From 85979cbce8a8acbc0fd18ed9646f5e0dc2e2a20c Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 3 Mar 2022 13:37:27 +0000
Subject: [PATCH] Add file, process, and winlog mapping changes
---
 .../component/so/dtc-client-mappings.json | 69 +++++++++++++++++
 .../component/so/dtc-file-mappings.json | 8 ++
 .../component/so/dtc-process-mappings.json | 16 ++++
 .../component/so/dtc-winlog-mappings.json | 77 +++++++++++++++++++
 4 files changed, 170 insertions(+)
 create mode 100644 salt/elasticsearch/templates/component/so/dtc-client-mappings.json
 create mode 100644 salt/elasticsearch/templates/component/so/dtc-winlog-mappings.json
diff --git a/salt/elasticsearch/templates/component/so/dtc-client-mappings.json b/salt/elasticsearch/templates/component/so/dtc-client-mappings.json
new file mode 100644
index 000000000..23399cc26
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/dtc-client-mappings.json
@@ -0,0 +1,69 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
+ "mappings": {
+ "properties": {
+ "client": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ },
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json
index c58ae77ab..e15990e98 100644
--- a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json
@@ -48,6 +48,14 @@
 "properties": {
 "file": {
 "properties": {
+ "accessed": {
+ "type": "date"
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
 "mime_type": {
 "ignore_above": 1024,
 "type": "keyword",
diff --git a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json
index a70df5c77..297720656 100644
--- a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json
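Review bot: The `keyword` multi-field under `client.address` duplicates the parent, which is already `"type": "keyword"` with `"ignore_above": 1024`, and the sub-field carries no `ignore_above` of its own, so an oversized value that the parent skips via `ignore_above` is still handed to the sub-field, which as far as I can tell will then trip Lucene's per-term length limit instead of being skipped. The winlog mapping added in this same commit keeps only the `security` sub-field, so the two new files disagree on the pattern. Either drop the `keyword` block or bound it the same way, `"keyword": { "type": "keyword", "ignore_above": 1024 }`. The `_meta.documentation` link is the full ECS client field set while only `client.address` is mapped here; a sentence in the commit message on why `client.ip`/`client.port` are left out would help the next reader.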
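Review bot: `"type": "date"` on the new `accessed` field is missing the trailing comma before `"fields": {`, so the file is no longer valid JSON and the component template will fail to load rather than add the field; change that line to `"type": "date",`. Beyond the syntax error, the mapping relies on Elasticsearch's default date format, and a `file.accessed` value that does not parse rejects the whole document rather than just the field, which for a log pipeline is a silent visibility gap — I can't tell from the hunk what format the producers emit, so consider an explicit `"format"` or `"ignore_malformed": true` if that is not guaranteed. The enclosing `file.properties` object starts and ends outside the hunk.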
@@ -59,6 +59,22 @@
 }
 },
 "type": "wildcard"
+ },
+ "pid": {
+ "type": "long",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "ppid": {
+ "type": "long",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
 }
 }
 }
diff --git a/salt/elasticsearch/templates/component/so/dtc-winlog-mappings.json b/salt/elasticsearch/templates/component/so/dtc-winlog-mappings.json
new file mode 100644
index 000000000..dbf4e169a
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/dtc-winlog-mappings.json
@@ -0,0 +1,77 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
+ "mappings": {
+ "properties": {
+ "winlog": {
+ "properties": {
+ "event_id": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
+ },
+ "record_id": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
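Review bot: `process.pid` and `process.ppid` are mapped as `long` with no `ignore_malformed`, so an event whose pid value cannot be parsed as a number is rejected outright rather than indexed with the field dropped, and for a detection pipeline a rejected event is a lost event; I can't tell from the hunk whether every producer feeding this template already emits plain decimal integers. If that is not guaranteed, add `"ignore_malformed": true` beside `"type": "long"` on both fields, or normalize the value in the ingest pipeline before it reaches the mapping. The enclosing `process.properties` object starts and ends outside the hunk.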
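Review bot: `_meta.documentation` points at the ECS base field set, but the `winlog.*` namespace comes from Winlogbeat rather than ECS, so the link sends a reader to a page that does not describe `event_id` or `record_id`; point it at the Winlogbeat exported-fields reference instead, or note in the commit message that this component intentionally covers a non-ECS namespace. The `settings.analysis` block is a verbatim copy of the one in the new client mapping in this same commit; component templates merge their settings so this works, but any later change to `es_security_analyzer` now has one more place to be kept in sync. Mapping `event_id` as `keyword` rather than a numeric type is the right call for exact-match and wildcard filters on Windows event IDs.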