From 5090854d4de8d66b488cfb2943716fbb1abc05c5 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 8 Feb 2022 03:03:55 +0000 Subject: [PATCH 1/5] Add additional component templates and index template references --- .../templates/component/ecs/aws.json | 570 ++++++ .../templates/component/ecs/azure.json | 604 ++++++ .../templates/component/ecs/cef.json | 772 ++++++++ .../templates/component/ecs/checkpoint.json | 1615 ++++++++++++++++ .../templates/component/ecs/cisco.json | 620 +++++++ .../templates/component/ecs/cyberark.json | 305 +++ .../templates/component/ecs/fortinet.json | 1627 +++++++++++++++++ .../templates/component/ecs/gcp.json | 267 +++ .../component/ecs/google_workspace.json | 750 ++++++++ .../templates/component/ecs/juniper.json | 378 ++++ .../templates/component/ecs/microsoft.json | 265 +++ .../templates/component/ecs/misp.json | 425 +++++ .../templates/component/ecs/o365.json | 445 +++++ .../templates/component/ecs/okta.json | 293 +++ .../templates/component/ecs/redis.json | 50 + .../templates/component/ecs/snyk.json | 147 ++ .../templates/component/ecs/sophos.json | 722 ++++++++ .../templates/component/ecs/syslog.json | 30 + .../index/so/so-aws-template.json.jinja | 1 + .../index/so/so-azure-template.json.jinja | 1 + .../index/so/so-cef-template.json.jinja | 1 + .../so/so-checkpoint-template.json.jinja | 1 + .../index/so/so-cisco-template.json.jinja | 1 + .../index/so/so-cyberark-template.json.jinja | 1 + .../index/so/so-fortinet-template.json.jinja | 1 + .../index/so/so-gcp-template.json.jinja | 1 + .../so-google_workspace-template.json.jinja | 1 + .../index/so/so-juniper-template.json.jinja | 1 + .../index/so/so-microsoft-template.json.jinja | 1 + .../index/so/so-misp-template.json.jinja | 1 + .../index/so/so-o365-template.json.jinja | 1 + .../index/so/so-okta-template.json.jinja | 1 + .../index/so/so-redis-template.json.jinja | 1 + .../index/so/so-snyk-template.json.jinja | 1 + .../index/so/so-sophos-template.json.jinja | 1 + .../index/so/so-syslog-template.json.jinja | 1 + 36 files changed, 9903 insertions(+) create mode 100644 salt/elasticsearch/templates/component/ecs/aws.json create mode 100644 salt/elasticsearch/templates/component/ecs/azure.json create mode 100644 salt/elasticsearch/templates/component/ecs/cef.json create mode 100644 salt/elasticsearch/templates/component/ecs/checkpoint.json create mode 100644 salt/elasticsearch/templates/component/ecs/cisco.json create mode 100644 salt/elasticsearch/templates/component/ecs/cyberark.json create mode 100644 salt/elasticsearch/templates/component/ecs/fortinet.json create mode 100644 salt/elasticsearch/templates/component/ecs/gcp.json create mode 100644 salt/elasticsearch/templates/component/ecs/google_workspace.json create mode 100644 salt/elasticsearch/templates/component/ecs/juniper.json create mode 100644 salt/elasticsearch/templates/component/ecs/microsoft.json create mode 100644 salt/elasticsearch/templates/component/ecs/misp.json create mode 100644 salt/elasticsearch/templates/component/ecs/o365.json create mode 100644 salt/elasticsearch/templates/component/ecs/okta.json create mode 100644 salt/elasticsearch/templates/component/ecs/redis.json create mode 100644 salt/elasticsearch/templates/component/ecs/snyk.json create mode 100644 salt/elasticsearch/templates/component/ecs/sophos.json create mode 100644 salt/elasticsearch/templates/component/ecs/syslog.json diff --git a/salt/elasticsearch/templates/component/ecs/aws.json b/salt/elasticsearch/templates/component/ecs/aws.json new file mode 100644 index 000000000..ccea31e27 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/aws.json @@ -0,0 +1,570 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "aws": { + "properties": { + "cloudtrail": { + "properties": { + "additional_eventdata": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "console_login": { + "properties": { + "additional_eventdata": { + "properties": { + "login_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "mfa_used": { + "type": "boolean" + }, + "mobile_version": { + "type": "boolean" + } + } + } + } + }, + "digest": { + "properties": { + "end_time": { + "type": "date" + }, + "log_files": { + "type": "nested" + }, + "newest_event_time": { + "type": "date" + }, + "oldest_event_time": { + "type": "date" + }, + "previous_hash_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "previous_s3_bucket": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "s3_bucket": { + "ignore_above": 1024, + "type": "keyword" + }, + "s3_object": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "start_time": { + "type": "date" + } + } + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "flattened": { + "properties": { + "additional_eventdata": { + "type": "flattened" + }, + "request_parameters": { + "type": "flattened" + }, + "response_elements": { + "type": "flattened" + }, + "service_event_details": { + "type": "flattened" + } + } + }, + "insight_details": { + "type": "flattened" + }, + "management_event": { + "ignore_above": 1024, + "type": "keyword" + }, + "read_only": { + "ignore_above": 1024, + "type": "keyword" + }, + "recipient_account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_parameters": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "resources": { + "properties": { + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response_elements": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "service_event_details": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "shared_event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_identity": { + "properties": { + "access_key_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "invoked_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_context": { + "properties": { + "creation_date": { + "type": "date" + }, + "mfa_authenticated": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_issuer": { + "properties": { + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpc_endpoint_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cloudwatch": { + "properties": { + "message": { + "norms": false, + "type": "text" + } + } + }, + "ec2": { + "properties": { + "ip_address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elb": { + "properties": { + "action_executed": { + "ignore_above": 1024, + "type": "keyword" + }, + "backend": { + "properties": { + "http": { + "properties": { + "response": { + "properties": { + "status_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "backend_processing_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "chosen_cert": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_time": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "error": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "incoming_tls_alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "listener": { + "ignore_above": 1024, + "type": "keyword" + }, + "matched_rule_priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "redirect_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_processing_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "response_processing_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "ssl_cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_group": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target_port": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_status_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls_handshake_time": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "tls_named_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "trace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "s3access": { + "properties": { + "authentication_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "bucket": { + "ignore_above": 1024, + "type": "keyword" + }, + "bucket_owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes_sent": { + "type": "long" + }, + "cipher_suite": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_header": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_status": { + "type": "long" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_size": { + "type": "long" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "requester": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_time": { + "type": "long" + }, + "turn_around_time": { + "type": "long" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpcflow": { + "properties": { + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "pkt_dstaddr": { + "type": "ip" + }, + "pkt_srcaddr": { + "type": "ip" + }, + "subnet_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_array": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/azure.json b/salt/elasticsearch/templates/component/ecs/azure.json new file mode 100644 index 000000000..5e1acaae5 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/azure.json @@ -0,0 +1,604 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "azure": { + "properties": { + "activitylogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "properties": { + "authorization": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "evidence": { + "properties": { + "principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "principal_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_assignment_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_assignment_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_definition_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scope": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "claims": { + "properties": { + "*": { + "type": "object" + } + } + }, + "claims_initiated_by_user": { + "properties": { + "fullname": { + "ignore_above": 1024, + "type": "keyword" + }, + "givenname": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "schema": { + "ignore_above": 1024, + "type": "keyword" + }, + "surname": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "type": "flattened" + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "auditlogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "activity_datetime": { + "type": "date" + }, + "activity_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiated_by": { + "properties": { + "app": { + "properties": { + "appId": { + "ignore_above": 1024, + "type": "keyword" + }, + "displayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "servicePrincipalId": { + "ignore_above": 1024, + "type": "keyword" + }, + "servicePrincipalName": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "displayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "userPrincipalName": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "logged_by_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_resources": { + "properties": { + "*": { + "properties": { + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "modified_properties": { + "properties": { + "*": { + "properties": { + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_principal_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "consumer_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "enqueued_time": { + "type": "date" + }, + "eventhub": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + }, + "partition_id": { + "type": "long" + }, + "platformlogs": { + "properties": { + "ActivityId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Caller": { + "ignore_above": 1024, + "type": "keyword" + }, + "Cloud": { + "ignore_above": 1024, + "type": "keyword" + }, + "Environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventTimeString": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScaleUnit": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "ccpNamespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "type": "flattened" + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "authorization_rule": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sequence_number": { + "type": "long" + }, + "signinlogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "app_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_processing_details": { + "type": "flattened" + }, + "authentication_requirement": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_requirement_policies": { + "ignore_above": 1024, + "type": "keyword" + }, + "autonomous_system_number": { + "type": "long" + }, + "client_app_used": { + "ignore_above": 1024, + "type": "keyword" + }, + "conditional_access_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + "cross_tenant_access_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_detail": { + "properties": { + "browser": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operating_system": { + "ignore_above": 1024, + "type": "keyword" + }, + "trust_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flagged_for_review": { + "type": "boolean" + }, + "home_tenant_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_interactive": { + "type": "boolean" + }, + "is_tenant_restricted": { + "type": "boolean" + }, + "original_request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "processing_time_ms": { + "type": "float" + }, + "resource_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_tenant_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_event_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_event_types_v2": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_level_aggregated": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_level_during_signin": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_principal_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sso_extension_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "properties": { + "error_code": { + "type": "long" + } + } + }, + "token_issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "token_issuer_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_principal_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "result_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subscription_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/cef.json b/salt/elasticsearch/templates/component/ecs/cef.json new file mode 100644 index 000000000..376fbf26a --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/cef.json @@ -0,0 +1,772 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "cef": { + "properties": { + "device": { + "properties": { + "event_class_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extensions": { + "properties": { + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentAddress": { + "type": "ip" + }, + "agentDnsDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentMacAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentNtDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentReceiptTime": { + "type": "date" + }, + "agentTimeZone": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentTranslatedAddress": { + "type": "ip" + }, + "agentTranslatedZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentTranslatedZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentType": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "applicationProtocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "baseEventCount": { + "type": "long" + }, + "bytesIn": { + "type": "long" + }, + "bytesOut": { + "type": "long" + }, + "categoryBehavior": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryDeviceGroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryDeviceType": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryObject": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryOutcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "categorySignificance": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryTechnique": { + "ignore_above": 1024, + "type": "keyword" + }, + "cp_app_risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "cp_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "customerExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "customerURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationAddress": { + "type": "ip" + }, + "destinationDnsDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationGeoLatitude": { + "type": "double" + }, + "destinationGeoLongitude": { + "type": "double" + }, + "destinationHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationMacAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationNtDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationPort": { + "type": "long" + }, + "destinationProcessId": { + "type": "long" + }, + "destinationProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationTranslatedAddress": { + "type": "ip" + }, + "destinationTranslatedPort": { + "type": "long" + }, + "destinationTranslatedZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationTranslatedZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationUserPrivileges": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceAction": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceAddress": { + "type": "ip" + }, + "deviceCustomDate1": { + "type": "date" + }, + "deviceCustomDate1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomDate2": { + "type": "date" + }, + "deviceCustomDate2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomFloatingPoint1": { + "type": "double" + }, + "deviceCustomFloatingPoint1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomFloatingPoint2": { + "type": "double" + }, + "deviceCustomFloatingPoint2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomFloatingPoint3": { + "type": "double" + }, + "deviceCustomFloatingPoint3Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomFloatingPoint4": { + "type": "double" + }, + "deviceCustomFloatingPoint4Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomIPv6Address1": { + "type": "ip" + }, + "deviceCustomIPv6Address1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomIPv6Address2": { + "type": "ip" + }, + "deviceCustomIPv6Address2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomIPv6Address3": { + "type": "ip" + }, + "deviceCustomIPv6Address3Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomIPv6Address4": { + "type": "ip" + }, + "deviceCustomIPv6Address4Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomNumber1": { + "type": "long" + }, + "deviceCustomNumber1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomNumber2": { + "type": "long" + }, + "deviceCustomNumber2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomNumber3": { + "type": "long" + }, + "deviceCustomNumber3Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString1": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString2": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString3": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString3Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString4": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString4Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString5": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString5Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString6": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString6Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceDirection": { + "type": "long" + }, + "deviceDnsDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceEventCategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceExternalId": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceFacility": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceFlexNumber1": { + "type": "long" + }, + "deviceFlexNumber1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceFlexNumber2": { + "type": "long" + }, + "deviceFlexNumber2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceInboundInterface": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceMacAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceNtDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceOutboundInterface": { + "ignore_above": 1024, + "type": "keyword" + }, + "devicePayloadId": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceProcessId": { + "type": "long" + }, + "deviceProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceReceiptTime": { + "type": "date" + }, + "deviceTimeZone": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceTranslatedAddress": { + "type": "ip" + }, + "deviceTranslatedZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceTranslatedZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "endTime": { + "type": "date" + }, + "eventId": { + "type": "long" + }, + "eventOutcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "externalId": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileCreateTime": { + "type": "date" + }, + "fileHash": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileId": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileModificationTime": { + "type": "date" + }, + "filePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "filePermission": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileSize": { + "type": "long" + }, + "fileType": { + "ignore_above": 1024, + "type": "keyword" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexDate1": { + "type": "date" + }, + "flexDate1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexString1": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexString1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexString2": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexString2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "ifname": { + "ignore_above": 1024, + "type": "keyword" + }, + "inzone": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "logid": { + "ignore_above": 1024, + "type": "keyword" + }, + "loguid": { + "ignore_above": 1024, + "type": "keyword" + }, + "managerReceiptTime": { + "type": "date" + }, + "match_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_addtnl_rulenum": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_rulenum": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFileCreateTime": { + "type": "date" + }, + "oldFileHash": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFileId": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFileModificationTime": { + "type": "date" + }, + "oldFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFilePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFilePermission": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFileSize": { + "type": "long" + }, + "oldFileType": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "ignore_above": 1024, + "type": "keyword" + }, + "originsicname": { + "ignore_above": 1024, + "type": "keyword" + }, + "outzone": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_rule": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "rawEvent": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestClientApplication": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestContext": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestCookies": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestMethod": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestUrl": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sequencenum": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceAddress": { + "type": "ip" + }, + "sourceDnsDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceGeoLatitude": { + "type": "double" + }, + "sourceGeoLongitude": { + "type": "double" + }, + "sourceHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceMacAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceNtDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourcePort": { + "type": "long" + }, + "sourceProcessId": { + "type": "long" + }, + "sourceProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceTranslatedAddress": { + "type": "ip" + }, + "sourceTranslatedPort": { + "type": "long" + }, + "sourceTranslatedZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceTranslatedZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceUserPrivileges": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "startTime": { + "type": "date" + }, + "transportProtocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "type": "long" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/checkpoint.json b/salt/elasticsearch/templates/component/ecs/checkpoint.json new file mode 100644 index 000000000..bb2f8f6de --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/checkpoint.json @@ -0,0 +1,1615 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "checkpoint": { + "properties": { + "action_reason": { + "type": "long" + }, + "action_reason_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "additional_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "additional_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "additional_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "allocated_ports": { + "type": "long" + }, + "analyzed_on": { + "ignore_above": 1024, + "type": "keyword" + }, + "answer_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "anti_virus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_id": { + "type": "long" + }, + "app_package": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_properties": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_repackaged": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_sid_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_sig_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "appi_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "arrival_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "attachments_num": { + "type": "long" + }, + "attack_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "audit_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "authority_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "authorization": { + "ignore_above": 1024, + "type": "keyword" + }, + "bcc": { + "ignore_above": 1024, + "type": "keyword" + }, + "blade_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "broker_publisher": { + "type": "ip" + }, + "browse_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "c_bytes": { + "type": "long" + }, + "calc_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "capacity": { + "type": "long" + }, + "capture_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cc": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_resource": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_validation": { + "ignore_above": 1024, + "type": "keyword" + }, + "cgnet": { + "ignore_above": 1024, + "type": "keyword" + }, + "chunk_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_type_os": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "community": { + "ignore_above": 1024, + "type": "keyword" + }, + "confidence_level": { + "type": "long" + }, + "connection_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "connectivity_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "connectivity_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "conns_amount": { + "type": "long" + }, + "content_disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_length": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_risk": { + "type": "long" + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_num": { + "type": "long" + }, + "cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookieI": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookieR": { + "ignore_above": 1024, + "type": "keyword" + }, + "cp_message": { + "type": "long" + }, + "cvpn_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvpn_resource": { + "ignore_above": 1024, + "type": "keyword" + }, + "data_type_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dce-rpc_interface_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_object": { + "ignore_above": 1024, + "type": "keyword" + }, + "detected_on": { + "ignore_above": 1024, + "type": "keyword" + }, + "developer_certificate_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "diameter_app_ID": { + "type": "long" + }, + "diameter_cmd_code": { + "type": "long" + }, + "diameter_msg_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_action_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_additional_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_data_type_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_data_type_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_fingerprint_files_number": { + "type": "long" + }, + "dlp_fingerprint_long_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_fingerprint_short_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_incident_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_recipients": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_related_incident_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_relevant_data_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_repository_directories_number": { + "type": "long" + }, + "dlp_repository_files_number": { + "type": "long" + }, + "dlp_repository_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_repository_not_scanned_directories_percentage": { + "type": "long" + }, + "dlp_repository_reached_directories_number": { + "type": "long" + }, + "dlp_repository_root_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_repository_scan_progress": { + "type": "long" + }, + "dlp_repository_scanned_directories_number": { + "type": "long" + }, + "dlp_repository_scanned_files_number": { + "type": "long" + }, + "dlp_repository_scanned_total_size": { + "type": "long" + }, + "dlp_repository_skipped_files_number": { + "type": "long" + }, + "dlp_repository_total_size": { + "type": "long" + }, + "dlp_repository_unreachable_directories_number": { + "type": "long" + }, + "dlp_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_template_score": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_transint": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_violation_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_watermark_profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_word_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_query": { + "ignore_above": 1024, + "type": "keyword" + }, + "drop_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_verdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_incoming": { + "type": "long" + }, + "dropped_outgoing": { + "type": "long" + }, + "dropped_total": { + "type": "long" + }, + "drops_amount": { + "type": "long" + }, + "dst_country": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_phone_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstkeyid": { + "ignore_above": 1024, + "type": "keyword" + }, + "duplicate": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "ignore_above": 1024, + "type": "keyword" + }, + "elapsed": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_content": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_control": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_control_analysis": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_headers": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_queue_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_queue_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_recipients_num": { + "type": "long" + }, + "email_session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_spam_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_spool_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "emulated_on": { + "ignore_above": 1024, + "type": "keyword" + }, + "encryption_failure": { + "ignore_above": 1024, + "type": "keyword" + }, + "end_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "end_user_firewall_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_access_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_associated_policies": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_noncompliance_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_rule_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_rule_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_scan_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_count": { + "type": "long" + }, + "expire_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_verdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_impact": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "files_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "first_hit_time": { + "type": "long" + }, + "frequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "fs-proto": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftp_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "fw_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "fw_subproduct": { + "ignore_above": 1024, + "type": "keyword" + }, + "hide_ip": { + "type": "ip" + }, + "hit": { + "type": "long" + }, + "host_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_location": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_server": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_inspection_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_inspection_rule_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_inspection_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_validation": { + "ignore_above": 1024, + "type": "keyword" + }, + "icap_more_info": { + "type": "long" + }, + "icap_server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "icap_server_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "icap_service_id": { + "type": "long" + }, + "icmp": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "long" + }, + "icmp_type": { + "type": "long" + }, + "id": { + "type": "long" + }, + "identity_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "ike": { + "ignore_above": 1024, + "type": "keyword" + }, + "ike_ids": { + "ignore_above": 1024, + "type": "keyword" + }, + "impacted_files": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "info": { + "ignore_above": 1024, + "type": "keyword" + }, + "information": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_item": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_settings_log": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed_products": { + "ignore_above": 1024, + "type": "keyword" + }, + "int_end": { + "type": "long" + }, + "int_start": { + "type": "long" + }, + "integrity_av_invoke_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "internal_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "invalid_file_size": { + "type": "long" + }, + "ip_option": { + "type": "long" + }, + "isp_link": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_hit_time": { + "type": "long" + }, + "last_rematch_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "limit_applied": { + "type": "long" + }, + "limit_requested": { + "type": "long" + }, + "link_probing_status_update": { + "ignore_above": 1024, + "type": "keyword" + }, + "links_num": { + "type": "long" + }, + "log_delay": { + "type": "long" + }, + "log_id": { + "type": "long" + }, + "logid": { + "ignore_above": 1024, + "type": "keyword" + }, + "long_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "ignore_above": 1024, + "type": "keyword" + }, + "malware_family": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_fk": { + "type": "long" + }, + "match_id": { + "type": "long" + }, + "matched_file": { + "ignore_above": 1024, + "type": "keyword" + }, + "matched_file_percentage": { + "type": "long" + }, + "matched_file_text_segments": { + "type": "long" + }, + "media_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_size": { + "type": "long" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "methods": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "mirror_and_decrypt_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_collection": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_command_and_control": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_credential_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_defense_evasion": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_discovery": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_exfiltration": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_impact": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_initial_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_lateral_movement": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_persistence": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_privilege_escalation": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitor_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat46": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_addtnl_rulenum": { + "type": "long" + }, + "nat_exhausted_pool": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_rulenum": { + "type": "long" + }, + "needs_browse_time": { + "type": "long" + }, + "next_hop_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "next_scheduled_scan_date": { + "ignore_above": 1024, + "type": "keyword" + }, + "number_of_errors": { + "type": "long" + }, + "objecttable": { + "ignore_above": 1024, + "type": "keyword" + }, + "objecttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "observable_comment": { + "ignore_above": 1024, + "type": "keyword" + }, + "observable_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "observable_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_sic_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_queue_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "outgoing_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_amount": { + "type": "long" + }, + "packet_capture_unique_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_file_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_file_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_process_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_rule": { + "type": "long" + }, + "peer_gateway": { + "type": "ip" + }, + "peer_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_ip_probing_status_update": { + "ignore_above": 1024, + "type": "keyword" + }, + "performance_impact": { + "type": "long" + }, + "policy_mgmt": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ports_usage": { + "type": "long" + }, + "ppp": { + "ignore_above": 1024, + "type": "keyword" + }, + "precise_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "process_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxy_machine_name": { + "type": "long" + }, + "proxy_src_ip": { + "type": "ip" + }, + "proxy_user_dn": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxy_user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "question_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer_parent_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer_self_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_ip-phones": { + "ignore_above": 1024, + "type": "keyword" + }, + "reject_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "reject_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "rematch_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediated_files": { + "ignore_above": 1024, + "type": "keyword" + }, + "reply_status": { + "type": "long" + }, + "risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "rpc_prog": { + "type": "long" + }, + "rule": { + "type": "long" + }, + "rule_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "rulebase_id": { + "type": "long" + }, + "scan_direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "scan_hosts_day": { + "type": "long" + }, + "scan_hosts_hour": { + "type": "long" + }, + "scan_hosts_week": { + "type": "long" + }, + "scan_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scan_mail": { + "type": "long" + }, + "scan_result": { + "ignore_above": 1024, + "type": "keyword" + }, + "scan_results": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_activity": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_download_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_total_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrubbed_content": { + "ignore_above": 1024, + "type": "keyword" + }, + "sctp_association_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "sctp_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "scv_message_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "scv_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "securexl_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensor_mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "short_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "sig_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "similar_communication": { + "ignore_above": 1024, + "type": "keyword" + }, + "similar_hashes": { + "ignore_above": 1024, + "type": "keyword" + }, + "similar_strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "similiar_iocs": { + "ignore_above": 1024, + "type": "keyword" + }, + "sip_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "site_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_object": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_os": { + "ignore_above": 1024, + "type": "keyword" + }, + "special_properties": { + "type": "long" + }, + "specific_data_type_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "spyware_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "spyware_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "spyware_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_country": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_phone_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_user_dn": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "srckeyid": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_update": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_policy_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "subs_exp": { + "type": "date" + }, + "subscriber": { + "type": "ip" + }, + "summary": { + "ignore_above": 1024, + "type": "keyword" + }, + "suppressed_logs": { + "type": "long" + }, + "sync": { + "ignore_above": 1024, + "type": "keyword" + }, + "sys_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_end_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_packet_out_of_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "te_verdict_determined_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ticket_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls_server_host_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_archive_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_attachments": { + "type": "long" + }, + "triggered_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "unique_detected_day": { + "type": "long" + }, + "unique_detected_hour": { + "type": "long" + }, + "unique_detected_week": { + "type": "long" + }, + "update_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "verdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "via": { + "ignore_above": 1024, + "type": "keyword" + }, + "virus_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_attach_action_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_attach_sz": { + "type": "long" + }, + "voip_call_dir": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_call_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_call_term_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_config": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_duration": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_est_codec": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_exp": { + "type": "long" + }, + "voip_from_user_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_log_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_media_codec": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_media_ipp": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_media_port": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_reason_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_reg_int": { + "type": "long" + }, + "voip_reg_ipp": { + "type": "long" + }, + "voip_reg_period": { + "type": "long" + }, + "voip_reg_server": { + "type": "ip" + }, + "voip_reg_user_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_reject_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_to_user_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpn_feature_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "watermark": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_server_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "word_list": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/cisco.json b/salt/elasticsearch/templates/component/ecs/cisco.json new file mode 100644 index 000000000..3800b79fc --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/cisco.json @@ -0,0 +1,620 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "cisco": { + "properties": { + "amp": { + "properties": { + "bp_data": { + "type": "flattened" + }, + "cloud_ioc": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "short_description": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "properties": { + "arguments": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "computer": { + "properties": { + "active": { + "type": "boolean" + }, + "connector_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "external_ip": { + "type": "ip" + }, + "network_addresses": { + "type": "flattened" + } + } + }, + "connector_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "detection": { + "ignore_above": 1024, + "type": "keyword" + }, + "detection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event_type_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "archived_file": { + "properties": { + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "attack_details": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "attacked_module": { + "ignore_above": 1024, + "type": "keyword" + }, + "base_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicators": { + "type": "flattened" + }, + "suspicious_files": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "disposition": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "group_guids": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_tactics": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_techniques": { + "ignore_above": 1024, + "type": "keyword" + }, + "network_info": { + "properties": { + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "nfm": { + "properties": { + "direction": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "parent": { + "properties": { + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "identify": { + "properties": { + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identity": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "related": { + "properties": { + "cve": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scan": { + "properties": { + "clean": { + "type": "boolean" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "malicious_detections": { + "type": "long" + }, + "scanned_files": { + "type": "long" + }, + "scanned_paths": { + "type": "long" + }, + "scanned_processes": { + "type": "long" + } + } + }, + "tactics": { + "type": "flattened" + }, + "techniques": { + "type": "flattened" + }, + "threat_hunting": { + "properties": { + "incident_end_time": { + "type": "date" + }, + "incident_hunt_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_report_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_start_time": { + "type": "date" + }, + "incident_summary": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_title": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactics": { + "type": "flattened" + }, + "techniques": { + "type": "flattened" + } + } + }, + "timestamp_nanoseconds": { + "type": "date" + }, + "vulnerabilities": { + "type": "flattened" + } + } + }, + "asa": { + "properties": { + "assigned_ip": { + "type": "ip" + }, + "burst": { + "properties": { + "avg_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "configured_avg_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "configured_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "cumulative_count": { + "ignore_above": 1024, + "type": "keyword" + }, + "current_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "object": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line_arguments": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dap_records": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "short" + }, + "icmp_type": { + "type": "short" + }, + "mapped_destination_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_destination_ip": { + "type": "ip" + }, + "mapped_destination_port": { + "type": "long" + }, + "mapped_source_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_source_ip": { + "type": "ip" + }, + "mapped_source_port": { + "type": "long" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "privilege": { + "properties": { + "new": { + "ignore_above": 1024, + "type": "keyword" + }, + "old": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "suffix": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_initiator": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "tunnel_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "webvpn": { + "properties": { + "group_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "ftd": { + "properties": { + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dap_records": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "short" + }, + "icmp_type": { + "type": "short" + }, + "mapped_destination_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_destination_ip": { + "type": "ip" + }, + "mapped_destination_port": { + "type": "long" + }, + "mapped_source_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_source_ip": { + "type": "ip" + }, + "mapped_source_port": { + "type": "long" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "security": { + "type": "object" + }, + "source_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "suffix": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_initiator": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "webvpn": { + "properties": { + "group_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "ios": { + "properties": { + "access_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "umbrella": { + "properties": { + "amp_disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "amp_malware_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "amp_score": { + "ignore_above": 1024, + "type": "keyword" + }, + "av_detections": { + "ignore_above": 1024, + "type": "keyword" + }, + "blocked_categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "datacenter": { + "ignore_above": 1024, + "type": "keyword" + }, + "identities": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_identity_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "puas": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha_sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/cyberark.json b/salt/elasticsearch/templates/component/ecs/cyberark.json new file mode 100644 index 000000000..20e90f6ea --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/cyberark.json @@ -0,0 +1,305 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "cyberarkpas": { + "properties": { + "audit": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "ca_properties": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpm_disabled": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpm_error_details": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpm_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "customer": { + "ignore_above": 1024, + "type": "keyword" + }, + "database": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dual_account_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "group_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "in_process": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_fail_date": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_success_change": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_success_reconciliation": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_success_verification": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_task": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "other": { + "type": "flattened" + }, + "policy_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "ignore_above": 1024, + "type": "keyword" + }, + "privcloud": { + "ignore_above": 1024, + "type": "keyword" + }, + "reset_immediately": { + "ignore_above": 1024, + "type": "keyword" + }, + "retries_count": { + "ignore_above": 1024, + "type": "keyword" + }, + "sequence_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_dn": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "extra_details": { + "properties": { + "ad_process_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ad_process_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_component_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "managed_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "other": { + "type": "flattened" + }, + "process_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "process_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "psmid": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_duration": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "gateway_station": { + "type": "ip" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "iso_timestamp": { + "type": "date" + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "doc_values": false, + "ignore_above": 4096, + "index": false, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "pvwa_details": { + "type": "flattened" + }, + "raw": { + "doc_values": false, + "ignore_above": 4096, + "index": false, + "type": "keyword" + }, + "reason": { + "norms": false, + "type": "text" + }, + "rfc5424": { + "type": "boolean" + }, + "safe": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "station": { + "type": "ip" + }, + "target_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/fortinet.json b/salt/elasticsearch/templates/component/ecs/fortinet.json new file mode 100644 index 000000000..1f9b7496d --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/fortinet.json @@ -0,0 +1,1627 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "fortinet": { + "properties": { + "file": { + "properties": { + "hash": { + "properties": { + "crc32": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "firewall": { + "properties": { + "acct_stat": { + "ignore_above": 1024, + "type": "keyword" + }, + "acktime": { + "ignore_above": 1024, + "type": "keyword" + }, + "act": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity": { + "ignore_above": 1024, + "type": "keyword" + }, + "addr": { + "type": "ip" + }, + "addr_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "addrgrp": { + "ignore_above": 1024, + "type": "keyword" + }, + "adgroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "admin": { + "ignore_above": 1024, + "type": "keyword" + }, + "age": { + "type": "long" + }, + "agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "alarmid": { + "type": "long" + }, + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "analyticscksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "analyticssubmit": { + "ignore_above": 1024, + "type": "keyword" + }, + "ap": { + "ignore_above": 1024, + "type": "keyword" + }, + "app-type": { + "ignore_above": 1024, + "type": "keyword" + }, + "appact": { + "ignore_above": 1024, + "type": "keyword" + }, + "appid": { + "type": "long" + }, + "applist": { + "ignore_above": 1024, + "type": "keyword" + }, + "apprisk": { + "ignore_above": 1024, + "type": "keyword" + }, + "apscan": { + "ignore_above": 1024, + "type": "keyword" + }, + "apsn": { + "ignore_above": 1024, + "type": "keyword" + }, + "apstatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "aptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "assigned": { + "type": "ip" + }, + "assignip": { + "type": "ip" + }, + "attachment": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack": { + "ignore_above": 1024, + "type": "keyword" + }, + "attackcontext": { + "ignore_above": 1024, + "type": "keyword" + }, + "attackcontextid": { + "ignore_above": 1024, + "type": "keyword" + }, + "attackid": { + "type": "long" + }, + "auditid": { + "type": "long" + }, + "auditscore": { + "ignore_above": 1024, + "type": "keyword" + }, + "audittime": { + "type": "long" + }, + "authgrp": { + "ignore_above": 1024, + "type": "keyword" + }, + "authid": { + "ignore_above": 1024, + "type": "keyword" + }, + "authproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "authserver": { + "ignore_above": 1024, + "type": "keyword" + }, + "bandwidth": { + "ignore_above": 1024, + "type": "keyword" + }, + "banned_rule": { + "ignore_above": 1024, + "type": "keyword" + }, + "banned_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "banword": { + "ignore_above": 1024, + "type": "keyword" + }, + "botnetdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "botnetip": { + "type": "ip" + }, + "bssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "carrier_ep": { + "ignore_above": 1024, + "type": "keyword" + }, + "cat": { + "type": "long" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cc": { + "ignore_above": 1024, + "type": "keyword" + }, + "cdrcontent": { + "ignore_above": 1024, + "type": "keyword" + }, + "centralnatid": { + "type": "long" + }, + "cert": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert-type": { + "ignore_above": 1024, + "type": "keyword" + }, + "certhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgattr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgobj": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgpath": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgtid": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgtxpower": { + "type": "long" + }, + "channel": { + "type": "long" + }, + "channeltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "chassisid": { + "type": "long" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "chgheaders": { + "ignore_above": 1024, + "type": "keyword" + }, + "cldobjid": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_addr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "clouduser": { + "ignore_above": 1024, + "type": "keyword" + }, + "column": { + "type": "long" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "community": { + "ignore_above": 1024, + "type": "keyword" + }, + "configcountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "conserve": { + "ignore_above": 1024, + "type": "keyword" + }, + "constraint": { + "ignore_above": 1024, + "type": "keyword" + }, + "contentdisarmed": { + "ignore_above": 1024, + "type": "keyword" + }, + "contenttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookies": { + "ignore_above": 1024, + "type": "keyword" + }, + "count": { + "type": "long" + }, + "countapp": { + "type": "long" + }, + "countav": { + "type": "long" + }, + "countcifs": { + "type": "long" + }, + "countdlp": { + "type": "long" + }, + "countdns": { + "type": "long" + }, + "countemail": { + "type": "long" + }, + "countff": { + "type": "long" + }, + "countips": { + "type": "long" + }, + "countssh": { + "type": "long" + }, + "countssl": { + "type": "long" + }, + "countwaf": { + "type": "long" + }, + "countweb": { + "type": "long" + }, + "cpu": { + "type": "long" + }, + "craction": { + "type": "long" + }, + "criticalcount": { + "type": "long" + }, + "crl": { + "ignore_above": 1024, + "type": "keyword" + }, + "crlevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "crscore": { + "type": "long" + }, + "cveid": { + "ignore_above": 1024, + "type": "keyword" + }, + "daemon": { + "ignore_above": 1024, + "type": "keyword" + }, + "datarange": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "ignore_above": 1024, + "type": "keyword" + }, + "ddnsserver": { + "type": "ip" + }, + "desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "detectionmethod": { + "ignore_above": 1024, + "type": "keyword" + }, + "devcategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "devintfname": { + "ignore_above": 1024, + "type": "keyword" + }, + "devtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "dintf": { + "ignore_above": 1024, + "type": "keyword" + }, + "disk": { + "ignore_above": 1024, + "type": "keyword" + }, + "disklograte": { + "type": "long" + }, + "dlpextra": { + "ignore_above": 1024, + "type": "keyword" + }, + "docsource": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainctrlauthstate": { + "type": "long" + }, + "domainctrlauthtype": { + "type": "long" + }, + "domainctrldomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainctrlip": { + "type": "ip" + }, + "domainctrlname": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainctrlprotocoltype": { + "type": "long" + }, + "domainctrlusername": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainfilteridx": { + "type": "long" + }, + "domainfilterlist": { + "ignore_above": 1024, + "type": "keyword" + }, + "ds": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_int": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstcountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstdevcategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstdevtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstfamily": { + "ignore_above": 1024, + "type": "keyword" + }, + "dsthwvendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "dsthwversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstinetsvc": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstintfrole": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstosname": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstosversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstserver": { + "type": "long" + }, + "dstssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstswversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstunauthusersource": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstuuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "duid": { + "ignore_above": 1024, + "type": "keyword" + }, + "eapolcnt": { + "type": "long" + }, + "eapoltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "encrypt": { + "type": "long" + }, + "encryption": { + "ignore_above": 1024, + "type": "keyword" + }, + "epoch": { + "type": "long" + }, + "espauth": { + "ignore_above": 1024, + "type": "keyword" + }, + "esptransform": { + "ignore_above": 1024, + "type": "keyword" + }, + "eventtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "exch": { + "ignore_above": 1024, + "type": "keyword" + }, + "exchange": { + "ignore_above": 1024, + "type": "keyword" + }, + "expectedsignature": { + "ignore_above": 1024, + "type": "keyword" + }, + "expiry": { + "ignore_above": 1024, + "type": "keyword" + }, + "fams_pause": { + "type": "long" + }, + "fazlograte": { + "type": "long" + }, + "fctemssn": { + "ignore_above": 1024, + "type": "keyword" + }, + "fctuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "filefilter": { + "ignore_above": 1024, + "type": "keyword" + }, + "filehashsrc": { + "ignore_above": 1024, + "type": "keyword" + }, + "filtercat": { + "ignore_above": 1024, + "type": "keyword" + }, + "filteridx": { + "type": "long" + }, + "filtername": { + "ignore_above": 1024, + "type": "keyword" + }, + "filtertype": { + "ignore_above": 1024, + "type": "keyword" + }, + "fortiguardresp": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwardedfor": { + "ignore_above": 1024, + "type": "keyword" + }, + "fqdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "frametype": { + "ignore_above": 1024, + "type": "keyword" + }, + "freediskstorage": { + "type": "long" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "from_vcluster": { + "type": "long" + }, + "fsaverdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "fwserver_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gateway": { + "type": "ip" + }, + "green": { + "ignore_above": 1024, + "type": "keyword" + }, + "groupid": { + "type": "long" + }, + "ha-prio": { + "type": "long" + }, + "ha_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "ha_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "handshake": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hbdn_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "highcount": { + "type": "long" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "iaid": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmpcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmpid": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "type": "long" + }, + "in_spi": { + "ignore_above": 1024, + "type": "keyword" + }, + "incidentserialno": { + "type": "long" + }, + "infected": { + "type": "long" + }, + "infectedfilelevel": { + "type": "long" + }, + "informationsource": { + "ignore_above": 1024, + "type": "keyword" + }, + "init": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiator": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "intf": { + "ignore_above": 1024, + "type": "keyword" + }, + "invalidmac": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "iptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "keyword": { + "ignore_above": 1024, + "type": "keyword" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "lanin": { + "type": "long" + }, + "lanout": { + "type": "long" + }, + "lease": { + "type": "long" + }, + "license_limit": { + "ignore_above": 1024, + "type": "keyword" + }, + "limit": { + "type": "long" + }, + "line": { + "ignore_above": 1024, + "type": "keyword" + }, + "live": { + "type": "long" + }, + "local": { + "type": "ip" + }, + "log": { + "ignore_above": 1024, + "type": "keyword" + }, + "login": { + "ignore_above": 1024, + "type": "keyword" + }, + "lowcount": { + "type": "long" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "malform_data": { + "type": "long" + }, + "malform_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "manuf": { + "ignore_above": 1024, + "type": "keyword" + }, + "masterdstmac": { + "ignore_above": 1024, + "type": "keyword" + }, + "mastersrcmac": { + "ignore_above": 1024, + "type": "keyword" + }, + "mediumcount": { + "type": "long" + }, + "mem": { + "type": "long" + }, + "meshmode": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mgmtcnt": { + "type": "long" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitor-name": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitor-type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mpsk": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "ignore_above": 1024, + "type": "keyword" + }, + "netid": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "newchannel": { + "type": "long" + }, + "newchassisid": { + "type": "long" + }, + "newslot": { + "type": "long" + }, + "nextstat": { + "type": "long" + }, + "nf_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "noise": { + "type": "long" + }, + "old_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldchannel": { + "type": "long" + }, + "oldchassisid": { + "type": "long" + }, + "oldslot": { + "type": "long" + }, + "oldsn": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldwprof": { + "ignore_above": 1024, + "type": "keyword" + }, + "onwire": { + "ignore_above": 1024, + "type": "keyword" + }, + "opercountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "opertxpower": { + "type": "long" + }, + "osname": { + "ignore_above": 1024, + "type": "keyword" + }, + "osversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "out_spi": { + "ignore_above": 1024, + "type": "keyword" + }, + "outintf": { + "ignore_above": 1024, + "type": "keyword" + }, + "passedcount": { + "type": "long" + }, + "passwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_notif": { + "ignore_above": 1024, + "type": "keyword" + }, + "phase2_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "phone": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "policytype": { + "ignore_above": 1024, + "type": "keyword" + }, + "poolname": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "portbegin": { + "type": "long" + }, + "portend": { + "type": "long" + }, + "probeproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "processtime": { + "type": "long" + }, + "profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile_vd": { + "ignore_above": 1024, + "type": "keyword" + }, + "profilegroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "profiletype": { + "ignore_above": 1024, + "type": "keyword" + }, + "qtypeval": { + "type": "long" + }, + "quarskip": { + "ignore_above": 1024, + "type": "keyword" + }, + "quotaexceeded": { + "ignore_above": 1024, + "type": "keyword" + }, + "quotamax": { + "type": "long" + }, + "quotatype": { + "ignore_above": 1024, + "type": "keyword" + }, + "quotaused": { + "type": "long" + }, + "radioband": { + "ignore_above": 1024, + "type": "keyword" + }, + "radioid": { + "type": "long" + }, + "radioidclosest": { + "type": "long" + }, + "radioiddetected": { + "type": "long" + }, + "rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "rawdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "rawdataid": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcvddelta": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "received": { + "type": "long" + }, + "receivedsignature": { + "ignore_above": 1024, + "type": "keyword" + }, + "red": { + "ignore_above": 1024, + "type": "keyword" + }, + "referralurl": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote": { + "type": "ip" + }, + "remotewtptime": { + "ignore_above": 1024, + "type": "keyword" + }, + "reporttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "reqtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "rssi": { + "type": "long" + }, + "rsso_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruledata": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruletype": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanned": { + "type": "long" + }, + "scantime": { + "type": "long" + }, + "scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "security": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensitivity": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensor": { + "ignore_above": 1024, + "type": "keyword" + }, + "sentdelta": { + "ignore_above": 1024, + "type": "keyword" + }, + "seq": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "serialno": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "sessionid": { + "type": "long" + }, + "setuprate": { + "type": "long" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "shaperdroprcvdbyte": { + "type": "long" + }, + "shaperdropsentbyte": { + "type": "long" + }, + "shaperperipdropbyte": { + "type": "long" + }, + "shaperperipname": { + "ignore_above": 1024, + "type": "keyword" + }, + "shaperrcvdname": { + "ignore_above": 1024, + "type": "keyword" + }, + "shapersentname": { + "ignore_above": 1024, + "type": "keyword" + }, + "shapingpolicyid": { + "type": "long" + }, + "signal": { + "type": "long" + }, + "size": { + "type": "long" + }, + "slot": { + "type": "long" + }, + "sn": { + "ignore_above": 1024, + "type": "keyword" + }, + "snclosest": { + "ignore_above": 1024, + "type": "keyword" + }, + "sndetected": { + "ignore_above": 1024, + "type": "keyword" + }, + "snmeshparent": { + "ignore_above": 1024, + "type": "keyword" + }, + "spi": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_int": { + "ignore_above": 1024, + "type": "keyword" + }, + "srccountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcfamily": { + "ignore_above": 1024, + "type": "keyword" + }, + "srchwvendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "srchwversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcinetsvc": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcintfrole": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcname": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcserver": { + "type": "long" + }, + "srcssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcswversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcuuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sscname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sslaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssllocal": { + "ignore_above": 1024, + "type": "keyword" + }, + "sslremote": { + "ignore_above": 1024, + "type": "keyword" + }, + "stacount": { + "type": "long" + }, + "stage": { + "ignore_above": 1024, + "type": "keyword" + }, + "stamac": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "stitch": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "submodule": { + "ignore_above": 1024, + "type": "keyword" + }, + "subservice": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "suspicious": { + "type": "long" + }, + "switchproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "sync_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "sync_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "sysuptime": { + "ignore_above": 1024, + "type": "keyword" + }, + "tamac": { + "ignore_above": 1024, + "type": "keyword" + }, + "threattype": { + "ignore_above": 1024, + "type": "keyword" + }, + "time": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + }, + "to_vcluster": { + "type": "long" + }, + "total": { + "type": "long" + }, + "totalsession": { + "type": "long" + }, + "trace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trandisp": { + "ignore_above": 1024, + "type": "keyword" + }, + "transid": { + "type": "long" + }, + "translationid": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "ignore_above": 1024, + "type": "keyword" + }, + "trueclntip": { + "type": "ip" + }, + "tunnelid": { + "type": "long" + }, + "tunnelip": { + "type": "ip" + }, + "tunneltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "ui": { + "ignore_above": 1024, + "type": "keyword" + }, + "unauthusersource": { + "ignore_above": 1024, + "type": "keyword" + }, + "unit": { + "type": "long" + }, + "urlfilteridx": { + "type": "long" + }, + "urlfilterlist": { + "ignore_above": 1024, + "type": "keyword" + }, + "urlsource": { + "ignore_above": 1024, + "type": "keyword" + }, + "urltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "used": { + "type": "long" + }, + "used_for_type": { + "type": "long" + }, + "utmaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "utmref": { + "ignore_above": 1024, + "type": "keyword" + }, + "vap": { + "ignore_above": 1024, + "type": "keyword" + }, + "vapmode": { + "ignore_above": 1024, + "type": "keyword" + }, + "vcluster": { + "type": "long" + }, + "vcluster_member": { + "type": "long" + }, + "vcluster_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "vd": { + "ignore_above": 1024, + "type": "keyword" + }, + "vdname": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendorurl": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "vip": { + "ignore_above": 1024, + "type": "keyword" + }, + "virus": { + "ignore_above": 1024, + "type": "keyword" + }, + "virusid": { + "type": "long" + }, + "voip_proto": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpn": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpntunnel": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpntype": { + "ignore_above": 1024, + "type": "keyword" + }, + "vrf": { + "type": "long" + }, + "vulncat": { + "ignore_above": 1024, + "type": "keyword" + }, + "vulnid": { + "type": "long" + }, + "vulnname": { + "ignore_above": 1024, + "type": "keyword" + }, + "vwlid": { + "type": "long" + }, + "vwlquality": { + "ignore_above": 1024, + "type": "keyword" + }, + "vwlservice": { + "ignore_above": 1024, + "type": "keyword" + }, + "vwpvlanid": { + "type": "long" + }, + "wanin": { + "type": "long" + }, + "wanoptapptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "wanout": { + "type": "long" + }, + "weakwepiv": { + "ignore_above": 1024, + "type": "keyword" + }, + "xauthgroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "xauthuser": { + "ignore_above": 1024, + "type": "keyword" + }, + "xid": { + "type": "long" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/gcp.json b/salt/elasticsearch/templates/component/ecs/gcp.json new file mode 100644 index 000000000..5ac9dcbe4 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/gcp.json @@ -0,0 +1,267 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "gcp": { + "properties": { + "audit": { + "properties": { + "authentication_info": { + "properties": { + "authority_selector": { + "ignore_above": 1024, + "type": "keyword" + }, + "principal_email": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "method_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "num_response_items": { + "type": "long" + }, + "request": { + "properties": { + "filter": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "proto_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request_metadata": { + "properties": { + "caller_ip": { + "type": "ip" + }, + "caller_supplied_user_agent": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource_location": { + "properties": { + "current_locations": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "response": { + "properties": { + "details": { + "properties": { + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "proto_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "properties": { + "code": { + "type": "long" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "instance": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpc": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "subnetwork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "firewall": { + "properties": { + "rule_details": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_range": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_range": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_service_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_service_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "source": { + "properties": { + "instance": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpc": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "subnetwork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "vpcflow": { + "properties": { + "reporter": { + "ignore_above": 1024, + "type": "keyword" + }, + "rtt": { + "properties": { + "ms": { + "type": "long" + } + } + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/google_workspace.json b/salt/elasticsearch/templates/component/ecs/google_workspace.json new file mode 100644 index 000000000..526bd9bb5 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/google_workspace.json @@ -0,0 +1,750 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "google_workspace": { + "properties": { + "actor": { + "properties": { + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "admin": { + "properties": { + "alert": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "api": { + "properties": { + "client": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scopes": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "application": { + "properties": { + "asp_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "edition": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "licences_order_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "licences_purchased": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "package_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bulk_upload": { + "properties": { + "failed": { + "type": "long" + }, + "total": { + "type": "long" + } + } + }, + "chrome_licenses": { + "properties": { + "allowed": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "chrome_os": { + "properties": { + "session_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "device": { + "properties": { + "command_details": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "distribution": { + "properties": { + "entity": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "domain": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "secondary_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "log_search_filter": { + "properties": { + "end_date": { + "type": "date" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "recipient": { + "properties": { + "ip": { + "type": "ip" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "ip": { + "type": "ip" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start_date": { + "type": "date" + } + } + }, + "quarantine_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email_dump": { + "properties": { + "include_deleted": { + "type": "boolean" + }, + "package_content": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email_monitor": { + "properties": { + "dest_email": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "properties": { + "chat": { + "ignore_above": 1024, + "type": "keyword" + }, + "draft": { + "ignore_above": 1024, + "type": "keyword" + }, + "incoming": { + "ignore_above": 1024, + "type": "keyword" + }, + "outgoing": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "gateway": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "allowed_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "priorities": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "info_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "managed_configuration": { + "ignore_above": 1024, + "type": "keyword" + }, + "mdm": { + "properties": { + "token": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mobile": { + "properties": { + "action": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "certificate": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "company_owned_devices": { + "type": "long" + } + } + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "non_featured_services_selection": { + "ignore_above": 1024, + "type": "keyword" + }, + "oauth2": { + "properties": { + "application": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "org_unit": { + "properties": { + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "print_server": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "printer": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "privilege": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sku": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "role": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "setting": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "birthdate": { + "type": "date" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "nickname": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_defined_setting": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "verification_method": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "drive": { + "properties": { + "added_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "billable": { + "type": "boolean" + }, + "destination_folder_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_folder_title": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "properties": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_shared_drive": { + "type": "boolean" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "membership_change_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_visibility": { + "ignore_above": 1024, + "type": "keyword" + }, + "originating_app_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "primary_event": { + "type": "boolean" + }, + "removed_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "shared_drive_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "shared_drive_settings_change_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "sheets_import_range_recipient_doc": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_folder_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_folder_title": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "visibility": { + "ignore_above": 1024, + "type": "keyword" + }, + "visibility_change": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "groups": { + "properties": { + "acl_permission": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "member": { + "properties": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "moderation_action": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "setting": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "login": { + "properties": { + "affected_email_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "challenge_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_second_factor": { + "type": "boolean" + }, + "is_suspicious": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saml": { + "properties": { + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiated_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "orgunit_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "second_level_status_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/juniper.json b/salt/elasticsearch/templates/component/ecs/juniper.json new file mode 100644 index 000000000..33a5f61d6 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/juniper.json @@ -0,0 +1,378 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "juniper": { + "properties": { + "srx": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "action_detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "apbr_rule_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_characteristics": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_sub_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_ip": { + "type": "ip" + }, + "connection_hit_rate": { + "type": "long" + }, + "connection_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_hit_rate": { + "type": "long" + }, + "context_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_value_hit_rate": { + "type": "long" + }, + "ddos_application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dscp_value": { + "type": "long" + }, + "dst_nat_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_nat_rule_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_vrf_grp": { + "ignore_above": 1024, + "type": "keyword" + }, + "elapsed_time": { + "type": "date" + }, + "encrypted": { + "ignore_above": 1024, + "type": "keyword" + }, + "epoch_time": { + "type": "date" + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "export_id": { + "type": "long" + }, + "feed_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_hash_lookup": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_type": { + "type": "long" + }, + "inbound_bytes": { + "type": "long" + }, + "inbound_packets": { + "type": "long" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "logical_system_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "malware_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_connection_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "nested_application": { + "ignore_above": 1024, + "type": "keyword" + }, + "obj": { + "ignore_above": 1024, + "type": "keyword" + }, + "occur_count": { + "type": "long" + }, + "outbound_bytes": { + "type": "long" + }, + "outbound_packets": { + "type": "long" + }, + "packet_log_id": { + "type": "long" + }, + "peer_destination_address": { + "type": "ip" + }, + "peer_destination_port": { + "type": "long" + }, + "peer_session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_source_address": { + "type": "ip" + }, + "peer_source_port": { + "type": "long" + }, + "policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "repeat_count": { + "type": "long" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "routing_instance": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleebase_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sample_sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "secure_web_proxy_session_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id_32": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_nat_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_nat_rule_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_vrf_grp": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "temporary_filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "th": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_count": { + "type": "long" + }, + "time_period": { + "type": "long" + }, + "time_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uplink_rx_bytes": { + "type": "long" + }, + "uplink_tx_bytes": { + "type": "long" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + }, + "verdict_number": { + "type": "long" + }, + "verdict_source": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/microsoft.json b/salt/elasticsearch/templates/component/ecs/microsoft.json new file mode 100644 index 000000000..512b99c79 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/microsoft.json @@ -0,0 +1,265 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "microsoft": { + "properties": { + "defender_atp": { + "properties": { + "assignedTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "determination": { + "ignore_above": 1024, + "type": "keyword" + }, + "evidence": { + "properties": { + "aadUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "accountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "entityType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipAddress": { + "type": "ip" + }, + "userPrincipalName": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "incidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationState": { + "ignore_above": 1024, + "type": "keyword" + }, + "lastUpdateTime": { + "type": "date" + }, + "rbacGroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "resolvedTime": { + "type": "date" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "threatFamilyName": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "m365_defender": { + "properties": { + "alerts": { + "properties": { + "actorName": { + "ignore_above": 1024, + "type": "keyword" + }, + "assignedTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "creationTime": { + "type": "date" + }, + "detectionSource": { + "ignore_above": 1024, + "type": "keyword" + }, + "determination": { + "ignore_above": 1024, + "type": "keyword" + }, + "devices": { + "type": "flattened" + }, + "entities": { + "properties": { + "accountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "clusterBy": { + "ignore_above": 1024, + "type": "keyword" + }, + "deliveryAction": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceId": { + "ignore_above": 1024, + "type": "keyword" + }, + "entityType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "mailboxAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "mailboxDisplayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "recipient": { + "ignore_above": 1024, + "type": "keyword" + }, + "registryHive": { + "ignore_above": 1024, + "type": "keyword" + }, + "registryKey": { + "ignore_above": 1024, + "type": "keyword" + }, + "registryValueType": { + "ignore_above": 1024, + "type": "keyword" + }, + "securityGroupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "securityGroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sender": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "incidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationState": { + "ignore_above": 1024, + "type": "keyword" + }, + "lastUpdatedTime": { + "type": "date" + }, + "mitreTechniques": { + "ignore_above": 1024, + "type": "keyword" + }, + "resolvedTime": { + "type": "date" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "threatFamilyName": { + "ignore_above": 1024, + "type": "keyword" + }, + "userSid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "assignedTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "determination": { + "ignore_above": 1024, + "type": "keyword" + }, + "incidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "incidentName": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationState": { + "ignore_above": 1024, + "type": "keyword" + }, + "redirectIncidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/misp.json b/salt/elasticsearch/templates/component/ecs/misp.json new file mode 100644 index 000000000..8150371ec --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/misp.json @@ -0,0 +1,425 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "misp": { + "properties": { + "attack_pattern": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "campaign": { + "properties": { + "aliases": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "first_seen": { + "type": "date" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "objective": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "course_of_action": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identity": { + "properties": { + "contact_information": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity_class": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sectors": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "intrusion_set": { + "properties": { + "aliases": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "first_seen": { + "type": "date" + }, + "goals": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "primary_motivation": { + "norms": false, + "type": "text" + }, + "resource_level": { + "norms": false, + "type": "text" + }, + "secondary_motivations": { + "norms": false, + "type": "text" + } + } + }, + "malware": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "note": { + "properties": { + "authors": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_refs": { + "ignore_above": 1024, + "type": "keyword" + }, + "summary": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "observed_data": { + "properties": { + "first_observed": { + "type": "date" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_observed": { + "type": "date" + }, + "number_observed": { + "type": "long" + }, + "objects": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "report": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_refs": { + "norms": false, + "type": "text" + }, + "published": { + "type": "date" + } + } + }, + "threat_actor": { + "properties": { + "aliases": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "goals": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "personal_motivations": { + "norms": false, + "type": "text" + }, + "primary_motivation": { + "norms": false, + "type": "text" + }, + "resource_level": { + "norms": false, + "type": "text" + }, + "roles": { + "norms": false, + "type": "text" + }, + "secondary_motivations": { + "norms": false, + "type": "text" + }, + "sophistication": { + "norms": false, + "type": "text" + } + } + }, + "threat_indicator": { + "properties": { + "attack_pattern": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack_pattern_kql": { + "ignore_above": 1024, + "type": "keyword" + }, + "campaign": { + "ignore_above": 1024, + "type": "keyword" + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "norms": false, + "type": "text" + }, + "feed": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "intrusion_set": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_tactic": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_technique": { + "ignore_above": 1024, + "type": "keyword" + }, + "negate": { + "type": "boolean" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_actor": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "valid_from": { + "type": "date" + }, + "valid_until": { + "type": "date" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tool": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "norms": false, + "type": "text" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tool_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/o365.json b/salt/elasticsearch/templates/component/ecs/o365.json new file mode 100644 index 000000000..d1bdb29b1 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/o365.json @@ -0,0 +1,445 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "o365": { + "properties": { + "audit": { + "properties": { + "AADGroupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorContextId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorIpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorYammerUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AlertEntityId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AlertId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AlertType": { + "ignore_above": 1024, + "type": "keyword" + }, + "AppId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ApplicationDisplayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ApplicationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AzureActiveDirectoryEventType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Category": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientAppId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientIP": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientIPAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientInfoString": { + "ignore_above": 1024, + "type": "keyword" + }, + "Comments": { + "norms": false, + "type": "text" + }, + "CommunicationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorrelationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "CustomUniqueId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Data": { + "ignore_above": 1024, + "type": "keyword" + }, + "DataType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DoNotDistributeEvent": { + "type": "boolean" + }, + "EntityType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ErrorNumber": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventData": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventSource": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExceptionInfo": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ExchangeMetaData": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ExtendedProperties": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ExternalAccess": { + "ignore_above": 1024, + "type": "keyword" + }, + "FromApp": { + "type": "boolean" + }, + "GroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImplicitShare": { + "ignore_above": 1024, + "type": "keyword" + }, + "IncidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "InterSystemsId": { + "ignore_above": 1024, + "type": "keyword" + }, + "InternalLogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntraSystemId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IsDocLib": { + "type": "boolean" + }, + "Item": { + "properties": { + "*": { + "properties": { + "*": { + "type": "object" + } + }, + "type": "object" + } + } + }, + "ItemCount": { + "type": "long" + }, + "ItemName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ItemType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListBaseTemplateType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListBaseType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListColor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListIcon": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListItemUniqueId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListTitle": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonError": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxOwnerMasterAccountSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxOwnerSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxOwnerUPN": { + "ignore_above": 1024, + "type": "keyword" + }, + "Members": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ModifiedProperties": { + "properties": { + "*": { + "properties": { + "*": { + "type": "object" + } + } + } + } + }, + "Name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "OrganizationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OrganizationName": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginatingServer": { + "ignore_above": 1024, + "type": "keyword" + }, + "Parameters": { + "properties": { + "*": { + "type": "object" + } + } + }, + "PolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "RecordType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ResultStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "SensitiveInfoDetectionIsIncluded": { + "ignore_above": 1024, + "type": "keyword" + }, + "SessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "SharePointMetaData": { + "properties": { + "*": { + "type": "object" + } + } + }, + "Site": { + "ignore_above": 1024, + "type": "keyword" + }, + "SiteUrl": { + "ignore_above": 1024, + "type": "keyword" + }, + "Source": { + "ignore_above": 1024, + "type": "keyword" + }, + "SourceFileExtension": { + "ignore_above": 1024, + "type": "keyword" + }, + "SourceFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SourceRelativeUrl": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "SupportTicketId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetContextId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserOrGroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserOrGroupType": { + "ignore_above": 1024, + "type": "keyword" + }, + "TeamGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "TeamName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TemplateTypeId": { + "ignore_above": 1024, + "type": "keyword" + }, + "UniqueSharingId": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserAgent": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserKey": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "WebId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workload": { + "ignore_above": 1024, + "type": "keyword" + }, + "YammerNetworkId": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/okta.json b/salt/elasticsearch/templates/component/ecs/okta.json new file mode 100644 index 000000000..dcfaab1c2 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/okta.json @@ -0,0 +1,293 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "okta": { + "properties": { + "actor": { + "properties": { + "alternate_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "authentication_context": { + "properties": { + "authentication_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_step": { + "type": "long" + }, + "credential_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "credential_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "external_session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user_agent": { + "properties": { + "browser": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_user_agent": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "debug_context": { + "properties": { + "debug_data": { + "properties": { + "device_fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "suspicious_activity": { + "properties": { + "browser": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_city": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_country": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_ip": { + "type": "ip" + }, + "event_latitude": { + "type": "float" + }, + "event_longitude": { + "type": "float" + }, + "event_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_transaction_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + } + } + }, + "threat_suspected": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "display_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "outcome": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "ip_chain": { + "properties": { + "geographical_context": { + "properties": { + "city": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "geolocation": { + "type": "geo_point" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "security_context": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_proxy": { + "type": "boolean" + }, + "isp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "type": "flattened" + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/redis.json b/salt/elasticsearch/templates/component/ecs/redis.json new file mode 100644 index 000000000..925f55c62 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/redis.json @@ -0,0 +1,50 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "redis": { + "properties": { + "log": { + "properties": { + "role": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "properties": { + "us": { + "type": "long" + } + } + }, + "id": { + "type": "long" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/snyk.json b/salt/elasticsearch/templates/component/ecs/snyk.json new file mode 100644 index 000000000..ab0dcd2fb --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/snyk.json @@ -0,0 +1,147 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "snyk": { + "properties": { + "audit": { + "properties": { + "content": { + "type": "flattened" + }, + "org_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "projecre_above": 1024, + "type": "keyword" + } + } + }, + "projects": { + "type": "flattened" + }, + "related": { + "properties": { + "projects": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerabilities": { + "properties": { + "credit": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss3": { + "ignore_above": 1024, + "type": "keyword" + }, + "disclosure_time": { + "type": "date" + }, + "exploit_maturity": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifiers": { + "properties": { + "alternative": { + "ignore_above": 1024, + "type": "keyword" + }, + "cwe": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "introduced_date": { + "type": "date" + }, + "is_fixed": { + "type": "boolean" + }, + "is_ignored": { + "type": "boolean" + }, + "is_patchable": { + "type": "boolean" + }, + "is_patched": { + "type": "boolean" + }, + "is_pinnable": { + "type": "boolean" + }, + "is_upgradable": { + "type": "boolean" + }, + "jira_issue_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_severity": { + "type": "long" + }, + "package": { + "ignore_above": 1024, + "type": "keyword" + }, + "package_manager": { + "ignore_above": 1024, + "type": "keyword" + }, + "patches": { + "type": "flattened" + }, + "priority_score": { + "type": "long" + }, + "publication_time": { + "type": "date" + }, + "reachability": { + "ignore_above": 1024, + "type": "keyword" + }, + "semver": { + "type": "flattened" + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "unique_severities_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/sophos.json b/salt/elasticsearch/templates/component/ecs/sophos.json new file mode 100644 index 000000000..a5606f962 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/sophos.json @@ -0,0 +1,722 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "sophos": { + "properties": { + "xg": { + "properties": { + "Configuration": { + "type": "float" + }, + "Mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "PHPSESSID": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reports": { + "type": "float" + }, + "Signature": { + "type": "float" + }, + "SysLog_SERVER_NAME": { + "ignore_above": 1024, + "type": "keyword" + }, + "Temp": { + "type": "float" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "activityname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ap": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_is_cloud": { + "ignore_above": 1024, + "type": "keyword" + }, + "appfilter_policy_id": { + "type": "long" + }, + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_filter_policy": { + "type": "long" + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "appresolvedby": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_client": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_mechanism": { + "ignore_above": 1024, + "type": "keyword" + }, + "av_policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "backup_mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "branch_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "category_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_host_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_physical_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "clients_conn_ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "collisions": { + "type": "long" + }, + "con_id": { + "type": "long" + }, + "conn_id": { + "type": "long" + }, + "connectionname": { + "ignore_above": 1024, + "type": "keyword" + }, + "connectiontype": { + "ignore_above": 1024, + "type": "keyword" + }, + "connevent": { + "ignore_above": 1024, + "type": "keyword" + }, + "connid": { + "ignore_above": 1024, + "type": "keyword" + }, + "contenttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_match": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_prefix": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_suffix": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "type": "date" + }, + "destinationip": { + "type": "ip" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dictionary_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dir_disp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainname": { + "ignore_above": 1024, + "type": "keyword" + }, + "download_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "download_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_country_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_domainname": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_ip": { + "type": "ip" + }, + "dst_port": { + "type": "long" + }, + "dstdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstzone": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstzonetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "email_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "ep_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "eventid": { + "ignore_above": 1024, + "type": "keyword" + }, + "eventtime": { + "type": "date" + }, + "eventtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "exceptions": { + "ignore_above": 1024, + "type": "keyword" + }, + "execution_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "extra": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_size": { + "type": "long" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "filepath": { + "ignore_above": 1024, + "type": "keyword" + }, + "filesize": { + "type": "long" + }, + "free": { + "type": "long" + }, + "from_email_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftp_direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftp_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftpcommand": { + "ignore_above": 1024, + "type": "keyword" + }, + "fw_rule_id": { + "type": "long" + }, + "hb_health": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "httpresponsecode": { + "type": "long" + }, + "iap": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "idle_cpu": { + "type": "float" + }, + "idp_policy_id": { + "type": "long" + }, + "idp_policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "in_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipaddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "ips_policy_id": { + "type": "long" + }, + "localgateway": { + "ignore_above": 1024, + "type": "keyword" + }, + "localnetwork": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_component": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "login_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "mailid": { + "ignore_above": 1024, + "type": "keyword" + }, + "mailsize": { + "type": "long" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "newversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "out_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "override_authorizer": { + "ignore_above": 1024, + "type": "keyword" + }, + "override_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "override_token": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "quarantine": { + "ignore_above": 1024, + "type": "keyword" + }, + "quarantine_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "querystring": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "received_pkts": { + "type": "long" + }, + "receiveddrops": { + "type": "long" + }, + "receivederrors": { + "ignore_above": 1024, + "type": "keyword" + }, + "receivedkbits": { + "type": "long" + }, + "recv_bytes": { + "type": "long" + }, + "red_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "referer": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "remotenetwork": { + "ignore_above": 1024, + "type": "keyword" + }, + "responsetime": { + "type": "long" + }, + "rule_priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "sent_bytes": { + "type": "long" + }, + "sent_pkts": { + "type": "long" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "sessionid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1sum": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "site_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceip": { + "type": "ip" + }, + "spamaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "sqli": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_country_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_domainname": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_ip": { + "type": "ip" + }, + "src_mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_port": { + "type": "long" + }, + "srczone": { + "ignore_above": 1024, + "type": "keyword" + }, + "srczonetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "start_time": { + "type": "date" + }, + "starttime": { + "type": "date" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "system_cpu": { + "type": "float" + }, + "target": { + "ignore_above": 1024, + "type": "keyword" + }, + "threatname": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "to_email_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_memory": { + "type": "long" + }, + "trans_dst_ip": { + "type": "ip" + }, + "trans_dst_port": { + "type": "long" + }, + "trans_src_ip": { + "type": "ip" + }, + "trans_src_port": { + "type": "long" + }, + "transaction_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "transactionid": { + "ignore_above": 1024, + "type": "keyword" + }, + "transmitteddrops": { + "type": "long" + }, + "transmittederrors": { + "ignore_above": 1024, + "type": "keyword" + }, + "transmittedkbits": { + "type": "long" + }, + "unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "updatedip": { + "type": "ip" + }, + "upload_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "upload_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "used": { + "type": "long" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_cpu": { + "type": "float" + }, + "user_gp": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "users": { + "ignore_above": 1024, + "type": "keyword" + }, + "vconn_id": { + "type": "long" + }, + "virus": { + "ignore_above": 1024, + "type": "keyword" + }, + "website": { + "ignore_above": 1024, + "type": "keyword" + }, + "xss": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/syslog.json b/salt/elasticsearch/templates/component/ecs/syslog.json new file mode 100644 index 000000000..c886589e9 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/syslog.json @@ -0,0 +1,30 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "syslog": { + "properties": { + "facility": { + "type": "long" + }, + "facility_label": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "severity_label": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja index 09e61fa8a..9751fb0f3 100644 --- a/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-aws-template.json.jinja @@ -43,6 +43,7 @@ "composed_of": [ "agent-mappings", "dtc-agent-mappings", + "aws-mappings", "base-mappings", "dtc-base-mappings", "client-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja index 366acb167..f663e0b82 100644 --- a/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-azure-template.json.jinja @@ -43,6 +43,7 @@ "composed_of": [ "agent-mappings", "dtc-agent-mappings", + "azure-mappings", "base-mappings", "dtc-base-mappings", "client-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja index c47d36875..84e175a88 100644 --- a/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-cef-template.json.jinja @@ -45,6 +45,7 @@ "dtc-agent-mappings", "base-mappings", "dtc-base-mappings", + "cef-mappings", "client-mappings", "cloud-mappings", "container-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja index 458c675ac..ee76932d4 100644 --- a/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-checkpoint-template.json.jinja @@ -45,6 +45,7 @@ "dtc-agent-mappings", "base-mappings", "dtc-base-mappings", + "checkpoint-mappings", "client-mappings", "cloud-mappings", "container-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja index b506026f8..6b8396815 100644 --- a/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-cisco-template.json.jinja @@ -46,6 +46,7 @@ "dtc-agent-mappings", "base-mappings", "dtc-base-mappings", + "cisco-mappings", "client-mappings", "cloud-mappings", "container-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja index d0e2802e5..6644f274b 100644 --- a/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-cyberark-template.json.jinja @@ -48,6 +48,7 @@ "client-mappings", "cloud-mappings", "container-mappings", + "cyberark-mappings", "data_stream-mappings", "destination-mappings", "dll-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja index 00fa7be2a..d04193d31 100644 --- a/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-fortinet-template.json.jinja @@ -60,6 +60,7 @@ "dtc-event-mappings", "file-mappings", "dtc-file-mappings", + "fortinet-mappings", "group-mappings", "host-mappings", "dtc-host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja index aa964a52d..78a39f158 100644 --- a/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-gcp-template.json.jinja @@ -60,6 +60,7 @@ "dtc-event-mappings", "file-mappings", "dtc-file-mappings", + "gcp-mappings", "group-mappings", "host-mappings", "dtc-host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja index 5816a94f3..1aa207d57 100644 --- a/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-google_workspace-template.json.jinja @@ -60,6 +60,7 @@ "dtc-event-mappings", "file-mappings", "dtc-file-mappings", + "google_workspace-mappings", "group-mappings", "host-mappings", "dtc-host-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja index 1f2eca87c..a1aaa5cd0 100644 --- a/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-juniper-template.json.jinja @@ -65,6 +65,7 @@ "dtc-host-mappings", "http-mappings", "dtc-http-mappings", + "juniper-mappings", "log-mappings", "network-mappings", "dtc-network-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja index 6105b1e00..d0b7d2cbb 100644 --- a/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-microsoft-template.json.jinja @@ -66,6 +66,7 @@ "http-mappings", "dtc-http-mappings", "log-mappings", + "microsoft-mappings", "network-mappings", "dtc-network-mappings", "observer-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja index a2b2a0d63..046ffa6e7 100644 --- a/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-misp-template.json.jinja @@ -66,6 +66,7 @@ "http-mappings", "dtc-http-mappings", "log-mappings", + "misp-mappings", "network-mappings", "dtc-network-mappings", "observer-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja index c34cbbd37..da688ea75 100644 --- a/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-o365-template.json.jinja @@ -68,6 +68,7 @@ "log-mappings", "network-mappings", "dtc-network-mappings", + "o365-mappings", "observer-mappings", "dtc-observer-mappings", "orchestrator-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja index e45a664d9..26488c4b2 100644 --- a/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-okta-template.json.jinja @@ -70,6 +70,7 @@ "dtc-network-mappings", "observer-mappings", "dtc-observer-mappings", + "okta-mappings", "orchestrator-mappings", "organization-mappings", "package-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja index 8eb44cb87..8cf1a3777 100644 --- a/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-redis-template.json.jinja @@ -77,6 +77,7 @@ "dtc-process-mappings", "registry-mappings", "related-mappings", + "redis-mappings", "rule-mappings", "dtc-rule-mappings", "server-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja index c22a6d9bd..42cff57ce 100644 --- a/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-snyk-template.json.jinja @@ -82,6 +82,7 @@ "server-mappings", "service-mappings", "dtc-service-mappings", + "snyk-mappings", "source-mappings", "threat-mappings", "tls-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja index 1eda879fb..c8c95f178 100644 --- a/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-sophos-template.json.jinja @@ -82,6 +82,7 @@ "server-mappings", "service-mappings", "dtc-service-mappings", + "sophos-mappings", "source-mappings", "threat-mappings", "tls-mappings", diff --git a/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja index af609836e..41215e262 100644 --- a/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-syslog-template.json.jinja @@ -83,6 +83,7 @@ "service-mappings", "dtc-service-mappings", "source-mappings", + "syslog-mappings", "threat-mappings", "tls-mappings", "tracing-mappings", From 2dd5db15b66b2266a62eea98f952c7ca88728776 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 8 Feb 2022 03:40:42 +0000 Subject: [PATCH 2/5] Add component and index template listing scripts --- .../so-elasticsearch-component-templates-list | 23 +++++++++++++++++++ .../so-elasticsearch-index-templates-list | 23 +++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100755 salt/common/tools/sbin/so-elasticsearch-component-templates-list create mode 100755 salt/common/tools/sbin/so-elasticsearch-index-templates-list diff --git a/salt/common/tools/sbin/so-elasticsearch-component-templates-list b/salt/common/tools/sbin/so-elasticsearch-component-templates-list new file mode 100755 index 000000000..69deb1873 --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsearch-component-templates-list @@ -0,0 +1,23 @@ +#!/bin/bash +# +# Copyright 2014-2022 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +. /usr/sbin/so-common +if [ "$1" == "" ]; then + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort +else + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template/$1 | jq +fi diff --git a/salt/common/tools/sbin/so-elasticsearch-index-templates-list b/salt/common/tools/sbin/so-elasticsearch-index-templates-list new file mode 100755 index 000000000..84fecc565 --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsearch-index-templates-list @@ -0,0 +1,23 @@ +#!/bin/bash +# +# Copyright 2014-2022 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +. /usr/sbin/so-common +if [ "$1" == "" ]; then + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort +else + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template/$1 | jq +fi From 6d0ca6fcbbb49027467f7a1bf303edfa9e0cbc2f Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 8 Feb 2022 12:59:07 +0000 Subject: [PATCH 3/5] Fix mangled key name/typo --- salt/elasticsearch/templates/component/ecs/snyk.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/templates/component/ecs/snyk.json b/salt/elasticsearch/templates/component/ecs/snyk.json index ab0dcd2fb..a8ed3889d 100644 --- a/salt/elasticsearch/templates/component/ecs/snyk.json +++ b/salt/elasticsearch/templates/component/ecs/snyk.json @@ -17,7 +17,7 @@ "ignore_above": 1024, "type": "keyword" }, - "projecre_above": 1024, + "ignore_above": 1024, "type": "keyword" } } From 2951e12c965c3fe9ff91b635b451c705aa91a899 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 8 Feb 2022 13:16:59 +0000 Subject: [PATCH 4/5] Remove snyk component template for now and fix folder structure --- .../ecs/newcomponents/elasticsearch.json | 25 - .../component/ecs/newcomponents/kibana.json | 75 - .../component/ecs/newcomponents/logstash.json | 99 - .../component/ecs/newcomponents/netflow.json | 1423 ---------- .../component/ecs/newcomponents/suricata.json | 850 ------ .../component/ecs/newcomponents/zeek.json | 2279 ----------------- .../templates/component/ecs/snyk.json | 147 -- 7 files changed, 4898 deletions(-) delete mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/elasticsearch.json delete mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/kibana.json delete mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/logstash.json delete mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/netflow.json delete mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/suricata.json delete mode 100644 salt/elasticsearch/templates/component/ecs/newcomponents/zeek.json delete mode 100644 salt/elasticsearch/templates/component/ecs/snyk.json diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/elasticsearch.json b/salt/elasticsearch/templates/component/ecs/newcomponents/elasticsearch.json deleted file mode 100644 index f409ed95a..000000000 --- a/salt/elasticsearch/templates/component/ecs/newcomponents/elasticsearch.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "@timestamp": { - "type": "date" - }, - "labels": { - "type": "object" - }, - "message": { - "type": "match_only_text" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } -} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/kibana.json b/salt/elasticsearch/templates/component/ecs/newcomponents/kibana.json deleted file mode 100644 index d1ea67de7..000000000 --- a/salt/elasticsearch/templates/component/ecs/newcomponents/kibana.json +++ /dev/null @@ -1,75 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "kibana": { - "properties": { - "add_to_spaces": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentication_provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentication_realm": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentication_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "delete_from_spaces": { - "ignore_above": 1024, - "type": "keyword" - }, - "log": { - "properties": { - "meta": { - "type": "object" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "lookup_realm": { - "ignore_above": 1024, - "type": "keyword" - }, - "saved_object": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "space_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/logstash.json b/salt/elasticsearch/templates/component/ecs/newcomponents/logstash.json deleted file mode 100644 index ecfb17551..000000000 --- a/salt/elasticsearch/templates/component/ecs/newcomponents/logstash.json +++ /dev/null @@ -1,99 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "logstash": { - "properties": { - "log": { - "properties": { - "log_event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "pipeline_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thread": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "slowlog": { - "properties": { - "event": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "plugin_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "plugin_params": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "plugin_params_object": { - "type": "object" - }, - "plugin_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "thread": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "took_in_millis": { - "type": "long" - } - } - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/netflow.json b/salt/elasticsearch/templates/component/ecs/newcomponents/netflow.json deleted file mode 100644 index 10f34c3d4..000000000 --- a/salt/elasticsearch/templates/component/ecs/newcomponents/netflow.json +++ /dev/null @@ -1,1423 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "netflow": { - "properties": { - "absolute_error": { - "type": "double" - }, - "address_pool_high_threshold": { - "type": "long" - }, - "address_pool_low_threshold": { - "type": "long" - }, - "address_port_mapping_high_threshold": { - "type": "long" - }, - "address_port_mapping_low_threshold": { - "type": "long" - }, - "address_port_mapping_per_user_high_threshold": { - "type": "long" - }, - "anonymization_flags": { - "type": "long" - }, - "anonymization_technique": { - "type": "long" - }, - "application_category_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_group_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_id": { - "type": "short" - }, - "application_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_sub_category_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "bgp_destination_as_number": { - "type": "long" - }, - "bgp_next_adjacent_as_number": { - "type": "long" - }, - "bgp_next_hop_ipv4_address": { - "type": "ip" - }, - "bgp_next_hop_ipv6_address": { - "type": "ip" - }, - "bgp_prev_adjacent_as_number": { - "type": "long" - }, - "bgp_source_as_number": { - "type": "long" - }, - "bgp_validity_state": { - "type": "short" - }, - "biflow_direction": { - "type": "short" - }, - "class_id": { - "type": "long" - }, - "class_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification_engine_id": { - "type": "short" - }, - "collection_time_milliseconds": { - "type": "date" - }, - "collector_certificate": { - "type": "short" - }, - "collector_ipv4_address": { - "type": "ip" - }, - "collector_ipv6_address": { - "type": "ip" - }, - "collector_transport_port": { - "type": "long" - }, - "common_properties_id": { - "type": "long" - }, - "confidence_level": { - "type": "double" - }, - "connection_sum_duration_seconds": { - "type": "long" - }, - "connection_transaction_id": { - "type": "long" - }, - "data_link_frame_section": { - "type": "short" - }, - "data_link_frame_size": { - "type": "long" - }, - "data_link_frame_type": { - "type": "long" - }, - "data_records_reliability": { - "type": "boolean" - }, - "delta_flow_count": { - "type": "long" - }, - "destination_ipv4_address": { - "type": "ip" - }, - "destination_ipv4_prefix": { - "type": "ip" - }, - "destination_ipv4_prefix_length": { - "type": "short" - }, - "destination_ipv6_address": { - "type": "ip" - }, - "destination_ipv6_prefix": { - "type": "ip" - }, - "destination_ipv6_prefix_length": { - "type": "short" - }, - "destination_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "destination_transport_port": { - "type": "long" - }, - "digest_hash_value": { - "type": "long" - }, - "distinct_count_of_destination_ip_address": { - "type": "long" - }, - "distinct_count_of_destination_ipv4_address": { - "type": "long" - }, - "distinct_count_of_destination_ipv6_address": { - "type": "long" - }, - "distinct_count_of_source_ip_address": { - "type": "long" - }, - "distinct_count_of_source_ipv4_address": { - "type": "long" - }, - "distinct_count_of_source_ipv6_address": { - "type": "long" - }, - "dot1q_customer_dei": { - "type": "boolean" - }, - "dot1q_customer_destination_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "dot1q_customer_priority": { - "type": "short" - }, - "dot1q_customer_source_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "dot1q_customer_vlan_id": { - "type": "long" - }, - "dot1q_dei": { - "type": "boolean" - }, - "dot1q_priority": { - "type": "short" - }, - "dot1q_service_instance_id": { - "type": "long" - }, - "dot1q_service_instance_priority": { - "type": "short" - }, - "dot1q_service_instance_tag": { - "type": "short" - }, - "dot1q_vlan_id": { - "type": "long" - }, - "dropped_layer2_octet_delta_count": { - "type": "long" - }, - "dropped_layer2_octet_total_count": { - "type": "long" - }, - "dropped_octet_delta_count": { - "type": "long" - }, - "dropped_octet_total_count": { - "type": "long" - }, - "dropped_packet_delta_count": { - "type": "long" - }, - "dropped_packet_total_count": { - "type": "long" - }, - "dst_traffic_index": { - "type": "long" - }, - "egress_broadcast_packet_total_count": { - "type": "long" - }, - "egress_interface": { - "type": "long" - }, - "egress_interface_type": { - "type": "long" - }, - "egress_physical_interface": { - "type": "long" - }, - "egress_unicast_packet_total_count": { - "type": "long" - }, - "egress_vrfid": { - "type": "long" - }, - "encrypted_technology": { - "ignore_above": 1024, - "type": "keyword" - }, - "engine_id": { - "type": "short" - }, - "engine_type": { - "type": "short" - }, - "ethernet_header_length": { - "type": "short" - }, - "ethernet_payload_length": { - "type": "long" - }, - "ethernet_total_length": { - "type": "long" - }, - "ethernet_type": { - "type": "long" - }, - "export_interface": { - "type": "long" - }, - "export_protocol_version": { - "type": "short" - }, - "export_sctp_stream_id": { - "type": "long" - }, - "export_transport_protocol": { - "type": "short" - }, - "exported_flow_record_total_count": { - "type": "long" - }, - "exported_message_total_count": { - "type": "long" - }, - "exported_octet_total_count": { - "type": "long" - }, - "exporter": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_id": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "uptime_millis": { - "type": "long" - }, - "version": { - "type": "long" - } - } - }, - "exporter_certificate": { - "type": "short" - }, - "exporter_ipv4_address": { - "type": "ip" - }, - "exporter_ipv6_address": { - "type": "ip" - }, - "exporter_transport_port": { - "type": "long" - }, - "exporting_process_id": { - "type": "long" - }, - "external_address_realm": { - "type": "short" - }, - "firewall_event": { - "type": "short" - }, - "flags_and_sampler_id": { - "type": "long" - }, - "flow_active_timeout": { - "type": "long" - }, - "flow_direction": { - "type": "short" - }, - "flow_duration_microseconds": { - "type": "long" - }, - "flow_duration_milliseconds": { - "type": "long" - }, - "flow_end_delta_microseconds": { - "type": "long" - }, - "flow_end_microseconds": { - "type": "date" - }, - "flow_end_milliseconds": { - "type": "date" - }, - "flow_end_nanoseconds": { - "type": "date" - }, - "flow_end_reason": { - "type": "short" - }, - "flow_end_seconds": { - "type": "date" - }, - "flow_end_sys_up_time": { - "type": "long" - }, - "flow_id": { - "type": "long" - }, - "flow_idle_timeout": { - "type": "long" - }, - "flow_key_indicator": { - "type": "long" - }, - "flow_label_ipv6": { - "type": "long" - }, - "flow_sampling_time_interval": { - "type": "long" - }, - "flow_sampling_time_spacing": { - "type": "long" - }, - "flow_selected_flow_delta_count": { - "type": "long" - }, - "flow_selected_octet_delta_count": { - "type": "long" - }, - "flow_selected_packet_delta_count": { - "type": "long" - }, - "flow_selector_algorithm": { - "type": "long" - }, - "flow_start_delta_microseconds": { - "type": "long" - }, - "flow_start_microseconds": { - "type": "date" - }, - "flow_start_milliseconds": { - "type": "date" - }, - "flow_start_nanoseconds": { - "type": "date" - }, - "flow_start_seconds": { - "type": "date" - }, - "flow_start_sys_up_time": { - "type": "long" - }, - "forwarding_status": { - "type": "short" - }, - "fragment_flags": { - "type": "short" - }, - "fragment_identification": { - "type": "long" - }, - "fragment_offset": { - "type": "long" - }, - "global_address_mapping_high_threshold": { - "type": "long" - }, - "gre_key": { - "type": "long" - }, - "hash_digest_output": { - "type": "boolean" - }, - "hash_flow_domain": { - "type": "long" - }, - "hash_initialiser_value": { - "type": "long" - }, - "hash_ip_payload_offset": { - "type": "long" - }, - "hash_ip_payload_size": { - "type": "long" - }, - "hash_output_range_max": { - "type": "long" - }, - "hash_output_range_min": { - "type": "long" - }, - "hash_selected_range_max": { - "type": "long" - }, - "hash_selected_range_min": { - "type": "long" - }, - "http_content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_message_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_reason_phrase": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_request_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_request_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_request_target": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_status_code": { - "type": "long" - }, - "http_user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_code_ipv4": { - "type": "short" - }, - "icmp_code_ipv6": { - "type": "short" - }, - "icmp_type_code_ipv4": { - "type": "long" - }, - "icmp_type_code_ipv6": { - "type": "long" - }, - "icmp_type_ipv4": { - "type": "short" - }, - "icmp_type_ipv6": { - "type": "short" - }, - "igmp_type": { - "type": "short" - }, - "ignored_data_record_total_count": { - "type": "long" - }, - "ignored_layer2_frame_total_count": { - "type": "long" - }, - "ignored_layer2_octet_total_count": { - "type": "long" - }, - "ignored_octet_total_count": { - "type": "long" - }, - "ignored_packet_total_count": { - "type": "long" - }, - "information_element_data_type": { - "type": "short" - }, - "information_element_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "information_element_id": { - "type": "long" - }, - "information_element_index": { - "type": "long" - }, - "information_element_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "information_element_range_begin": { - "type": "long" - }, - "information_element_range_end": { - "type": "long" - }, - "information_element_semantics": { - "type": "short" - }, - "information_element_units": { - "type": "long" - }, - "ingress_broadcast_packet_total_count": { - "type": "long" - }, - "ingress_interface": { - "type": "long" - }, - "ingress_interface_type": { - "type": "long" - }, - "ingress_multicast_packet_total_count": { - "type": "long" - }, - "ingress_physical_interface": { - "type": "long" - }, - "ingress_unicast_packet_total_count": { - "type": "long" - }, - "ingress_vrfid": { - "type": "long" - }, - "initiator_octets": { - "type": "long" - }, - "initiator_packets": { - "type": "long" - }, - "interface_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "interface_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "intermediate_process_id": { - "type": "long" - }, - "internal_address_realm": { - "type": "short" - }, - "ip_class_of_service": { - "type": "short" - }, - "ip_diff_serv_code_point": { - "type": "short" - }, - "ip_header_length": { - "type": "short" - }, - "ip_header_packet_section": { - "type": "short" - }, - "ip_next_hop_ipv4_address": { - "type": "ip" - }, - "ip_next_hop_ipv6_address": { - "type": "ip" - }, - "ip_payload_length": { - "type": "long" - }, - "ip_payload_packet_section": { - "type": "short" - }, - "ip_precedence": { - "type": "short" - }, - "ip_sec_spi": { - "type": "long" - }, - "ip_total_length": { - "type": "long" - }, - "ip_ttl": { - "type": "short" - }, - "ip_version": { - "type": "short" - }, - "ipv4_ihl": { - "type": "short" - }, - "ipv4_options": { - "type": "long" - }, - "ipv4_router_sc": { - "type": "ip" - }, - "ipv6_extension_headers": { - "type": "long" - }, - "is_multicast": { - "type": "short" - }, - "layer2_frame_delta_count": { - "type": "long" - }, - "layer2_frame_total_count": { - "type": "long" - }, - "layer2_octet_delta_count": { - "type": "long" - }, - "layer2_octet_delta_sum_of_squares": { - "type": "long" - }, - "layer2_octet_total_count": { - "type": "long" - }, - "layer2_octet_total_sum_of_squares": { - "type": "long" - }, - "layer2_segment_id": { - "type": "long" - }, - "layer2packet_section_data": { - "type": "short" - }, - "layer2packet_section_offset": { - "type": "long" - }, - "layer2packet_section_size": { - "type": "long" - }, - "line_card_id": { - "type": "long" - }, - "lower_ci_limit": { - "type": "double" - }, - "max_bib_entries": { - "type": "long" - }, - "max_entries_per_user": { - "type": "long" - }, - "max_export_seconds": { - "type": "date" - }, - "max_flow_end_microseconds": { - "type": "date" - }, - "max_flow_end_milliseconds": { - "type": "date" - }, - "max_flow_end_nanoseconds": { - "type": "date" - }, - "max_flow_end_seconds": { - "type": "date" - }, - "max_fragments_pending_reassembly": { - "type": "long" - }, - "max_session_entries": { - "type": "long" - }, - "max_subscribers": { - "type": "long" - }, - "maximum_ip_total_length": { - "type": "long" - }, - "maximum_layer2_total_length": { - "type": "long" - }, - "maximum_ttl": { - "type": "short" - }, - "message_md5_checksum": { - "type": "short" - }, - "message_scope": { - "type": "short" - }, - "metering_process_id": { - "type": "long" - }, - "metro_evc_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "metro_evc_type": { - "type": "short" - }, - "mib_capture_time_semantics": { - "type": "short" - }, - "mib_context_engine_id": { - "type": "short" - }, - "mib_context_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "mib_index_indicator": { - "type": "long" - }, - "mib_module_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "mib_object_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "mib_object_identifier": { - "type": "short" - }, - "mib_object_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "mib_object_syntax": { - "ignore_above": 1024, - "type": "keyword" - }, - "mib_object_value_bits": { - "type": "short" - }, - "mib_object_value_counter": { - "type": "long" - }, - "mib_object_value_gauge": { - "type": "long" - }, - "mib_object_value_integer": { - "type": "long" - }, - "mib_object_value_ip_address": { - "type": "ip" - }, - "mib_object_value_octet_string": { - "type": "short" - }, - "mib_object_value_oid": { - "type": "short" - }, - "mib_object_value_time_ticks": { - "type": "long" - }, - "mib_object_value_unsigned": { - "type": "long" - }, - "mib_sub_identifier": { - "type": "long" - }, - "min_export_seconds": { - "type": "date" - }, - "min_flow_start_microseconds": { - "type": "date" - }, - "min_flow_start_milliseconds": { - "type": "date" - }, - "min_flow_start_nanoseconds": { - "type": "date" - }, - "min_flow_start_seconds": { - "type": "date" - }, - "minimum_ip_total_length": { - "type": "long" - }, - "minimum_layer2_total_length": { - "type": "long" - }, - "minimum_ttl": { - "type": "short" - }, - "mobile_imsi": { - "ignore_above": 1024, - "type": "keyword" - }, - "mobile_msisdn": { - "ignore_above": 1024, - "type": "keyword" - }, - "monitoring_interval_end_milli_seconds": { - "type": "date" - }, - "monitoring_interval_start_milli_seconds": { - "type": "date" - }, - "mpls_label_stack_depth": { - "type": "long" - }, - "mpls_label_stack_length": { - "type": "long" - }, - "mpls_label_stack_section": { - "type": "short" - }, - "mpls_label_stack_section10": { - "type": "short" - }, - "mpls_label_stack_section2": { - "type": "short" - }, - "mpls_label_stack_section3": { - "type": "short" - }, - "mpls_label_stack_section4": { - "type": "short" - }, - "mpls_label_stack_section5": { - "type": "short" - }, - "mpls_label_stack_section6": { - "type": "short" - }, - "mpls_label_stack_section7": { - "type": "short" - }, - "mpls_label_stack_section8": { - "type": "short" - }, - "mpls_label_stack_section9": { - "type": "short" - }, - "mpls_payload_length": { - "type": "long" - }, - "mpls_payload_packet_section": { - "type": "short" - }, - "mpls_top_label_exp": { - "type": "short" - }, - "mpls_top_label_ipv4_address": { - "type": "ip" - }, - "mpls_top_label_ipv6_address": { - "type": "ip" - }, - "mpls_top_label_prefix_length": { - "type": "short" - }, - "mpls_top_label_stack_section": { - "type": "short" - }, - "mpls_top_label_ttl": { - "type": "short" - }, - "mpls_top_label_type": { - "type": "short" - }, - "mpls_vpn_route_distinguisher": { - "type": "short" - }, - "multicast_replication_factor": { - "type": "long" - }, - "nat_event": { - "type": "short" - }, - "nat_instance_id": { - "type": "long" - }, - "nat_originating_address_realm": { - "type": "short" - }, - "nat_pool_id": { - "type": "long" - }, - "nat_pool_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat_quota_exceeded_event": { - "type": "long" - }, - "nat_threshold_event": { - "type": "long" - }, - "nat_type": { - "type": "short" - }, - "new_connection_delta_count": { - "type": "long" - }, - "next_header_ipv6": { - "type": "short" - }, - "not_sent_flow_total_count": { - "type": "long" - }, - "not_sent_layer2_octet_total_count": { - "type": "long" - }, - "not_sent_octet_total_count": { - "type": "long" - }, - "not_sent_packet_total_count": { - "type": "long" - }, - "observation_domain_id": { - "type": "long" - }, - "observation_domain_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "observation_point_id": { - "type": "long" - }, - "observation_point_type": { - "type": "short" - }, - "observation_time_microseconds": { - "type": "date" - }, - "observation_time_milliseconds": { - "type": "date" - }, - "observation_time_nanoseconds": { - "type": "date" - }, - "observation_time_seconds": { - "type": "date" - }, - "observed_flow_total_count": { - "type": "long" - }, - "octet_delta_count": { - "type": "long" - }, - "octet_delta_sum_of_squares": { - "type": "long" - }, - "octet_total_count": { - "type": "long" - }, - "octet_total_sum_of_squares": { - "type": "long" - }, - "opaque_octets": { - "type": "short" - }, - "original_exporter_ipv4_address": { - "type": "ip" - }, - "original_exporter_ipv6_address": { - "type": "ip" - }, - "original_flows_completed": { - "type": "long" - }, - "original_flows_initiated": { - "type": "long" - }, - "original_flows_present": { - "type": "long" - }, - "original_observation_domain_id": { - "type": "long" - }, - "p2p_technology": { - "ignore_above": 1024, - "type": "keyword" - }, - "packet_delta_count": { - "type": "long" - }, - "packet_total_count": { - "type": "long" - }, - "padding_octets": { - "type": "short" - }, - "payload_length_ipv6": { - "type": "long" - }, - "port_id": { - "type": "long" - }, - "port_range_end": { - "type": "long" - }, - "port_range_num_ports": { - "type": "long" - }, - "port_range_start": { - "type": "long" - }, - "port_range_step_size": { - "type": "long" - }, - "post_destination_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "post_dot1q_customer_vlan_id": { - "type": "long" - }, - "post_dot1q_vlan_id": { - "type": "long" - }, - "post_ip_class_of_service": { - "type": "short" - }, - "post_ip_diff_serv_code_point": { - "type": "short" - }, - "post_ip_precedence": { - "type": "short" - }, - "post_layer2_octet_delta_count": { - "type": "long" - }, - "post_layer2_octet_total_count": { - "type": "long" - }, - "post_mcast_layer2_octet_delta_count": { - "type": "long" - }, - "post_mcast_layer2_octet_total_count": { - "type": "long" - }, - "post_mcast_octet_delta_count": { - "type": "long" - }, - "post_mcast_octet_total_count": { - "type": "long" - }, - "post_mcast_packet_delta_count": { - "type": "long" - }, - "post_mcast_packet_total_count": { - "type": "long" - }, - "post_mpls_top_label_exp": { - "type": "short" - }, - "post_napt_destination_transport_port": { - "type": "long" - }, - "post_napt_source_transport_port": { - "type": "long" - }, - "post_nat_destination_ipv4_address": { - "type": "ip" - }, - "post_nat_destination_ipv6_address": { - "type": "ip" - }, - "post_nat_source_ipv4_address": { - "type": "ip" - }, - "post_nat_source_ipv6_address": { - "type": "ip" - }, - "post_octet_delta_count": { - "type": "long" - }, - "post_octet_total_count": { - "type": "long" - }, - "post_packet_delta_count": { - "type": "long" - }, - "post_packet_total_count": { - "type": "long" - }, - "post_source_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "post_vlan_id": { - "type": "long" - }, - "private_enterprise_number": { - "type": "long" - }, - "protocol_identifier": { - "type": "short" - }, - "pseudo_wire_control_word": { - "type": "long" - }, - "pseudo_wire_destination_ipv4_address": { - "type": "ip" - }, - "pseudo_wire_id": { - "type": "long" - }, - "pseudo_wire_type": { - "type": "long" - }, - "relative_error": { - "type": "double" - }, - "responder_octets": { - "type": "long" - }, - "responder_packets": { - "type": "long" - }, - "rfc3550_jitter_microseconds": { - "type": "long" - }, - "rfc3550_jitter_milliseconds": { - "type": "long" - }, - "rfc3550_jitter_nanoseconds": { - "type": "long" - }, - "rtp_sequence_number": { - "type": "long" - }, - "sampler_id": { - "type": "short" - }, - "sampler_mode": { - "type": "short" - }, - "sampler_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "sampler_random_interval": { - "type": "long" - }, - "sampling_algorithm": { - "type": "short" - }, - "sampling_flow_interval": { - "type": "long" - }, - "sampling_flow_spacing": { - "type": "long" - }, - "sampling_interval": { - "type": "long" - }, - "sampling_packet_interval": { - "type": "long" - }, - "sampling_packet_space": { - "type": "long" - }, - "sampling_population": { - "type": "long" - }, - "sampling_probability": { - "type": "double" - }, - "sampling_size": { - "type": "long" - }, - "sampling_time_interval": { - "type": "long" - }, - "sampling_time_space": { - "type": "long" - }, - "section_exported_octets": { - "type": "long" - }, - "section_offset": { - "type": "long" - }, - "selection_sequence_id": { - "type": "long" - }, - "selector_algorithm": { - "type": "long" - }, - "selector_id": { - "type": "long" - }, - "selector_id_total_flows_observed": { - "type": "long" - }, - "selector_id_total_flows_selected": { - "type": "long" - }, - "selector_id_total_pkts_observed": { - "type": "long" - }, - "selector_id_total_pkts_selected": { - "type": "long" - }, - "selector_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_scope": { - "type": "short" - }, - "source_ipv4_address": { - "type": "ip" - }, - "source_ipv4_prefix": { - "type": "ip" - }, - "source_ipv4_prefix_length": { - "type": "short" - }, - "source_ipv6_address": { - "type": "ip" - }, - "source_ipv6_prefix": { - "type": "ip" - }, - "source_ipv6_prefix_length": { - "type": "short" - }, - "source_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_transport_port": { - "type": "long" - }, - "source_transport_ports_limit": { - "type": "long" - }, - "src_traffic_index": { - "type": "long" - }, - "sta_ipv4_address": { - "type": "ip" - }, - "sta_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "system_init_time_milliseconds": { - "type": "date" - }, - "tcp_ack_total_count": { - "type": "long" - }, - "tcp_acknowledgement_number": { - "type": "long" - }, - "tcp_control_bits": { - "type": "long" - }, - "tcp_destination_port": { - "type": "long" - }, - "tcp_fin_total_count": { - "type": "long" - }, - "tcp_header_length": { - "type": "short" - }, - "tcp_options": { - "type": "long" - }, - "tcp_psh_total_count": { - "type": "long" - }, - "tcp_rst_total_count": { - "type": "long" - }, - "tcp_sequence_number": { - "type": "long" - }, - "tcp_source_port": { - "type": "long" - }, - "tcp_syn_total_count": { - "type": "long" - }, - "tcp_urg_total_count": { - "type": "long" - }, - "tcp_urgent_pointer": { - "type": "long" - }, - "tcp_window_scale": { - "type": "long" - }, - "tcp_window_size": { - "type": "long" - }, - "template_id": { - "type": "long" - }, - "total_length_ipv4": { - "type": "long" - }, - "transport_octet_delta_count": { - "type": "long" - }, - "transport_packet_delta_count": { - "type": "long" - }, - "tunnel_technology": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "udp_destination_port": { - "type": "long" - }, - "udp_message_length": { - "type": "long" - }, - "udp_source_port": { - "type": "long" - }, - "upper_ci_limit": { - "type": "double" - }, - "user_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "value_distribution_method": { - "type": "short" - }, - "virtual_station_interface_id": { - "type": "short" - }, - "virtual_station_interface_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_station_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_station_uuid": { - "type": "short" - }, - "vlan_id": { - "type": "long" - }, - "vpn_identifier": { - "type": "short" - }, - "vr_fname": { - "ignore_above": 1024, - "type": "keyword" - }, - "wlan_channel_id": { - "type": "short" - }, - "wlan_ssid": { - "ignore_above": 1024, - "type": "keyword" - }, - "wtp_mac_address": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/suricata.json b/salt/elasticsearch/templates/component/ecs/newcomponents/suricata.json deleted file mode 100644 index d824294e9..000000000 --- a/salt/elasticsearch/templates/component/ecs/newcomponents/suricata.json +++ /dev/null @@ -1,850 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "suricata": { - "properties": { - "eve": { - "properties": { - "alert": { - "properties": { - "affected_product": { - "ignore_above": 1024, - "type": "keyword" - }, - "attack_target": { - "ignore_above": 1024, - "type": "keyword" - }, - "capec_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "created_at": { - "type": "date" - }, - "cve": { - "ignore_above": 1024, - "type": "keyword" - }, - "cvss_v2_base": { - "ignore_above": 1024, - "type": "keyword" - }, - "cvss_v2_temporal": { - "ignore_above": 1024, - "type": "keyword" - }, - "cvss_v3_base": { - "ignore_above": 1024, - "type": "keyword" - }, - "cvss_v3_temporal": { - "ignore_above": 1024, - "type": "keyword" - }, - "cwe_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "deployment": { - "ignore_above": 1024, - "type": "keyword" - }, - "former_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "type": "long" - }, - "hostile": { - "ignore_above": 1024, - "type": "keyword" - }, - "infected": { - "ignore_above": 1024, - "type": "keyword" - }, - "malware": { - "ignore_above": 1024, - "type": "keyword" - }, - "metadata": { - "type": "flattened" - }, - "mitre_tool_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "performance_impact": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocols": { - "ignore_above": 1024, - "type": "keyword" - }, - "rev": { - "type": "long" - }, - "rule_source": { - "ignore_above": 1024, - "type": "keyword" - }, - "sid": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_id": { - "type": "long" - }, - "signature_severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - }, - "updated_at": { - "type": "date" - } - } - }, - "app_proto_expected": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_proto_orig": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_proto_tc": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_proto_ts": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns": { - "properties": { - "id": { - "type": "long" - }, - "rcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "rdata": { - "ignore_above": 1024, - "type": "keyword" - }, - "rrname": { - "ignore_above": 1024, - "type": "keyword" - }, - "rrtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "tx_id": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "properties": { - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "fileinfo": { - "properties": { - "gaps": { - "type": "boolean" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "stored": { - "type": "boolean" - }, - "tx_id": { - "type": "long" - } - } - }, - "flow": { - "properties": { - "age": { - "type": "long" - }, - "alerted": { - "type": "boolean" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "flow_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "http": { - "properties": { - "http_content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "redirect": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "icmp_code": { - "type": "long" - }, - "icmp_type": { - "type": "long" - }, - "in_iface": { - "ignore_above": 1024, - "type": "keyword" - }, - "pcap_cnt": { - "type": "long" - }, - "smtp": { - "properties": { - "helo": { - "ignore_above": 1024, - "type": "keyword" - }, - "mail_from": { - "ignore_above": 1024, - "type": "keyword" - }, - "rcpt_to": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ssh": { - "properties": { - "client": { - "properties": { - "proto_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "software_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "proto_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "software_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "stats": { - "properties": { - "app_layer": { - "properties": { - "flow": { - "properties": { - "dcerpc_tcp": { - "type": "long" - }, - "dcerpc_udp": { - "type": "long" - }, - "dns_tcp": { - "type": "long" - }, - "dns_udp": { - "type": "long" - }, - "failed_tcp": { - "type": "long" - }, - "failed_udp": { - "type": "long" - }, - "ftp": { - "type": "long" - }, - "http": { - "type": "long" - }, - "imap": { - "type": "long" - }, - "msn": { - "type": "long" - }, - "smb": { - "type": "long" - }, - "smtp": { - "type": "long" - }, - "ssh": { - "type": "long" - }, - "tls": { - "type": "long" - } - } - }, - "tx": { - "properties": { - "dcerpc_tcp": { - "type": "long" - }, - "dcerpc_udp": { - "type": "long" - }, - "dns_tcp": { - "type": "long" - }, - "dns_udp": { - "type": "long" - }, - "ftp": { - "type": "long" - }, - "http": { - "type": "long" - }, - "smb": { - "type": "long" - }, - "smtp": { - "type": "long" - }, - "ssh": { - "type": "long" - }, - "tls": { - "type": "long" - } - } - } - } - }, - "capture": { - "properties": { - "kernel_drops": { - "type": "long" - }, - "kernel_ifdrops": { - "type": "long" - }, - "kernel_packets": { - "type": "long" - } - } - }, - "decoder": { - "properties": { - "avg_pkt_size": { - "type": "long" - }, - "bytes": { - "type": "long" - }, - "dce": { - "properties": { - "pkt_too_small": { - "type": "long" - } - } - }, - "erspan": { - "type": "long" - }, - "ethernet": { - "type": "long" - }, - "gre": { - "type": "long" - }, - "icmpv4": { - "type": "long" - }, - "icmpv6": { - "type": "long" - }, - "ieee8021ah": { - "type": "long" - }, - "invalid": { - "type": "long" - }, - "ipraw": { - "properties": { - "invalid_ip_version": { - "type": "long" - } - } - }, - "ipv4": { - "type": "long" - }, - "ipv4_in_ipv6": { - "type": "long" - }, - "ipv6": { - "type": "long" - }, - "ipv6_in_ipv6": { - "type": "long" - }, - "ltnull": { - "properties": { - "pkt_too_small": { - "type": "long" - }, - "unsupported_type": { - "type": "long" - } - } - }, - "max_pkt_size": { - "type": "long" - }, - "mpls": { - "type": "long" - }, - "null": { - "type": "long" - }, - "pkts": { - "type": "long" - }, - "ppp": { - "type": "long" - }, - "pppoe": { - "type": "long" - }, - "raw": { - "type": "long" - }, - "sctp": { - "type": "long" - }, - "sll": { - "type": "long" - }, - "tcp": { - "type": "long" - }, - "teredo": { - "type": "long" - }, - "udp": { - "type": "long" - }, - "vlan": { - "type": "long" - }, - "vlan_qinq": { - "type": "long" - } - } - }, - "defrag": { - "properties": { - "ipv4": { - "properties": { - "fragments": { - "type": "long" - }, - "reassembled": { - "type": "long" - }, - "timeouts": { - "type": "long" - } - } - }, - "ipv6": { - "properties": { - "fragments": { - "type": "long" - }, - "reassembled": { - "type": "long" - }, - "timeouts": { - "type": "long" - } - } - }, - "max_frag_hits": { - "type": "long" - } - } - }, - "detect": { - "properties": { - "alert": { - "type": "long" - } - } - }, - "dns": { - "properties": { - "memcap_global": { - "type": "long" - }, - "memcap_state": { - "type": "long" - }, - "memuse": { - "type": "long" - } - } - }, - "file_store": { - "properties": { - "open_files": { - "type": "long" - } - } - }, - "flow": { - "properties": { - "emerg_mode_entered": { - "type": "long" - }, - "emerg_mode_over": { - "type": "long" - }, - "icmpv4": { - "type": "long" - }, - "icmpv6": { - "type": "long" - }, - "memcap": { - "type": "long" - }, - "memuse": { - "type": "long" - }, - "spare": { - "type": "long" - }, - "tcp": { - "type": "long" - }, - "tcp_reuse": { - "type": "long" - }, - "udp": { - "type": "long" - } - } - }, - "flow_mgr": { - "properties": { - "bypassed_pruned": { - "type": "long" - }, - "closed_pruned": { - "type": "long" - }, - "est_pruned": { - "type": "long" - }, - "flows_checked": { - "type": "long" - }, - "flows_notimeout": { - "type": "long" - }, - "flows_removed": { - "type": "long" - }, - "flows_timeout": { - "type": "long" - }, - "flows_timeout_inuse": { - "type": "long" - }, - "new_pruned": { - "type": "long" - }, - "rows_busy": { - "type": "long" - }, - "rows_checked": { - "type": "long" - }, - "rows_empty": { - "type": "long" - }, - "rows_maxlen": { - "type": "long" - }, - "rows_skipped": { - "type": "long" - } - } - }, - "http": { - "properties": { - "memcap": { - "type": "long" - }, - "memuse": { - "type": "long" - } - } - }, - "tcp": { - "properties": { - "insert_data_normal_fail": { - "type": "long" - }, - "insert_data_overlap_fail": { - "type": "long" - }, - "insert_list_fail": { - "type": "long" - }, - "invalid_checksum": { - "type": "long" - }, - "memuse": { - "type": "long" - }, - "no_flow": { - "type": "long" - }, - "overlap": { - "type": "long" - }, - "overlap_diff_data": { - "type": "long" - }, - "pseudo": { - "type": "long" - }, - "pseudo_failed": { - "type": "long" - }, - "reassembly_gap": { - "type": "long" - }, - "reassembly_memuse": { - "type": "long" - }, - "rst": { - "type": "long" - }, - "segment_memcap_drop": { - "type": "long" - }, - "sessions": { - "type": "long" - }, - "ssn_memcap_drop": { - "type": "long" - }, - "stream_depth_reached": { - "type": "long" - }, - "syn": { - "type": "long" - }, - "synack": { - "type": "long" - } - } - }, - "uptime": { - "type": "long" - } - } - }, - "tcp": { - "properties": { - "ack": { - "type": "boolean" - }, - "fin": { - "type": "boolean" - }, - "psh": { - "type": "boolean" - }, - "rst": { - "type": "boolean" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "syn": { - "type": "boolean" - }, - "tcp_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_flags_tc": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_flags_ts": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tls": { - "properties": { - "fingerprint": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuerdn": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "string": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ja3s": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "string": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "notafter": { - "type": "date" - }, - "notbefore": { - "type": "date" - }, - "serial": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_resumed": { - "type": "boolean" - }, - "sni": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tx_id": { - "type": "long" - } - } - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/ecs/newcomponents/zeek.json b/salt/elasticsearch/templates/component/ecs/newcomponents/zeek.json deleted file mode 100644 index 720199001..000000000 --- a/salt/elasticsearch/templates/component/ecs/newcomponents/zeek.json +++ /dev/null @@ -1,2279 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "zeek": { - "properties": { - "capture_loss": { - "properties": { - "acks": { - "type": "long" - }, - "gaps": { - "type": "long" - }, - "peer": { - "ignore_above": 1024, - "type": "keyword" - }, - "percent_lost": { - "type": "double" - }, - "ts_delta": { - "type": "long" - } - } - }, - "connection": { - "properties": { - "history": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp": { - "properties": { - "code": { - "type": "long" - }, - "type": { - "type": "long" - } - } - }, - "inner_vlan": { - "type": "long" - }, - "local_orig": { - "type": "boolean" - }, - "local_resp": { - "type": "boolean" - }, - "missed_bytes": { - "type": "long" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_message": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "type": "long" - } - } - }, - "dce_rpc": { - "properties": { - "endpoint": { - "ignore_above": 1024, - "type": "keyword" - }, - "named_pipe": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation": { - "ignore_above": 1024, - "type": "keyword" - }, - "rtt": { - "type": "long" - } - } - }, - "dhcp": { - "properties": { - "address": { - "properties": { - "assigned": { - "type": "ip" - }, - "client": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "requested": { - "type": "ip" - }, - "server": { - "type": "ip" - } - } - }, - "client_fqdn": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "double" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "properties": { - "circuit": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "subscriber": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "lease_time": { - "type": "long" - }, - "msg": { - "properties": { - "client": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "type": "ip" - }, - "server": { - "ignore_above": 1024, - "type": "keyword" - }, - "types": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "software": { - "properties": { - "client": { - "ignore_above": 1024, - "type": "keyword" - }, - "server": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dnp3": { - "properties": { - "function": { - "properties": { - "reply": { - "ignore_above": 1024, - "type": "keyword" - }, - "request": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - } - } - }, - "dns": { - "properties": { - "AA": { - "type": "boolean" - }, - "RA": { - "type": "boolean" - }, - "RD": { - "type": "boolean" - }, - "TC": { - "type": "boolean" - }, - "TTLs": { - "type": "double" - }, - "answers": { - "ignore_above": 1024, - "type": "keyword" - }, - "qclass": { - "type": "long" - }, - "qclass_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "qtype": { - "type": "long" - }, - "qtype_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "rcode": { - "type": "long" - }, - "rcode_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rejected": { - "type": "boolean" - }, - "rtt": { - "type": "double" - }, - "saw_query": { - "type": "boolean" - }, - "saw_reply": { - "type": "boolean" - }, - "total_answers": { - "type": "long" - }, - "total_replies": { - "type": "long" - }, - "trans_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dpd": { - "properties": { - "analyzer": { - "ignore_above": 1024, - "type": "keyword" - }, - "failure_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "packet_segment": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "files": { - "properties": { - "analyzers": { - "ignore_above": 1024, - "type": "keyword" - }, - "depth": { - "type": "long" - }, - "duration": { - "type": "double" - }, - "entropy": { - "type": "double" - }, - "extracted": { - "ignore_above": 1024, - "type": "keyword" - }, - "extracted_cutoff": { - "type": "boolean" - }, - "extracted_size": { - "type": "long" - }, - "filename": { - "ignore_above": 1024, - "type": "keyword" - }, - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_orig": { - "type": "boolean" - }, - "local_orig": { - "type": "boolean" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "missing_bytes": { - "type": "long" - }, - "overflow_bytes": { - "type": "long" - }, - "parent_fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "rx_host": { - "type": "ip" - }, - "seen_bytes": { - "type": "long" - }, - "session_ids": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "timedout": { - "type": "boolean" - }, - "total_bytes": { - "type": "long" - }, - "tx_host": { - "type": "ip" - } - } - }, - "ftp": { - "properties": { - "arg": { - "ignore_above": 1024, - "type": "keyword" - }, - "capture_password": { - "type": "boolean" - }, - "cmdarg": { - "properties": { - "arg": { - "ignore_above": 1024, - "type": "keyword" - }, - "cmd": { - "ignore_above": 1024, - "type": "keyword" - }, - "seq": { - "type": "long" - } - } - }, - "command": { - "ignore_above": 1024, - "type": "keyword" - }, - "cwd": { - "ignore_above": 1024, - "type": "keyword" - }, - "data_channel": { - "properties": { - "originating_host": { - "type": "ip" - }, - "passive": { - "type": "boolean" - }, - "response_host": { - "type": "ip" - }, - "response_port": { - "type": "long" - } - } - }, - "file": { - "properties": { - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - } - } - }, - "last_auth_requested": { - "ignore_above": 1024, - "type": "keyword" - }, - "passive": { - "type": "boolean" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "pending_commands": { - "type": "long" - }, - "reply": { - "properties": { - "code": { - "type": "long" - }, - "msg": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "http": { - "properties": { - "captured_password": { - "type": "boolean" - }, - "client_header_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "info_code": { - "type": "long" - }, - "info_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "orig_filenames": { - "ignore_above": 1024, - "type": "keyword" - }, - "orig_fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "orig_mime_depth": { - "type": "long" - }, - "orig_mime_types": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "proxied": { - "ignore_above": 1024, - "type": "keyword" - }, - "range_request": { - "type": "boolean" - }, - "resp_filenames": { - "ignore_above": 1024, - "type": "keyword" - }, - "resp_fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "resp_mime_depth": { - "type": "long" - }, - "resp_mime_types": { - "ignore_above": 1024, - "type": "keyword" - }, - "server_header_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "trans_depth": { - "type": "long" - } - } - }, - "intel": { - "properties": { - "file_desc": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "matched": { - "ignore_above": 1024, - "type": "keyword" - }, - "seen": { - "properties": { - "conn": { - "ignore_above": 1024, - "type": "keyword" - }, - "f": { - "type": "object" - }, - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "ignore_above": 1024, - "type": "keyword" - }, - "indicator": { - "ignore_above": 1024, - "type": "keyword" - }, - "indicator_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "where": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sources": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "irc": { - "properties": { - "addl": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "ignore_above": 1024, - "type": "keyword" - }, - "dcc": { - "properties": { - "file": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "nick": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "kerberos": { - "properties": { - "cert": { - "properties": { - "client": { - "properties": { - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "ignore_above": 1024, - "type": "keyword" - }, - "error": { - "properties": { - "code": { - "type": "long" - }, - "msg": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "forwardable": { - "type": "boolean" - }, - "renewable": { - "type": "boolean" - }, - "request_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "ignore_above": 1024, - "type": "keyword" - }, - "success": { - "type": "boolean" - }, - "ticket": { - "properties": { - "auth": { - "ignore_above": 1024, - "type": "keyword" - }, - "new": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "valid": { - "properties": { - "days": { - "type": "long" - }, - "from": { - "type": "date" - }, - "until": { - "type": "date" - } - } - } - } - }, - "modbus": { - "properties": { - "exception": { - "ignore_above": 1024, - "type": "keyword" - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - }, - "track_address": { - "type": "long" - } - } - }, - "mysql": { - "properties": { - "arg": { - "ignore_above": 1024, - "type": "keyword" - }, - "cmd": { - "ignore_above": 1024, - "type": "keyword" - }, - "response": { - "ignore_above": 1024, - "type": "keyword" - }, - "rows": { - "type": "long" - }, - "success": { - "type": "boolean" - } - } - }, - "notice": { - "properties": { - "actions": { - "ignore_above": 1024, - "type": "keyword" - }, - "connection_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dropped": { - "type": "boolean" - }, - "email_body_sections": { - "norms": false, - "type": "text" - }, - "email_delay_tokens": { - "ignore_above": 1024, - "type": "keyword" - }, - "false": { - "type": "long" - }, - "ffile": { - "properties": { - "total_bytes": { - "type": "long" - } - } - }, - "file": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_orig": { - "type": "boolean" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "missing_bytes": { - "type": "long" - }, - "overflow_bytes": { - "type": "long" - }, - "parent_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "seen_bytes": { - "type": "long" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "note": { - "ignore_above": 1024, - "type": "keyword" - }, - "peer_descr": { - "norms": false, - "type": "text" - }, - "peer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub": { - "ignore_above": 1024, - "type": "keyword" - }, - "suppress_for": { - "type": "double" - } - } - }, - "ntlm": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "server": { - "properties": { - "name": { - "properties": { - "dns": { - "ignore_above": 1024, - "type": "keyword" - }, - "netbios": { - "ignore_above": 1024, - "type": "keyword" - }, - "tree": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "success": { - "type": "boolean" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ntp": { - "properties": { - "mode": { - "type": "long" - }, - "num_exts": { - "type": "long" - }, - "org_time": { - "type": "date" - }, - "poll": { - "type": "double" - }, - "precision": { - "type": "double" - }, - "rec_time": { - "type": "date" - }, - "ref_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ref_time": { - "type": "date" - }, - "root_delay": { - "type": "double" - }, - "root_disp": { - "type": "double" - }, - "stratum": { - "type": "long" - }, - "version": { - "type": "long" - }, - "xmt_time": { - "type": "date" - } - } - }, - "ocsp": { - "properties": { - "file_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "revoke": { - "properties": { - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "time": { - "type": "date" - } - } - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "update": { - "properties": { - "next": { - "type": "date" - }, - "this": { - "type": "date" - } - } - } - } - }, - "pe": { - "properties": { - "client": { - "ignore_above": 1024, - "type": "keyword" - }, - "compile_time": { - "type": "date" - }, - "has_cert_table": { - "type": "boolean" - }, - "has_debug_data": { - "type": "boolean" - }, - "has_export_table": { - "type": "boolean" - }, - "has_import_table": { - "type": "boolean" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_64bit": { - "type": "boolean" - }, - "is_exe": { - "type": "boolean" - }, - "machine": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "ignore_above": 1024, - "type": "keyword" - }, - "section_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "subsystem": { - "ignore_above": 1024, - "type": "keyword" - }, - "uses_aslr": { - "type": "boolean" - }, - "uses_code_integrity": { - "type": "boolean" - }, - "uses_dep": { - "type": "boolean" - }, - "uses_seh": { - "type": "boolean" - } - } - }, - "radius": { - "properties": { - "connect_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "framed_addr": { - "type": "ip" - }, - "logged": { - "type": "boolean" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote_ip": { - "type": "ip" - }, - "reply_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rdp": { - "properties": { - "cert": { - "properties": { - "count": { - "type": "long" - }, - "permanent": { - "type": "boolean" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cookie": { - "ignore_above": 1024, - "type": "keyword" - }, - "desktop": { - "properties": { - "color_depth": { - "ignore_above": 1024, - "type": "keyword" - }, - "height": { - "type": "long" - }, - "width": { - "type": "long" - } - } - }, - "done": { - "type": "boolean" - }, - "encryption": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "keyboard_layout": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl": { - "type": "boolean" - } - } - }, - "rfb": { - "properties": { - "auth": { - "properties": { - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "success": { - "type": "boolean" - } - } - }, - "desktop_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "height": { - "type": "long" - }, - "share_flag": { - "type": "boolean" - }, - "version": { - "properties": { - "client": { - "properties": { - "major": { - "ignore_above": 1024, - "type": "keyword" - }, - "minor": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "major": { - "ignore_above": 1024, - "type": "keyword" - }, - "minor": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "width": { - "type": "long" - } - } - }, - "session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature": { - "properties": { - "event_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_count": { - "type": "long" - }, - "note": { - "ignore_above": 1024, - "type": "keyword" - }, - "sig_count": { - "type": "long" - }, - "sig_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_msg": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sip": { - "properties": { - "call_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "date": { - "ignore_above": 1024, - "type": "keyword" - }, - "reply_to": { - "ignore_above": 1024, - "type": "keyword" - }, - "request": { - "properties": { - "body_length": { - "type": "long" - }, - "from": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body_length": { - "type": "long" - }, - "from": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sequence": { - "properties": { - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "number": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "status": { - "properties": { - "code": { - "type": "long" - }, - "msg": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "transaction_depth": { - "type": "long" - }, - "uri": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "warning": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "smb_cmd": { - "properties": { - "argument": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "rx": { - "type": "ip" - }, - "tx": { - "type": "ip" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rtt": { - "type": "double" - }, - "smb1_offered_dialects": { - "ignore_above": 1024, - "type": "keyword" - }, - "smb2_offered_dialects": { - "type": "long" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_command": { - "ignore_above": 1024, - "type": "keyword" - }, - "tree": { - "ignore_above": 1024, - "type": "keyword" - }, - "tree_service": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "smb_files": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "fid": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "previous_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "times": { - "properties": { - "accessed": { - "type": "date" - }, - "changed": { - "type": "date" - }, - "created": { - "type": "date" - }, - "modified": { - "type": "date" - } - } - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "smb_mapping": { - "properties": { - "native_file_system": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "ignore_above": 1024, - "type": "keyword" - }, - "share_type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "smtp": { - "properties": { - "cc": { - "ignore_above": 1024, - "type": "keyword" - }, - "date": { - "type": "date" - }, - "first_received": { - "ignore_above": 1024, - "type": "keyword" - }, - "from": { - "ignore_above": 1024, - "type": "keyword" - }, - "fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "has_client_activity": { - "type": "boolean" - }, - "helo": { - "ignore_above": 1024, - "type": "keyword" - }, - "in_reply_to": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_webmail": { - "type": "boolean" - }, - "last_reply": { - "ignore_above": 1024, - "type": "keyword" - }, - "mail_from": { - "ignore_above": 1024, - "type": "keyword" - }, - "msg_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "type": "ip" - }, - "process_received_from": { - "type": "boolean" - }, - "rcpt_to": { - "ignore_above": 1024, - "type": "keyword" - }, - "reply_to": { - "ignore_above": 1024, - "type": "keyword" - }, - "second_received": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "tls": { - "type": "boolean" - }, - "to": { - "ignore_above": 1024, - "type": "keyword" - }, - "transaction_depth": { - "type": "long" - }, - "user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "x_originating_ip": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "snmp": { - "properties": { - "community": { - "ignore_above": 1024, - "type": "keyword" - }, - "display_string": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "double" - }, - "get": { - "properties": { - "bulk_requests": { - "type": "long" - }, - "requests": { - "type": "long" - }, - "responses": { - "type": "long" - } - } - }, - "set": { - "properties": { - "requests": { - "type": "long" - } - } - }, - "up_since": { - "type": "date" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "socks": { - "properties": { - "bound": { - "properties": { - "host": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - } - } - }, - "capture_password": { - "type": "boolean" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "request": { - "properties": { - "host": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - } - } - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - } - } - }, - "ssh": { - "properties": { - "algorithm": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "compression": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_key": { - "ignore_above": 1024, - "type": "keyword" - }, - "key_exchange": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "auth": { - "properties": { - "attempts": { - "type": "long" - }, - "success": { - "type": "boolean" - } - } - }, - "client": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_key": { - "ignore_above": 1024, - "type": "keyword" - }, - "server": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - } - } - }, - "ssl": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "cert_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert_chain_fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "last_alert": { - "ignore_above": 1024, - "type": "keyword" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "cert_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert_chain_fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "validation": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "stats": { - "properties": { - "bytes": { - "properties": { - "received": { - "type": "long" - } - } - }, - "connections": { - "properties": { - "icmp": { - "properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - } - }, - "tcp": { - "properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - } - }, - "udp": { - "properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - } - } - } - }, - "dns_requests": { - "properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - } - }, - "events": { - "properties": { - "processed": { - "type": "long" - }, - "queued": { - "type": "long" - } - } - }, - "files": { - "properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - } - }, - "memory": { - "type": "long" - }, - "packets": { - "properties": { - "dropped": { - "type": "long" - }, - "processed": { - "type": "long" - }, - "received": { - "type": "long" - } - } - }, - "peer": { - "ignore_above": 1024, - "type": "keyword" - }, - "reassembly_size": { - "properties": { - "file": { - "type": "long" - }, - "frag": { - "type": "long" - }, - "tcp": { - "type": "long" - }, - "unknown": { - "type": "long" - } - } - }, - "timers": { - "properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - } - }, - "timestamp_lag": { - "type": "long" - } - } - }, - "syslog": { - "properties": { - "facility": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tunnel": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "weird": { - "properties": { - "additional_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "notice": { - "type": "boolean" - }, - "peer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "basic_constraints": { - "properties": { - "certificate_authority": { - "type": "boolean" - }, - "path_length": { - "type": "long" - } - } - }, - "certificate": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "exponent": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "key": { - "properties": { - "algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "length": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serial": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "valid": { - "properties": { - "from": { - "type": "date" - }, - "until": { - "type": "date" - } - } - }, - "version": { - "type": "long" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_cert": { - "type": "boolean" - }, - "san": { - "properties": { - "dns": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "other_fields": { - "type": "boolean" - }, - "uri": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/ecs/snyk.json b/salt/elasticsearch/templates/component/ecs/snyk.json deleted file mode 100644 index a8ed3889d..000000000 --- a/salt/elasticsearch/templates/component/ecs/snyk.json +++ /dev/null @@ -1,147 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "snyk": { - "properties": { - "audit": { - "properties": { - "content": { - "type": "flattened" - }, - "org_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "projects": { - "type": "flattened" - }, - "related": { - "properties": { - "projects": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vulnerabilities": { - "properties": { - "credit": { - "ignore_above": 1024, - "type": "keyword" - }, - "cvss3": { - "ignore_above": 1024, - "type": "keyword" - }, - "disclosure_time": { - "type": "date" - }, - "exploit_maturity": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "identifiers": { - "properties": { - "alternative": { - "ignore_above": 1024, - "type": "keyword" - }, - "cwe": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "introduced_date": { - "type": "date" - }, - "is_fixed": { - "type": "boolean" - }, - "is_ignored": { - "type": "boolean" - }, - "is_patchable": { - "type": "boolean" - }, - "is_patched": { - "type": "boolean" - }, - "is_pinnable": { - "type": "boolean" - }, - "is_upgradable": { - "type": "boolean" - }, - "jira_issue_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_severity": { - "type": "long" - }, - "package": { - "ignore_above": 1024, - "type": "keyword" - }, - "package_manager": { - "ignore_above": 1024, - "type": "keyword" - }, - "patches": { - "type": "flattened" - }, - "priority_score": { - "type": "long" - }, - "publication_time": { - "type": "date" - }, - "reachability": { - "ignore_above": 1024, - "type": "keyword" - }, - "semver": { - "type": "flattened" - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "unique_severities_list": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - } -} From f9a50d33c3dc3789d052ddfae7e534dc23309e2f Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 8 Feb 2022 13:17:23 +0000 Subject: [PATCH 5/5] Add new templates --- .../component/ecs/elasticsearch.json | 25 + .../templates/component/ecs/kibana.json | 75 + .../templates/component/ecs/logstash.json | 99 + .../templates/component/ecs/netflow.json | 1423 ++++++++++ .../templates/component/ecs/suricata.json | 850 ++++++ .../templates/component/ecs/zeek.json | 2279 +++++++++++++++++ 6 files changed, 4751 insertions(+) create mode 100644 salt/elasticsearch/templates/component/ecs/elasticsearch.json create mode 100644 salt/elasticsearch/templates/component/ecs/kibana.json create mode 100644 salt/elasticsearch/templates/component/ecs/logstash.json create mode 100644 salt/elasticsearch/templates/component/ecs/netflow.json create mode 100644 salt/elasticsearch/templates/component/ecs/suricata.json create mode 100644 salt/elasticsearch/templates/component/ecs/zeek.json diff --git a/salt/elasticsearch/templates/component/ecs/elasticsearch.json b/salt/elasticsearch/templates/component/ecs/elasticsearch.json new file mode 100644 index 000000000..f409ed95a --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/elasticsearch.json @@ -0,0 +1,25 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "@timestamp": { + "type": "date" + }, + "labels": { + "type": "object" + }, + "message": { + "type": "match_only_text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/kibana.json b/salt/elasticsearch/templates/component/ecs/kibana.json new file mode 100644 index 000000000..d1ea67de7 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/kibana.json @@ -0,0 +1,75 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "kibana": { + "properties": { + "add_to_spaces": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delete_from_spaces": { + "ignore_above": 1024, + "type": "keyword" + }, + "log": { + "properties": { + "meta": { + "type": "object" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "lookup_realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "saved_object": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "space_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/logstash.json b/salt/elasticsearch/templates/component/ecs/logstash.json new file mode 100644 index 000000000..ecfb17551 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/logstash.json @@ -0,0 +1,99 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "logstash": { + "properties": { + "log": { + "properties": { + "log_event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "pipeline_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + "event": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_params": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_params_object": { + "type": "object" + }, + "plugin_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "took_in_millis": { + "type": "long" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/netflow.json b/salt/elasticsearch/templates/component/ecs/netflow.json new file mode 100644 index 000000000..10f34c3d4 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/netflow.json @@ -0,0 +1,1423 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "netflow": { + "properties": { + "absolute_error": { + "type": "double" + }, + "address_pool_high_threshold": { + "type": "long" + }, + "address_pool_low_threshold": { + "type": "long" + }, + "address_port_mapping_high_threshold": { + "type": "long" + }, + "address_port_mapping_low_threshold": { + "type": "long" + }, + "address_port_mapping_per_user_high_threshold": { + "type": "long" + }, + "anonymization_flags": { + "type": "long" + }, + "anonymization_technique": { + "type": "long" + }, + "application_category_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_group_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_id": { + "type": "short" + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_sub_category_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "bgp_destination_as_number": { + "type": "long" + }, + "bgp_next_adjacent_as_number": { + "type": "long" + }, + "bgp_next_hop_ipv4_address": { + "type": "ip" + }, + "bgp_next_hop_ipv6_address": { + "type": "ip" + }, + "bgp_prev_adjacent_as_number": { + "type": "long" + }, + "bgp_source_as_number": { + "type": "long" + }, + "bgp_validity_state": { + "type": "short" + }, + "biflow_direction": { + "type": "short" + }, + "class_id": { + "type": "long" + }, + "class_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification_engine_id": { + "type": "short" + }, + "collection_time_milliseconds": { + "type": "date" + }, + "collector_certificate": { + "type": "short" + }, + "collector_ipv4_address": { + "type": "ip" + }, + "collector_ipv6_address": { + "type": "ip" + }, + "collector_transport_port": { + "type": "long" + }, + "common_properties_id": { + "type": "long" + }, + "confidence_level": { + "type": "double" + }, + "connection_sum_duration_seconds": { + "type": "long" + }, + "connection_transaction_id": { + "type": "long" + }, + "data_link_frame_section": { + "type": "short" + }, + "data_link_frame_size": { + "type": "long" + }, + "data_link_frame_type": { + "type": "long" + }, + "data_records_reliability": { + "type": "boolean" + }, + "delta_flow_count": { + "type": "long" + }, + "destination_ipv4_address": { + "type": "ip" + }, + "destination_ipv4_prefix": { + "type": "ip" + }, + "destination_ipv4_prefix_length": { + "type": "short" + }, + "destination_ipv6_address": { + "type": "ip" + }, + "destination_ipv6_prefix": { + "type": "ip" + }, + "destination_ipv6_prefix_length": { + "type": "short" + }, + "destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_transport_port": { + "type": "long" + }, + "digest_hash_value": { + "type": "long" + }, + "distinct_count_of_destination_ip_address": { + "type": "long" + }, + "distinct_count_of_destination_ipv4_address": { + "type": "long" + }, + "distinct_count_of_destination_ipv6_address": { + "type": "long" + }, + "distinct_count_of_source_ip_address": { + "type": "long" + }, + "distinct_count_of_source_ipv4_address": { + "type": "long" + }, + "distinct_count_of_source_ipv6_address": { + "type": "long" + }, + "dot1q_customer_dei": { + "type": "boolean" + }, + "dot1q_customer_destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "dot1q_customer_priority": { + "type": "short" + }, + "dot1q_customer_source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "dot1q_customer_vlan_id": { + "type": "long" + }, + "dot1q_dei": { + "type": "boolean" + }, + "dot1q_priority": { + "type": "short" + }, + "dot1q_service_instance_id": { + "type": "long" + }, + "dot1q_service_instance_priority": { + "type": "short" + }, + "dot1q_service_instance_tag": { + "type": "short" + }, + "dot1q_vlan_id": { + "type": "long" + }, + "dropped_layer2_octet_delta_count": { + "type": "long" + }, + "dropped_layer2_octet_total_count": { + "type": "long" + }, + "dropped_octet_delta_count": { + "type": "long" + }, + "dropped_octet_total_count": { + "type": "long" + }, + "dropped_packet_delta_count": { + "type": "long" + }, + "dropped_packet_total_count": { + "type": "long" + }, + "dst_traffic_index": { + "type": "long" + }, + "egress_broadcast_packet_total_count": { + "type": "long" + }, + "egress_interface": { + "type": "long" + }, + "egress_interface_type": { + "type": "long" + }, + "egress_physical_interface": { + "type": "long" + }, + "egress_unicast_packet_total_count": { + "type": "long" + }, + "egress_vrfid": { + "type": "long" + }, + "encrypted_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "engine_id": { + "type": "short" + }, + "engine_type": { + "type": "short" + }, + "ethernet_header_length": { + "type": "short" + }, + "ethernet_payload_length": { + "type": "long" + }, + "ethernet_total_length": { + "type": "long" + }, + "ethernet_type": { + "type": "long" + }, + "export_interface": { + "type": "long" + }, + "export_protocol_version": { + "type": "short" + }, + "export_sctp_stream_id": { + "type": "long" + }, + "export_transport_protocol": { + "type": "short" + }, + "exported_flow_record_total_count": { + "type": "long" + }, + "exported_message_total_count": { + "type": "long" + }, + "exported_octet_total_count": { + "type": "long" + }, + "exporter": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_id": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "uptime_millis": { + "type": "long" + }, + "version": { + "type": "long" + } + } + }, + "exporter_certificate": { + "type": "short" + }, + "exporter_ipv4_address": { + "type": "ip" + }, + "exporter_ipv6_address": { + "type": "ip" + }, + "exporter_transport_port": { + "type": "long" + }, + "exporting_process_id": { + "type": "long" + }, + "external_address_realm": { + "type": "short" + }, + "firewall_event": { + "type": "short" + }, + "flags_and_sampler_id": { + "type": "long" + }, + "flow_active_timeout": { + "type": "long" + }, + "flow_direction": { + "type": "short" + }, + "flow_duration_microseconds": { + "type": "long" + }, + "flow_duration_milliseconds": { + "type": "long" + }, + "flow_end_delta_microseconds": { + "type": "long" + }, + "flow_end_microseconds": { + "type": "date" + }, + "flow_end_milliseconds": { + "type": "date" + }, + "flow_end_nanoseconds": { + "type": "date" + }, + "flow_end_reason": { + "type": "short" + }, + "flow_end_seconds": { + "type": "date" + }, + "flow_end_sys_up_time": { + "type": "long" + }, + "flow_id": { + "type": "long" + }, + "flow_idle_timeout": { + "type": "long" + }, + "flow_key_indicator": { + "type": "long" + }, + "flow_label_ipv6": { + "type": "long" + }, + "flow_sampling_time_interval": { + "type": "long" + }, + "flow_sampling_time_spacing": { + "type": "long" + }, + "flow_selected_flow_delta_count": { + "type": "long" + }, + "flow_selected_octet_delta_count": { + "type": "long" + }, + "flow_selected_packet_delta_count": { + "type": "long" + }, + "flow_selector_algorithm": { + "type": "long" + }, + "flow_start_delta_microseconds": { + "type": "long" + }, + "flow_start_microseconds": { + "type": "date" + }, + "flow_start_milliseconds": { + "type": "date" + }, + "flow_start_nanoseconds": { + "type": "date" + }, + "flow_start_seconds": { + "type": "date" + }, + "flow_start_sys_up_time": { + "type": "long" + }, + "forwarding_status": { + "type": "short" + }, + "fragment_flags": { + "type": "short" + }, + "fragment_identification": { + "type": "long" + }, + "fragment_offset": { + "type": "long" + }, + "global_address_mapping_high_threshold": { + "type": "long" + }, + "gre_key": { + "type": "long" + }, + "hash_digest_output": { + "type": "boolean" + }, + "hash_flow_domain": { + "type": "long" + }, + "hash_initialiser_value": { + "type": "long" + }, + "hash_ip_payload_offset": { + "type": "long" + }, + "hash_ip_payload_size": { + "type": "long" + }, + "hash_output_range_max": { + "type": "long" + }, + "hash_output_range_min": { + "type": "long" + }, + "hash_selected_range_max": { + "type": "long" + }, + "hash_selected_range_min": { + "type": "long" + }, + "http_content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_message_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_reason_phrase": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_target": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_status_code": { + "type": "long" + }, + "http_user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code_ipv4": { + "type": "short" + }, + "icmp_code_ipv6": { + "type": "short" + }, + "icmp_type_code_ipv4": { + "type": "long" + }, + "icmp_type_code_ipv6": { + "type": "long" + }, + "icmp_type_ipv4": { + "type": "short" + }, + "icmp_type_ipv6": { + "type": "short" + }, + "igmp_type": { + "type": "short" + }, + "ignored_data_record_total_count": { + "type": "long" + }, + "ignored_layer2_frame_total_count": { + "type": "long" + }, + "ignored_layer2_octet_total_count": { + "type": "long" + }, + "ignored_octet_total_count": { + "type": "long" + }, + "ignored_packet_total_count": { + "type": "long" + }, + "information_element_data_type": { + "type": "short" + }, + "information_element_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "information_element_id": { + "type": "long" + }, + "information_element_index": { + "type": "long" + }, + "information_element_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "information_element_range_begin": { + "type": "long" + }, + "information_element_range_end": { + "type": "long" + }, + "information_element_semantics": { + "type": "short" + }, + "information_element_units": { + "type": "long" + }, + "ingress_broadcast_packet_total_count": { + "type": "long" + }, + "ingress_interface": { + "type": "long" + }, + "ingress_interface_type": { + "type": "long" + }, + "ingress_multicast_packet_total_count": { + "type": "long" + }, + "ingress_physical_interface": { + "type": "long" + }, + "ingress_unicast_packet_total_count": { + "type": "long" + }, + "ingress_vrfid": { + "type": "long" + }, + "initiator_octets": { + "type": "long" + }, + "initiator_packets": { + "type": "long" + }, + "interface_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "intermediate_process_id": { + "type": "long" + }, + "internal_address_realm": { + "type": "short" + }, + "ip_class_of_service": { + "type": "short" + }, + "ip_diff_serv_code_point": { + "type": "short" + }, + "ip_header_length": { + "type": "short" + }, + "ip_header_packet_section": { + "type": "short" + }, + "ip_next_hop_ipv4_address": { + "type": "ip" + }, + "ip_next_hop_ipv6_address": { + "type": "ip" + }, + "ip_payload_length": { + "type": "long" + }, + "ip_payload_packet_section": { + "type": "short" + }, + "ip_precedence": { + "type": "short" + }, + "ip_sec_spi": { + "type": "long" + }, + "ip_total_length": { + "type": "long" + }, + "ip_ttl": { + "type": "short" + }, + "ip_version": { + "type": "short" + }, + "ipv4_ihl": { + "type": "short" + }, + "ipv4_options": { + "type": "long" + }, + "ipv4_router_sc": { + "type": "ip" + }, + "ipv6_extension_headers": { + "type": "long" + }, + "is_multicast": { + "type": "short" + }, + "layer2_frame_delta_count": { + "type": "long" + }, + "layer2_frame_total_count": { + "type": "long" + }, + "layer2_octet_delta_count": { + "type": "long" + }, + "layer2_octet_delta_sum_of_squares": { + "type": "long" + }, + "layer2_octet_total_count": { + "type": "long" + }, + "layer2_octet_total_sum_of_squares": { + "type": "long" + }, + "layer2_segment_id": { + "type": "long" + }, + "layer2packet_section_data": { + "type": "short" + }, + "layer2packet_section_offset": { + "type": "long" + }, + "layer2packet_section_size": { + "type": "long" + }, + "line_card_id": { + "type": "long" + }, + "lower_ci_limit": { + "type": "double" + }, + "max_bib_entries": { + "type": "long" + }, + "max_entries_per_user": { + "type": "long" + }, + "max_export_seconds": { + "type": "date" + }, + "max_flow_end_microseconds": { + "type": "date" + }, + "max_flow_end_milliseconds": { + "type": "date" + }, + "max_flow_end_nanoseconds": { + "type": "date" + }, + "max_flow_end_seconds": { + "type": "date" + }, + "max_fragments_pending_reassembly": { + "type": "long" + }, + "max_session_entries": { + "type": "long" + }, + "max_subscribers": { + "type": "long" + }, + "maximum_ip_total_length": { + "type": "long" + }, + "maximum_layer2_total_length": { + "type": "long" + }, + "maximum_ttl": { + "type": "short" + }, + "message_md5_checksum": { + "type": "short" + }, + "message_scope": { + "type": "short" + }, + "metering_process_id": { + "type": "long" + }, + "metro_evc_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "metro_evc_type": { + "type": "short" + }, + "mib_capture_time_semantics": { + "type": "short" + }, + "mib_context_engine_id": { + "type": "short" + }, + "mib_context_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_index_indicator": { + "type": "long" + }, + "mib_module_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_identifier": { + "type": "short" + }, + "mib_object_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_syntax": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_value_bits": { + "type": "short" + }, + "mib_object_value_counter": { + "type": "long" + }, + "mib_object_value_gauge": { + "type": "long" + }, + "mib_object_value_integer": { + "type": "long" + }, + "mib_object_value_ip_address": { + "type": "ip" + }, + "mib_object_value_octet_string": { + "type": "short" + }, + "mib_object_value_oid": { + "type": "short" + }, + "mib_object_value_time_ticks": { + "type": "long" + }, + "mib_object_value_unsigned": { + "type": "long" + }, + "mib_sub_identifier": { + "type": "long" + }, + "min_export_seconds": { + "type": "date" + }, + "min_flow_start_microseconds": { + "type": "date" + }, + "min_flow_start_milliseconds": { + "type": "date" + }, + "min_flow_start_nanoseconds": { + "type": "date" + }, + "min_flow_start_seconds": { + "type": "date" + }, + "minimum_ip_total_length": { + "type": "long" + }, + "minimum_layer2_total_length": { + "type": "long" + }, + "minimum_ttl": { + "type": "short" + }, + "mobile_imsi": { + "ignore_above": 1024, + "type": "keyword" + }, + "mobile_msisdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitoring_interval_end_milli_seconds": { + "type": "date" + }, + "monitoring_interval_start_milli_seconds": { + "type": "date" + }, + "mpls_label_stack_depth": { + "type": "long" + }, + "mpls_label_stack_length": { + "type": "long" + }, + "mpls_label_stack_section": { + "type": "short" + }, + "mpls_label_stack_section10": { + "type": "short" + }, + "mpls_label_stack_section2": { + "type": "short" + }, + "mpls_label_stack_section3": { + "type": "short" + }, + "mpls_label_stack_section4": { + "type": "short" + }, + "mpls_label_stack_section5": { + "type": "short" + }, + "mpls_label_stack_section6": { + "type": "short" + }, + "mpls_label_stack_section7": { + "type": "short" + }, + "mpls_label_stack_section8": { + "type": "short" + }, + "mpls_label_stack_section9": { + "type": "short" + }, + "mpls_payload_length": { + "type": "long" + }, + "mpls_payload_packet_section": { + "type": "short" + }, + "mpls_top_label_exp": { + "type": "short" + }, + "mpls_top_label_ipv4_address": { + "type": "ip" + }, + "mpls_top_label_ipv6_address": { + "type": "ip" + }, + "mpls_top_label_prefix_length": { + "type": "short" + }, + "mpls_top_label_stack_section": { + "type": "short" + }, + "mpls_top_label_ttl": { + "type": "short" + }, + "mpls_top_label_type": { + "type": "short" + }, + "mpls_vpn_route_distinguisher": { + "type": "short" + }, + "multicast_replication_factor": { + "type": "long" + }, + "nat_event": { + "type": "short" + }, + "nat_instance_id": { + "type": "long" + }, + "nat_originating_address_realm": { + "type": "short" + }, + "nat_pool_id": { + "type": "long" + }, + "nat_pool_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_quota_exceeded_event": { + "type": "long" + }, + "nat_threshold_event": { + "type": "long" + }, + "nat_type": { + "type": "short" + }, + "new_connection_delta_count": { + "type": "long" + }, + "next_header_ipv6": { + "type": "short" + }, + "not_sent_flow_total_count": { + "type": "long" + }, + "not_sent_layer2_octet_total_count": { + "type": "long" + }, + "not_sent_octet_total_count": { + "type": "long" + }, + "not_sent_packet_total_count": { + "type": "long" + }, + "observation_domain_id": { + "type": "long" + }, + "observation_domain_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observation_point_id": { + "type": "long" + }, + "observation_point_type": { + "type": "short" + }, + "observation_time_microseconds": { + "type": "date" + }, + "observation_time_milliseconds": { + "type": "date" + }, + "observation_time_nanoseconds": { + "type": "date" + }, + "observation_time_seconds": { + "type": "date" + }, + "observed_flow_total_count": { + "type": "long" + }, + "octet_delta_count": { + "type": "long" + }, + "octet_delta_sum_of_squares": { + "type": "long" + }, + "octet_total_count": { + "type": "long" + }, + "octet_total_sum_of_squares": { + "type": "long" + }, + "opaque_octets": { + "type": "short" + }, + "original_exporter_ipv4_address": { + "type": "ip" + }, + "original_exporter_ipv6_address": { + "type": "ip" + }, + "original_flows_completed": { + "type": "long" + }, + "original_flows_initiated": { + "type": "long" + }, + "original_flows_present": { + "type": "long" + }, + "original_observation_domain_id": { + "type": "long" + }, + "p2p_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_delta_count": { + "type": "long" + }, + "packet_total_count": { + "type": "long" + }, + "padding_octets": { + "type": "short" + }, + "payload_length_ipv6": { + "type": "long" + }, + "port_id": { + "type": "long" + }, + "port_range_end": { + "type": "long" + }, + "port_range_num_ports": { + "type": "long" + }, + "port_range_start": { + "type": "long" + }, + "port_range_step_size": { + "type": "long" + }, + "post_destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "post_dot1q_customer_vlan_id": { + "type": "long" + }, + "post_dot1q_vlan_id": { + "type": "long" + }, + "post_ip_class_of_service": { + "type": "short" + }, + "post_ip_diff_serv_code_point": { + "type": "short" + }, + "post_ip_precedence": { + "type": "short" + }, + "post_layer2_octet_delta_count": { + "type": "long" + }, + "post_layer2_octet_total_count": { + "type": "long" + }, + "post_mcast_layer2_octet_delta_count": { + "type": "long" + }, + "post_mcast_layer2_octet_total_count": { + "type": "long" + }, + "post_mcast_octet_delta_count": { + "type": "long" + }, + "post_mcast_octet_total_count": { + "type": "long" + }, + "post_mcast_packet_delta_count": { + "type": "long" + }, + "post_mcast_packet_total_count": { + "type": "long" + }, + "post_mpls_top_label_exp": { + "type": "short" + }, + "post_napt_destination_transport_port": { + "type": "long" + }, + "post_napt_source_transport_port": { + "type": "long" + }, + "post_nat_destination_ipv4_address": { + "type": "ip" + }, + "post_nat_destination_ipv6_address": { + "type": "ip" + }, + "post_nat_source_ipv4_address": { + "type": "ip" + }, + "post_nat_source_ipv6_address": { + "type": "ip" + }, + "post_octet_delta_count": { + "type": "long" + }, + "post_octet_total_count": { + "type": "long" + }, + "post_packet_delta_count": { + "type": "long" + }, + "post_packet_total_count": { + "type": "long" + }, + "post_source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "post_vlan_id": { + "type": "long" + }, + "private_enterprise_number": { + "type": "long" + }, + "protocol_identifier": { + "type": "short" + }, + "pseudo_wire_control_word": { + "type": "long" + }, + "pseudo_wire_destination_ipv4_address": { + "type": "ip" + }, + "pseudo_wire_id": { + "type": "long" + }, + "pseudo_wire_type": { + "type": "long" + }, + "relative_error": { + "type": "double" + }, + "responder_octets": { + "type": "long" + }, + "responder_packets": { + "type": "long" + }, + "rfc3550_jitter_microseconds": { + "type": "long" + }, + "rfc3550_jitter_milliseconds": { + "type": "long" + }, + "rfc3550_jitter_nanoseconds": { + "type": "long" + }, + "rtp_sequence_number": { + "type": "long" + }, + "sampler_id": { + "type": "short" + }, + "sampler_mode": { + "type": "short" + }, + "sampler_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sampler_random_interval": { + "type": "long" + }, + "sampling_algorithm": { + "type": "short" + }, + "sampling_flow_interval": { + "type": "long" + }, + "sampling_flow_spacing": { + "type": "long" + }, + "sampling_interval": { + "type": "long" + }, + "sampling_packet_interval": { + "type": "long" + }, + "sampling_packet_space": { + "type": "long" + }, + "sampling_population": { + "type": "long" + }, + "sampling_probability": { + "type": "double" + }, + "sampling_size": { + "type": "long" + }, + "sampling_time_interval": { + "type": "long" + }, + "sampling_time_space": { + "type": "long" + }, + "section_exported_octets": { + "type": "long" + }, + "section_offset": { + "type": "long" + }, + "selection_sequence_id": { + "type": "long" + }, + "selector_algorithm": { + "type": "long" + }, + "selector_id": { + "type": "long" + }, + "selector_id_total_flows_observed": { + "type": "long" + }, + "selector_id_total_flows_selected": { + "type": "long" + }, + "selector_id_total_pkts_observed": { + "type": "long" + }, + "selector_id_total_pkts_selected": { + "type": "long" + }, + "selector_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_scope": { + "type": "short" + }, + "source_ipv4_address": { + "type": "ip" + }, + "source_ipv4_prefix": { + "type": "ip" + }, + "source_ipv4_prefix_length": { + "type": "short" + }, + "source_ipv6_address": { + "type": "ip" + }, + "source_ipv6_prefix": { + "type": "ip" + }, + "source_ipv6_prefix_length": { + "type": "short" + }, + "source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_transport_port": { + "type": "long" + }, + "source_transport_ports_limit": { + "type": "long" + }, + "src_traffic_index": { + "type": "long" + }, + "sta_ipv4_address": { + "type": "ip" + }, + "sta_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "system_init_time_milliseconds": { + "type": "date" + }, + "tcp_ack_total_count": { + "type": "long" + }, + "tcp_acknowledgement_number": { + "type": "long" + }, + "tcp_control_bits": { + "type": "long" + }, + "tcp_destination_port": { + "type": "long" + }, + "tcp_fin_total_count": { + "type": "long" + }, + "tcp_header_length": { + "type": "short" + }, + "tcp_options": { + "type": "long" + }, + "tcp_psh_total_count": { + "type": "long" + }, + "tcp_rst_total_count": { + "type": "long" + }, + "tcp_sequence_number": { + "type": "long" + }, + "tcp_source_port": { + "type": "long" + }, + "tcp_syn_total_count": { + "type": "long" + }, + "tcp_urg_total_count": { + "type": "long" + }, + "tcp_urgent_pointer": { + "type": "long" + }, + "tcp_window_scale": { + "type": "long" + }, + "tcp_window_size": { + "type": "long" + }, + "template_id": { + "type": "long" + }, + "total_length_ipv4": { + "type": "long" + }, + "transport_octet_delta_count": { + "type": "long" + }, + "transport_packet_delta_count": { + "type": "long" + }, + "tunnel_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "udp_destination_port": { + "type": "long" + }, + "udp_message_length": { + "type": "long" + }, + "udp_source_port": { + "type": "long" + }, + "upper_ci_limit": { + "type": "double" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "value_distribution_method": { + "type": "short" + }, + "virtual_station_interface_id": { + "type": "short" + }, + "virtual_station_interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_station_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_station_uuid": { + "type": "short" + }, + "vlan_id": { + "type": "long" + }, + "vpn_identifier": { + "type": "short" + }, + "vr_fname": { + "ignore_above": 1024, + "type": "keyword" + }, + "wlan_channel_id": { + "type": "short" + }, + "wlan_ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "wtp_mac_address": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/suricata.json b/salt/elasticsearch/templates/component/ecs/suricata.json new file mode 100644 index 000000000..d824294e9 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/suricata.json @@ -0,0 +1,850 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "suricata": { + "properties": { + "eve": { + "properties": { + "alert": { + "properties": { + "affected_product": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack_target": { + "ignore_above": 1024, + "type": "keyword" + }, + "capec_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + "cve": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v2_base": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v2_temporal": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v3_base": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v3_temporal": { + "ignore_above": 1024, + "type": "keyword" + }, + "cwe_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "deployment": { + "ignore_above": 1024, + "type": "keyword" + }, + "former_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "type": "long" + }, + "hostile": { + "ignore_above": 1024, + "type": "keyword" + }, + "infected": { + "ignore_above": 1024, + "type": "keyword" + }, + "malware": { + "ignore_above": 1024, + "type": "keyword" + }, + "metadata": { + "type": "flattened" + }, + "mitre_tool_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "performance_impact": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocols": { + "ignore_above": 1024, + "type": "keyword" + }, + "rev": { + "type": "long" + }, + "rule_source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sid": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_id": { + "type": "long" + }, + "signature_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "updated_at": { + "type": "date" + } + } + }, + "app_proto_expected": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_orig": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_tc": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_ts": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns": { + "properties": { + "id": { + "type": "long" + }, + "rcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "rrname": { + "ignore_above": 1024, + "type": "keyword" + }, + "rrtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "tx_id": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileinfo": { + "properties": { + "gaps": { + "type": "boolean" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "stored": { + "type": "boolean" + }, + "tx_id": { + "type": "long" + } + } + }, + "flow": { + "properties": { + "age": { + "type": "long" + }, + "alerted": { + "type": "boolean" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flow_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "http": { + "properties": { + "http_content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "redirect": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "icmp_code": { + "type": "long" + }, + "icmp_type": { + "type": "long" + }, + "in_iface": { + "ignore_above": 1024, + "type": "keyword" + }, + "pcap_cnt": { + "type": "long" + }, + "smtp": { + "properties": { + "helo": { + "ignore_above": 1024, + "type": "keyword" + }, + "mail_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcpt_to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ssh": { + "properties": { + "client": { + "properties": { + "proto_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "proto_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "stats": { + "properties": { + "app_layer": { + "properties": { + "flow": { + "properties": { + "dcerpc_tcp": { + "type": "long" + }, + "dcerpc_udp": { + "type": "long" + }, + "dns_tcp": { + "type": "long" + }, + "dns_udp": { + "type": "long" + }, + "failed_tcp": { + "type": "long" + }, + "failed_udp": { + "type": "long" + }, + "ftp": { + "type": "long" + }, + "http": { + "type": "long" + }, + "imap": { + "type": "long" + }, + "msn": { + "type": "long" + }, + "smb": { + "type": "long" + }, + "smtp": { + "type": "long" + }, + "ssh": { + "type": "long" + }, + "tls": { + "type": "long" + } + } + }, + "tx": { + "properties": { + "dcerpc_tcp": { + "type": "long" + }, + "dcerpc_udp": { + "type": "long" + }, + "dns_tcp": { + "type": "long" + }, + "dns_udp": { + "type": "long" + }, + "ftp": { + "type": "long" + }, + "http": { + "type": "long" + }, + "smb": { + "type": "long" + }, + "smtp": { + "type": "long" + }, + "ssh": { + "type": "long" + }, + "tls": { + "type": "long" + } + } + } + } + }, + "capture": { + "properties": { + "kernel_drops": { + "type": "long" + }, + "kernel_ifdrops": { + "type": "long" + }, + "kernel_packets": { + "type": "long" + } + } + }, + "decoder": { + "properties": { + "avg_pkt_size": { + "type": "long" + }, + "bytes": { + "type": "long" + }, + "dce": { + "properties": { + "pkt_too_small": { + "type": "long" + } + } + }, + "erspan": { + "type": "long" + }, + "ethernet": { + "type": "long" + }, + "gre": { + "type": "long" + }, + "icmpv4": { + "type": "long" + }, + "icmpv6": { + "type": "long" + }, + "ieee8021ah": { + "type": "long" + }, + "invalid": { + "type": "long" + }, + "ipraw": { + "properties": { + "invalid_ip_version": { + "type": "long" + } + } + }, + "ipv4": { + "type": "long" + }, + "ipv4_in_ipv6": { + "type": "long" + }, + "ipv6": { + "type": "long" + }, + "ipv6_in_ipv6": { + "type": "long" + }, + "ltnull": { + "properties": { + "pkt_too_small": { + "type": "long" + }, + "unsupported_type": { + "type": "long" + } + } + }, + "max_pkt_size": { + "type": "long" + }, + "mpls": { + "type": "long" + }, + "null": { + "type": "long" + }, + "pkts": { + "type": "long" + }, + "ppp": { + "type": "long" + }, + "pppoe": { + "type": "long" + }, + "raw": { + "type": "long" + }, + "sctp": { + "type": "long" + }, + "sll": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "teredo": { + "type": "long" + }, + "udp": { + "type": "long" + }, + "vlan": { + "type": "long" + }, + "vlan_qinq": { + "type": "long" + } + } + }, + "defrag": { + "properties": { + "ipv4": { + "properties": { + "fragments": { + "type": "long" + }, + "reassembled": { + "type": "long" + }, + "timeouts": { + "type": "long" + } + } + }, + "ipv6": { + "properties": { + "fragments": { + "type": "long" + }, + "reassembled": { + "type": "long" + }, + "timeouts": { + "type": "long" + } + } + }, + "max_frag_hits": { + "type": "long" + } + } + }, + "detect": { + "properties": { + "alert": { + "type": "long" + } + } + }, + "dns": { + "properties": { + "memcap_global": { + "type": "long" + }, + "memcap_state": { + "type": "long" + }, + "memuse": { + "type": "long" + } + } + }, + "file_store": { + "properties": { + "open_files": { + "type": "long" + } + } + }, + "flow": { + "properties": { + "emerg_mode_entered": { + "type": "long" + }, + "emerg_mode_over": { + "type": "long" + }, + "icmpv4": { + "type": "long" + }, + "icmpv6": { + "type": "long" + }, + "memcap": { + "type": "long" + }, + "memuse": { + "type": "long" + }, + "spare": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "tcp_reuse": { + "type": "long" + }, + "udp": { + "type": "long" + } + } + }, + "flow_mgr": { + "properties": { + "bypassed_pruned": { + "type": "long" + }, + "closed_pruned": { + "type": "long" + }, + "est_pruned": { + "type": "long" + }, + "flows_checked": { + "type": "long" + }, + "flows_notimeout": { + "type": "long" + }, + "flows_removed": { + "type": "long" + }, + "flows_timeout": { + "type": "long" + }, + "flows_timeout_inuse": { + "type": "long" + }, + "new_pruned": { + "type": "long" + }, + "rows_busy": { + "type": "long" + }, + "rows_checked": { + "type": "long" + }, + "rows_empty": { + "type": "long" + }, + "rows_maxlen": { + "type": "long" + }, + "rows_skipped": { + "type": "long" + } + } + }, + "http": { + "properties": { + "memcap": { + "type": "long" + }, + "memuse": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "insert_data_normal_fail": { + "type": "long" + }, + "insert_data_overlap_fail": { + "type": "long" + }, + "insert_list_fail": { + "type": "long" + }, + "invalid_checksum": { + "type": "long" + }, + "memuse": { + "type": "long" + }, + "no_flow": { + "type": "long" + }, + "overlap": { + "type": "long" + }, + "overlap_diff_data": { + "type": "long" + }, + "pseudo": { + "type": "long" + }, + "pseudo_failed": { + "type": "long" + }, + "reassembly_gap": { + "type": "long" + }, + "reassembly_memuse": { + "type": "long" + }, + "rst": { + "type": "long" + }, + "segment_memcap_drop": { + "type": "long" + }, + "sessions": { + "type": "long" + }, + "ssn_memcap_drop": { + "type": "long" + }, + "stream_depth_reached": { + "type": "long" + }, + "syn": { + "type": "long" + }, + "synack": { + "type": "long" + } + } + }, + "uptime": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "ack": { + "type": "boolean" + }, + "fin": { + "type": "boolean" + }, + "psh": { + "type": "boolean" + }, + "rst": { + "type": "boolean" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "syn": { + "type": "boolean" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_tc": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_ts": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tls": { + "properties": { + "fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuerdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ja3s": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "notafter": { + "type": "date" + }, + "notbefore": { + "type": "date" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_resumed": { + "type": "boolean" + }, + "sni": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tx_id": { + "type": "long" + } + } + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/ecs/zeek.json b/salt/elasticsearch/templates/component/ecs/zeek.json new file mode 100644 index 000000000..720199001 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/zeek.json @@ -0,0 +1,2279 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "zeek": { + "properties": { + "capture_loss": { + "properties": { + "acks": { + "type": "long" + }, + "gaps": { + "type": "long" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "percent_lost": { + "type": "double" + }, + "ts_delta": { + "type": "long" + } + } + }, + "connection": { + "properties": { + "history": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp": { + "properties": { + "code": { + "type": "long" + }, + "type": { + "type": "long" + } + } + }, + "inner_vlan": { + "type": "long" + }, + "local_orig": { + "type": "boolean" + }, + "local_resp": { + "type": "boolean" + }, + "missed_bytes": { + "type": "long" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "type": "long" + } + } + }, + "dce_rpc": { + "properties": { + "endpoint": { + "ignore_above": 1024, + "type": "keyword" + }, + "named_pipe": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "rtt": { + "type": "long" + } + } + }, + "dhcp": { + "properties": { + "address": { + "properties": { + "assigned": { + "type": "ip" + }, + "client": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "requested": { + "type": "ip" + }, + "server": { + "type": "ip" + } + } + }, + "client_fqdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "double" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "properties": { + "circuit": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "subscriber": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "lease_time": { + "type": "long" + }, + "msg": { + "properties": { + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "type": "ip" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "types": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "software": { + "properties": { + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dnp3": { + "properties": { + "function": { + "properties": { + "reply": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + } + } + }, + "dns": { + "properties": { + "AA": { + "type": "boolean" + }, + "RA": { + "type": "boolean" + }, + "RD": { + "type": "boolean" + }, + "TC": { + "type": "boolean" + }, + "TTLs": { + "type": "double" + }, + "answers": { + "ignore_above": 1024, + "type": "keyword" + }, + "qclass": { + "type": "long" + }, + "qclass_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "qtype": { + "type": "long" + }, + "qtype_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcode": { + "type": "long" + }, + "rcode_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rejected": { + "type": "boolean" + }, + "rtt": { + "type": "double" + }, + "saw_query": { + "type": "boolean" + }, + "saw_reply": { + "type": "boolean" + }, + "total_answers": { + "type": "long" + }, + "total_replies": { + "type": "long" + }, + "trans_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dpd": { + "properties": { + "analyzer": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_segment": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "files": { + "properties": { + "analyzers": { + "ignore_above": 1024, + "type": "keyword" + }, + "depth": { + "type": "long" + }, + "duration": { + "type": "double" + }, + "entropy": { + "type": "double" + }, + "extracted": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_cutoff": { + "type": "boolean" + }, + "extracted_size": { + "type": "long" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_orig": { + "type": "boolean" + }, + "local_orig": { + "type": "boolean" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "missing_bytes": { + "type": "long" + }, + "overflow_bytes": { + "type": "long" + }, + "parent_fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "rx_host": { + "type": "ip" + }, + "seen_bytes": { + "type": "long" + }, + "session_ids": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "timedout": { + "type": "boolean" + }, + "total_bytes": { + "type": "long" + }, + "tx_host": { + "type": "ip" + } + } + }, + "ftp": { + "properties": { + "arg": { + "ignore_above": 1024, + "type": "keyword" + }, + "capture_password": { + "type": "boolean" + }, + "cmdarg": { + "properties": { + "arg": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "seq": { + "type": "long" + } + } + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "cwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "data_channel": { + "properties": { + "originating_host": { + "type": "ip" + }, + "passive": { + "type": "boolean" + }, + "response_host": { + "type": "ip" + }, + "response_port": { + "type": "long" + } + } + }, + "file": { + "properties": { + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + }, + "last_auth_requested": { + "ignore_above": 1024, + "type": "keyword" + }, + "passive": { + "type": "boolean" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "pending_commands": { + "type": "long" + }, + "reply": { + "properties": { + "code": { + "type": "long" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "http": { + "properties": { + "captured_password": { + "type": "boolean" + }, + "client_header_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "info_code": { + "type": "long" + }, + "info_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_filenames": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_mime_depth": { + "type": "long" + }, + "orig_mime_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxied": { + "ignore_above": 1024, + "type": "keyword" + }, + "range_request": { + "type": "boolean" + }, + "resp_filenames": { + "ignore_above": 1024, + "type": "keyword" + }, + "resp_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "resp_mime_depth": { + "type": "long" + }, + "resp_mime_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "server_header_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "trans_depth": { + "type": "long" + } + } + }, + "intel": { + "properties": { + "file_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "matched": { + "ignore_above": 1024, + "type": "keyword" + }, + "seen": { + "properties": { + "conn": { + "ignore_above": 1024, + "type": "keyword" + }, + "f": { + "type": "object" + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "where": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sources": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "irc": { + "properties": { + "addl": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "dcc": { + "properties": { + "file": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "nick": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kerberos": { + "properties": { + "cert": { + "properties": { + "client": { + "properties": { + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "properties": { + "code": { + "type": "long" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "forwardable": { + "type": "boolean" + }, + "renewable": { + "type": "boolean" + }, + "request_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "ignore_above": 1024, + "type": "keyword" + }, + "success": { + "type": "boolean" + }, + "ticket": { + "properties": { + "auth": { + "ignore_above": 1024, + "type": "keyword" + }, + "new": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "valid": { + "properties": { + "days": { + "type": "long" + }, + "from": { + "type": "date" + }, + "until": { + "type": "date" + } + } + } + } + }, + "modbus": { + "properties": { + "exception": { + "ignore_above": 1024, + "type": "keyword" + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + }, + "track_address": { + "type": "long" + } + } + }, + "mysql": { + "properties": { + "arg": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "response": { + "ignore_above": 1024, + "type": "keyword" + }, + "rows": { + "type": "long" + }, + "success": { + "type": "boolean" + } + } + }, + "notice": { + "properties": { + "actions": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped": { + "type": "boolean" + }, + "email_body_sections": { + "norms": false, + "type": "text" + }, + "email_delay_tokens": { + "ignore_above": 1024, + "type": "keyword" + }, + "false": { + "type": "long" + }, + "ffile": { + "properties": { + "total_bytes": { + "type": "long" + } + } + }, + "file": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_orig": { + "type": "boolean" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "missing_bytes": { + "type": "long" + }, + "overflow_bytes": { + "type": "long" + }, + "parent_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "seen_bytes": { + "type": "long" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "note": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_descr": { + "norms": false, + "type": "text" + }, + "peer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub": { + "ignore_above": 1024, + "type": "keyword" + }, + "suppress_for": { + "type": "double" + } + } + }, + "ntlm": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "properties": { + "name": { + "properties": { + "dns": { + "ignore_above": 1024, + "type": "keyword" + }, + "netbios": { + "ignore_above": 1024, + "type": "keyword" + }, + "tree": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "success": { + "type": "boolean" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ntp": { + "properties": { + "mode": { + "type": "long" + }, + "num_exts": { + "type": "long" + }, + "org_time": { + "type": "date" + }, + "poll": { + "type": "double" + }, + "precision": { + "type": "double" + }, + "rec_time": { + "type": "date" + }, + "ref_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ref_time": { + "type": "date" + }, + "root_delay": { + "type": "double" + }, + "root_disp": { + "type": "double" + }, + "stratum": { + "type": "long" + }, + "version": { + "type": "long" + }, + "xmt_time": { + "type": "date" + } + } + }, + "ocsp": { + "properties": { + "file_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "revoke": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "time": { + "type": "date" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "update": { + "properties": { + "next": { + "type": "date" + }, + "this": { + "type": "date" + } + } + } + } + }, + "pe": { + "properties": { + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "compile_time": { + "type": "date" + }, + "has_cert_table": { + "type": "boolean" + }, + "has_debug_data": { + "type": "boolean" + }, + "has_export_table": { + "type": "boolean" + }, + "has_import_table": { + "type": "boolean" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_64bit": { + "type": "boolean" + }, + "is_exe": { + "type": "boolean" + }, + "machine": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "ignore_above": 1024, + "type": "keyword" + }, + "section_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "subsystem": { + "ignore_above": 1024, + "type": "keyword" + }, + "uses_aslr": { + "type": "boolean" + }, + "uses_code_integrity": { + "type": "boolean" + }, + "uses_dep": { + "type": "boolean" + }, + "uses_seh": { + "type": "boolean" + } + } + }, + "radius": { + "properties": { + "connect_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "framed_addr": { + "type": "ip" + }, + "logged": { + "type": "boolean" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "reply_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rdp": { + "properties": { + "cert": { + "properties": { + "count": { + "type": "long" + }, + "permanent": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "desktop": { + "properties": { + "color_depth": { + "ignore_above": 1024, + "type": "keyword" + }, + "height": { + "type": "long" + }, + "width": { + "type": "long" + } + } + }, + "done": { + "type": "boolean" + }, + "encryption": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "keyboard_layout": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl": { + "type": "boolean" + } + } + }, + "rfb": { + "properties": { + "auth": { + "properties": { + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "success": { + "type": "boolean" + } + } + }, + "desktop_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "height": { + "type": "long" + }, + "share_flag": { + "type": "boolean" + }, + "version": { + "properties": { + "client": { + "properties": { + "major": { + "ignore_above": 1024, + "type": "keyword" + }, + "minor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "major": { + "ignore_above": 1024, + "type": "keyword" + }, + "minor": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "width": { + "type": "long" + } + } + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature": { + "properties": { + "event_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_count": { + "type": "long" + }, + "note": { + "ignore_above": 1024, + "type": "keyword" + }, + "sig_count": { + "type": "long" + }, + "sig_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sip": { + "properties": { + "call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "ignore_above": 1024, + "type": "keyword" + }, + "reply_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "properties": { + "body_length": { + "type": "long" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body_length": { + "type": "long" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sequence": { + "properties": { + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "status": { + "properties": { + "code": { + "type": "long" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_depth": { + "type": "long" + }, + "uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "warning": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smb_cmd": { + "properties": { + "argument": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "rx": { + "type": "ip" + }, + "tx": { + "type": "ip" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rtt": { + "type": "double" + }, + "smb1_offered_dialects": { + "ignore_above": 1024, + "type": "keyword" + }, + "smb2_offered_dialects": { + "type": "long" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_command": { + "ignore_above": 1024, + "type": "keyword" + }, + "tree": { + "ignore_above": 1024, + "type": "keyword" + }, + "tree_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smb_files": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "fid": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "previous_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "times": { + "properties": { + "accessed": { + "type": "date" + }, + "changed": { + "type": "date" + }, + "created": { + "type": "date" + }, + "modified": { + "type": "date" + } + } + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smb_mapping": { + "properties": { + "native_file_system": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "ignore_above": 1024, + "type": "keyword" + }, + "share_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smtp": { + "properties": { + "cc": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "type": "date" + }, + "first_received": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "has_client_activity": { + "type": "boolean" + }, + "helo": { + "ignore_above": 1024, + "type": "keyword" + }, + "in_reply_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_webmail": { + "type": "boolean" + }, + "last_reply": { + "ignore_above": 1024, + "type": "keyword" + }, + "mail_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "ip" + }, + "process_received_from": { + "type": "boolean" + }, + "rcpt_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "reply_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "second_received": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls": { + "type": "boolean" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_depth": { + "type": "long" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "x_originating_ip": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "snmp": { + "properties": { + "community": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_string": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "double" + }, + "get": { + "properties": { + "bulk_requests": { + "type": "long" + }, + "requests": { + "type": "long" + }, + "responses": { + "type": "long" + } + } + }, + "set": { + "properties": { + "requests": { + "type": "long" + } + } + }, + "up_since": { + "type": "date" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "socks": { + "properties": { + "bound": { + "properties": { + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + } + } + }, + "capture_password": { + "type": "boolean" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "properties": { + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + } + } + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + } + } + }, + "ssh": { + "properties": { + "algorithm": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "compression": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "key_exchange": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "auth": { + "properties": { + "attempts": { + "type": "long" + }, + "success": { + "type": "boolean" + } + } + }, + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + } + } + }, + "ssl": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "cert_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_chain_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "last_alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "cert_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_chain_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "validation": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "stats": { + "properties": { + "bytes": { + "properties": { + "received": { + "type": "long" + } + } + }, + "connections": { + "properties": { + "icmp": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "udp": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + } + } + }, + "dns_requests": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "events": { + "properties": { + "processed": { + "type": "long" + }, + "queued": { + "type": "long" + } + } + }, + "files": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "memory": { + "type": "long" + }, + "packets": { + "properties": { + "dropped": { + "type": "long" + }, + "processed": { + "type": "long" + }, + "received": { + "type": "long" + } + } + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "reassembly_size": { + "properties": { + "file": { + "type": "long" + }, + "frag": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "unknown": { + "type": "long" + } + } + }, + "timers": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "timestamp_lag": { + "type": "long" + } + } + }, + "syslog": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tunnel": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "weird": { + "properties": { + "additional_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "notice": { + "type": "boolean" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "basic_constraints": { + "properties": { + "certificate_authority": { + "type": "boolean" + }, + "path_length": { + "type": "long" + } + } + }, + "certificate": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "exponent": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "key": { + "properties": { + "algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "length": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "valid": { + "properties": { + "from": { + "type": "date" + }, + "until": { + "type": "date" + } + } + }, + "version": { + "type": "long" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_cert": { + "type": "boolean" + }, + "san": { + "properties": { + "dns": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "other_fields": { + "type": "boolean" + }, + "uri": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + } + } + } + } +}