 30d
|
||||
so-logs-cisco_ftd_x_log:
|
||||
index_sorting: False
|
||||
index_template:
|
||||
index_patterns:
|
||||
- "logs-cisco_ftd.log-*"
|
||||
template:
|
||||
settings:
|
||||
index:
|
||||
lifecycle:
|
||||
name: so-logs-cisco_ftd.log-logs
|
||||
number_of_replicas: 0
|
||||
composed_of:
|
||||
- "logs-cisco_ftd.log@package"
|
||||
- "logs-cisco_ftd.log@custom"
|
||||
- "so-fleet_globals-1"
|
||||
- "so-fleet_agent_id_verification-1"
|
||||
priority: 501
|
||||
data_stream:
|
||||
hidden: false
|
||||
allow_custom_routing: false
|
||||
policy:
|
||||
phases:
|
||||
cold:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 0
|
||||
min_age: 30d
|
||||
delete:
|
||||
actions:
|
||||
delete: {}
|
||||
min_age: 365d
|
||||
hot:
|
||||
actions:
|
||||
rollover:
|
||||
max_age: 30d
|
||||
max_primary_shard_size: 50gb
|
||||
set_priority:
|
||||
priority: 100
|
||||
min_age: 0ms
|
||||
warm:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 50
|
||||
min_age: 30d
|
||||
so-logs-cisco_ios_x_log:
|
||||
index_sorting: False
|
||||
index_template:
|
||||
index_patterns:
|
||||
- "logs-cisco_ios.log-*"
|
||||
template:
|
||||
settings:
|
||||
index:
|
||||
lifecycle:
|
||||
name: so-logs-cisco_ios.log-logs
|
||||
number_of_replicas: 0
|
||||
composed_of:
|
||||
- "logs-cisco_ios.log@package"
|
||||
- "logs-cisco_ios.log@custom"
|
||||
- "so-fleet_globals-1"
|
||||
- "so-fleet_agent_id_verification-1"
|
||||
priority: 501
|
||||
data_stream:
|
||||
hidden: false
|
||||
allow_custom_routing: false
|
||||
policy:
|
||||
phases:
|
||||
cold:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 0
|
||||
min_age: 30d
|
||||
delete:
|
||||
actions:
|
||||
delete: {}
|
||||
min_age: 365d
|
||||
hot:
|
||||
actions:
|
||||
rollover:
|
||||
max_age: 30d
|
||||
max_primary_shard_size: 50gb
|
||||
set_priority:
|
||||
priority: 100
|
||||
min_age: 0ms
|
||||
warm:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 50
|
||||
min_age: 30d
|
||||
so-logs-cisco_ise_x_log:
|
||||
index_sorting: False
|
||||
index_template:
|
||||
index_patterns:
|
||||
- "logs-cisco_ise.log-*"
|
||||
template:
|
||||
settings:
|
||||
index:
|
||||
lifecycle:
|
||||
name: so-logs-cisco_ise.log-logs
|
||||
number_of_replicas: 0
|
||||
composed_of:
|
||||
- "logs-cisco_ise.log@package"
|
||||
- "logs-cisco_ise.log@custom"
|
||||
- "so-fleet_globals-1"
|
||||
- "so-fleet_agent_id_verification-1"
|
||||
priority: 501
|
||||
data_stream:
|
||||
hidden: false
|
||||
allow_custom_routing: false
|
||||
policy:
|
||||
phases:
|
||||
cold:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 0
|
||||
min_age: 30d
|
||||
delete:
|
||||
actions:
|
||||
delete: {}
|
||||
min_age: 365d
|
||||
hot:
|
||||
actions:
|
||||
rollover:
|
||||
max_age: 30d
|
||||
max_primary_shard_size: 50gb
|
||||
set_priority:
|
||||
priority: 100
|
||||
min_age: 0ms
|
||||
warm:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 50
|
||||
min_age: 30d
|
||||
so-logs-cisco_meraki_x_events:
|
||||
index_sorting: false
|
||||
index_template:
|
||||
@@ -5295,6 +5427,94 @@ elasticsearch:
|
||||
set_priority:
|
||||
priority: 50
|
||||
min_age: 30d
|
||||
so-logs-iis_x_access:
|
||||
index_sorting: False
|
||||
index_template:
|
||||
index_patterns:
|
||||
- "logs-iis.access-*"
|
||||
template:
|
||||
settings:
|
||||
index:
|
||||
lifecycle:
|
||||
name: so-logs-iis.access-logs
|
||||
number_of_replicas: 0
|
||||
composed_of:
|
||||
- "logs-iis.access@package"
|
||||
- "logs-iis.access@custom"
|
||||
- "so-fleet_globals-1"
|
||||
- "so-fleet_agent_id_verification-1"
|
||||
priority: 501
|
||||
data_stream:
|
||||
hidden: false
|
||||
allow_custom_routing: false
|
||||
policy:
|
||||
phases:
|
||||
cold:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 0
|
||||
min_age: 30d
|
||||
delete:
|
||||
actions:
|
||||
delete: {}
|
||||
min_age: 365d
|
||||
hot:
|
||||
actions:
|
||||
rollover:
|
||||
max_age: 30d
|
||||
max_primary_shard_size: 50gb
|
||||
set_priority:
|
||||
priority: 100
|
||||
min_age: 0ms
|
||||
warm:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 50
|
||||
min_age: 30d
|
||||
so-logs-iis_x_error:
|
||||
index_sorting: False
|
||||
index_template:
|
||||
index_patterns:
|
||||
- "logs-iis.error-*"
|
||||
template:
|
||||
settings:
|
||||
index:
|
||||
lifecycle:
|
||||
name: so-logs-iis.error-logs
|
||||
number_of_replicas: 0
|
||||
composed_of:
|
||||
- "logs-iis.error@package"
|
||||
- "logs-iis.error@custom"
|
||||
- "so-fleet_globals-1"
|
||||
- "so-fleet_agent_id_verification-1"
|
||||
priority: 501
|
||||
data_stream:
|
||||
hidden: false
|
||||
allow_custom_routing: false
|
||||
policy:
|
||||
phases:
|
||||
cold:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 0
|
||||
min_age: 30d
|
||||
delete:
|
||||
actions:
|
||||
delete: {}
|
||||
min_age: 365d
|
||||
hot:
|
||||
actions:
|
||||
rollover:
|
||||
max_age: 30d
|
||||
max_primary_shard_size: 50gb
|
||||
set_priority:
|
||||
priority: 100
|
||||
min_age: 0ms
|
||||
warm:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 50
|
||||
min_age: 30d
|
||||
so-logs-juniper_srx_x_log:
|
||||
index_sorting: false
|
||||
index_template:
|
||||
@@ -5867,6 +6087,182 @@ elasticsearch:
|
||||
set_priority:
|
||||
priority: 50
|
||||
min_age: 30d
|
||||
so-logs-microsoft_sqlserver_x_audit:
|
||||
index_sorting: False
|
||||
index_template:
|
||||
index_patterns:
|
||||
- "logs-microsoft_sqlserver.audit-*"
|
||||
template:
|
||||
settings:
|
||||
index:
|
||||
lifecycle:
|
||||
name: so-logs-microsoft_sqlserver.audit-logs
|
||||
number_of_replicas: 0
|
||||
composed_of:
|
||||
- "logs-microsoft_sqlserver.audit@package"
|
||||
- "logs-microsoft_sqlserver.audit@custom"
|
||||
- "so-fleet_globals-1"
|
||||
- "so-fleet_agent_id_verification-1"
|
||||
priority: 501
|
||||
data_stream:
|
||||
hidden: false
|
||||
allow_custom_routing: false
|
||||
policy:
|
||||
phases:
|
||||
cold:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 0
|
||||
min_age: 30d
|
||||
delete:
|
||||
actions:
|
||||
delete: {}
|
||||
min_age: 365d
|
||||
hot:
|
||||
actions:
|
||||
rollover:
|
||||
max_age: 30d
|
||||
max_primary_shard_size: 50gb
|
||||
set_priority:
|
||||
priority: 100
|
||||
min_age: 0ms
|
||||
warm:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 50
|
||||
min_age: 30d
|
||||
so-logs-microsoft_sqlserver_x_log:
|
||||
index_sorting: False
|
||||
index_template:
|
||||
index_patterns:
|
||||
- "logs-microsoft_sqlserver.log-*"
|
||||
template:
|
||||
settings:
|
||||
index:
|
||||
lifecycle:
|
||||
name: so-logs-microsoft_sqlserver.log-logs
|
||||
number_of_replicas: 0
|
||||
composed_of:
|
||||
- "logs-microsoft_sqlserver.log@package"
|
||||
- "logs-microsoft_sqlserver.log@custom"
|
||||
- "so-fleet_globals-1"
|
||||
- "so-fleet_agent_id_verification-1"
|
||||
priority: 501
|
||||
data_stream:
|
||||
hidden: false
|
||||
allow_custom_routing: false
|
||||
policy:
|
||||
phases:
|
||||
cold:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 0
|
||||
min_age: 30d
|
||||
delete:
|
||||
actions:
|
||||
delete: {}
|
||||
min_age: 365d
|
||||
hot:
|
||||
actions:
|
||||
rollover:
|
||||
max_age: 30d
|
||||
max_primary_shard_size: 50gb
|
||||
set_priority:
|
||||
priority: 100
|
||||
min_age: 0ms
|
||||
warm:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 50
|
||||
min_age: 30d
|
||||
so-logs-mysql_x_error:
|
||||
index_sorting: False
|
||||
index_template:
|
||||
index_patterns:
|
||||
- "logs-mysql.error-*"
|
||||
template:
|
||||
settings:
|
||||
index:
|
||||
lifecycle:
|
||||
name: so-logs-mysql.error-logs
|
||||
number_of_replicas: 0
|
||||
composed_of:
|
||||
- "logs-mysql.error@package"
|
||||
- "logs-mysql.error@custom"
|
||||
- "so-fleet_globals-1"
|
||||
- "so-fleet_agent_id_verification-1"
|
||||
priority: 501
|
||||
data_stream:
|
||||
hidden: false
|
||||
allow_custom_routing: false
|
||||
policy:
|
||||
phases:
|
||||
cold:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 0
|
||||
min_age: 30d
|
||||
delete:
|
||||
actions:
|
||||
delete: {}
|
||||
min_age: 365d
|
||||
hot:
|
||||
actions:
|
||||
rollover:
|
||||
max_age: 30d
|
||||
max_primary_shard_size: 50gb
|
||||
set_priority:
|
||||
priority: 100
|
||||
min_age: 0ms
|
||||
warm:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 50
|
||||
min_age: 30d
|
||||
so-logs-mysql_x_slowlog:
|
||||
index_sorting: False
|
||||
index_template:
|
||||
index_patterns:
|
||||
- "logs-mysql.slowlog-*"
|
||||
template:
|
||||
settings:
|
||||
index:
|
||||
lifecycle:
|
||||
name: so-logs-mysql.slowlog-logs
|
||||
number_of_replicas: 0
|
||||
composed_of:
|
||||
- "logs-mysql.slowlog@package"
|
||||
- "logs-mysql.slowlog@custom"
|
||||
- "so-fleet_globals-1"
|
||||
- "so-fleet_agent_id_verification-1"
|
||||
priority: 501
|
||||
data_stream:
|
||||
hidden: false
|
||||
allow_custom_routing: false
|
||||
policy:
|
||||
phases:
|
||||
cold:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 0
|
||||
min_age: 30d
|
||||
delete:
|
||||
actions:
|
||||
delete: {}
|
||||
min_age: 365d
|
||||
hot:
|
||||
actions:
|
||||
rollover:
|
||||
max_age: 30d
|
||||
max_primary_shard_size: 50gb
|
||||
set_priority:
|
||||
priority: 100
|
||||
min_age: 0ms
|
||||
warm:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 50
|
||||
min_age: 30d
|
||||
so-logs-mimecast_x_audit_events:
|
||||
index_sorting: false
|
||||
index_template:
|
||||
@@ -6473,6 +6869,182 @@ elasticsearch:
|
||||
set_priority:
|
||||
priority: 50
|
||||
min_age: 30d
|
||||
so-logs-proofpoint_tap_x_clicks_blocked:
|
||||
index_sorting: False
|
||||
index_template:
|
||||
index_patterns:
|
||||
- "logs-proofpoint_tap.clicks_blocked-*"
|
||||
template:
|
||||
settings:
|
||||
index:
|
||||
lifecycle:
|
||||
name: so-logs-proofpoint_tap.clicks_blocked-logs
|
||||
number_of_replicas: 0
|
||||
composed_of:
|
||||
- "logs-proofpoint_tap.clicks_blocked@package"
|
||||
- "logs-proofpoint_tap.clicks_blocked@custom"
|
||||
- "so-fleet_globals-1"
|
||||
- "so-fleet_agent_id_verification-1"
|
||||
priority: 501
|
||||
data_stream:
|
||||
hidden: false
|
||||
allow_custom_routing: false
|
||||
policy:
|
||||
phases:
|
||||
cold:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 0
|
||||
min_age: 30d
|
||||
delete:
|
||||
actions:
|
||||
delete: {}
|
||||
min_age: 365d
|
||||
hot:
|
||||
actions:
|
||||
rollover:
|
||||
max_age: 30d
|
||||
max_primary_shard_size: 50gb
|
||||
set_priority:
|
||||
priority: 100
|
||||
min_age: 0ms
|
||||
warm:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 50
|
||||
min_age: 30d
|
||||
so-logs-proofpoint_tap_x_clicks_permitted:
|
||||
index_sorting: False
|
||||
index_template:
|
||||
index_patterns:
|
||||
- "logs-proofpoint_tap.clicks_permitted-*"
|
||||
template:
|
||||
settings:
|
||||
index:
|
||||
lifecycle:
|
||||
name: so-logs-proofpoint_tap.clicks_permitted-logs
|
||||
number_of_replicas: 0
|
||||
composed_of:
|
||||
- "logs-proofpoint_tap.clicks_permitted@package"
|
||||
- "logs-proofpoint_tap.clicks_permitted@custom"
|
||||
- "so-fleet_globals-1"
|
||||
- "so-fleet_agent_id_verification-1"
|
||||
priority: 501
|
||||
data_stream:
|
||||
hidden: false
|
||||
allow_custom_routing: false
|
||||
policy:
|
||||
phases:
|
||||
cold:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 0
|
||||
min_age: 30d
|
||||
delete:
|
||||
actions:
|
||||
delete: {}
|
||||
min_age: 365d
|
||||
hot:
|
||||
actions:
|
||||
rollover:
|
||||
max_age: 30d
|
||||
max_primary_shard_size: 50gb
|
||||
set_priority:
|
||||
priority: 100
|
||||
min_age: 0ms
|
||||
warm:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 50
|
||||
min_age: 30d
|
||||
so-logs-proofpoint_tap_x_message_blocked:
|
||||
index_sorting: False
|
||||
index_template:
|
||||
index_patterns:
|
||||
- "logs-proofpoint_tap.message_blocked-*"
|
||||
template:
|
||||
settings:
|
||||
index:
|
||||
lifecycle:
|
||||
name: so-logs-proofpoint_tap.message_blocked-logs
|
||||
number_of_replicas: 0
|
||||
composed_of:
|
||||
- "logs-proofpoint_tap.message_blocked@package"
|
||||
- "logs-proofpoint_tap.message_blocked@custom"
|
||||
- "so-fleet_globals-1"
|
||||
- "so-fleet_agent_id_verification-1"
|
||||
priority: 501
|
||||
data_stream:
|
||||
hidden: false
|
||||
allow_custom_routing: false
|
||||
policy:
|
||||
phases:
|
||||
cold:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 0
|
||||
min_age: 30d
|
||||
delete:
|
||||
actions:
|
||||
delete: {}
|
||||
min_age: 365d
|
||||
hot:
|
||||
actions:
|
||||
rollover:
|
||||
max_age: 30d
|
||||
max_primary_shard_size: 50gb
|
||||
set_priority:
|
||||
priority: 100
|
||||
min_age: 0ms
|
||||
warm:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 50
|
||||
min_age: 30d
|
||||
so-logs-proofpoint_tap_x_message_delivered:
|
||||
index_sorting: False
|
||||
index_template:
|
||||
index_patterns:
|
||||
- "logs-proofpoint_tap.message_delivered-*"
|
||||
template:
|
||||
settings:
|
||||
index:
|
||||
lifecycle:
|
||||
name: so-logs-proofpoint_tap.message_delivered-logs
|
||||
number_of_replicas: 0
|
||||
composed_of:
|
||||
- "logs-proofpoint_tap.message_delivered@package"
|
||||
- "logs-proofpoint_tap.message_delivered@custom"
|
||||
- "so-fleet_globals-1"
|
||||
- "so-fleet_agent_id_verification-1"
|
||||
priority: 501
|
||||
data_stream:
|
||||
hidden: false
|
||||
allow_custom_routing: false
|
||||
policy:
|
||||
phases:
|
||||
cold:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 0
|
||||
min_age: 30d
|
||||
delete:
|
||||
actions:
|
||||
delete: {}
|
||||
min_age: 365d
|
||||
hot:
|
||||
actions:
|
||||
rollover:
|
||||
max_age: 30d
|
||||
max_primary_shard_size: 50gb
|
||||
set_priority:
|
||||
priority: 100
|
||||
min_age: 0ms
|
||||
warm:
|
||||
actions:
|
||||
set_priority:
|
||||
priority: 50
|
||||
min_age: 30d
|
||||
so-logs-pulse_connect_secure_x_log:
|
||||
index_sorting: false
|
||||
index_template:
|
||||
|
||||
@@ -343,6 +343,9 @@ elasticsearch:
|
||||
so-logs-azure_x_springcloudlogs: *indexSettings
|
||||
so-logs-barracuda_x_waf: *indexSettings
|
||||
so-logs-cisco_asa_x_log: *indexSettings
|
||||
so-logs-cisco_ftd_x_log: *indexSettings
|
||||
so-logs-cisco_ios_x_log: *indexSettings
|
||||
so-logs-cisco_ise_x_log: *indexSettings
|
||||
so-logs-cloudflare_x_audit: *indexSettings
|
||||
so-logs-cloudflare_x_logpull: *indexSettings
|
||||
so-logs-crowdstrike_x_falcon: *indexSettings
|
||||
@@ -383,6 +386,8 @@ elasticsearch:
|
||||
so-logs-google_workspace_x_user_accounts: *indexSettings
|
||||
so-logs-http_endpoint_x_generic: *indexSettings
|
||||
so-logs-httpjson_x_generic: *indexSettings
|
||||
so-logs-iis_x_access: *indexSettings
|
||||
so-logs-iis_x_error: *indexSettings
|
||||
so-logs-juniper_x_junos: *indexSettings
|
||||
so-logs-juniper_x_netscreen: *indexSettings
|
||||
so-logs-juniper_x_srx: *indexSettings
|
||||
@@ -396,11 +401,19 @@ elasticsearch:
|
||||
so-logs-m365_defender_x_log: *indexSettings
|
||||
so-logs-microsoft_defender_endpoint_x_log: *indexSettings
|
||||
so-logs-microsoft_dhcp_x_log: *indexSettings
|
||||
so-logs-microsoft_sqlserver_x_audit: *indexSettings
|
||||
so-logs-microsoft_sqlserver_x_log: *indexSettings
|
||||
so-logs-mysql_x_error: *indexSettings
|
||||
so-logs-mysql_x_slowlog: *indexSettings
|
||||
so-logs-netflow_x_log: *indexSettings
|
||||
so-logs-o365_x_audit: *indexSettings
|
||||
so-logs-okta_x_system: *indexSettings
|
||||
so-logs-panw_x_panos: *indexSettings
|
||||
so-logs-pfsense_x_log: *indexSettings
|
||||
so-logs-proofpoint_tap_x_clicks_blocked: *indexSettings
|
||||
so-logs-proofpoint_tap_x_clicks_permitted: *indexSettings
|
||||
so-logs-proofpoint_tap_x_message_blocked: *indexSettings
|
||||
so-logs-proofpoint_tap_x_message_delivered: *indexSettings
|
||||
so-logs-sentinel_one_x_activity: *indexSettings
|
||||
so-logs-sentinel_one_x_agent: *indexSettings
|
||||
so-logs-sentinel_one_x_alert: *indexSettings
|
||||
|
||||
@@ -66,7 +66,8 @@ log_has_errors() {
|
||||
grep -vE "response from daemon: unauthorized" | \
|
||||
grep -vE "Reading first line of patchfile" | \
|
||||
grep -vE "Command failed with exit code" | \
|
||||
grep -vE "Running scope as unit" &> "$error_log"
|
||||
grep -vE "Running scope as unit" | \
|
||||
grep -vE "log-.*-pipeline_failed_attempts" &> "$error_log"
|
||||
|
||||
if [[ $? -eq 0 ]]; then
|
||||
# This function succeeds (returns 0) if errors are detected
|
||||
|
||||
Reference in New Issue
Block a user