From 69cb83cac95818898035a0d5e705c427e821b549 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 4 Feb 2022 17:08:26 +0000 Subject: [PATCH] Add winlog mappings --- .../templates/component/ecs/winlog.json | 603 ++++++++++++++++++ .../index/so/so-beats-template.json.jinja | 3 +- .../index/so/so-osquery-template.json.jinja | 3 +- .../index/so/so-ossec-template.json.jinja | 3 +- 4 files changed, 609 insertions(+), 3 deletions(-) create mode 100644 salt/elasticsearch/templates/component/ecs/winlog.json diff --git a/salt/elasticsearch/templates/component/ecs/winlog.json b/salt/elasticsearch/templates/component/ecs/winlog.json new file mode 100644 index 000000000..a724eefb1 --- /dev/null +++ b/salt/elasticsearch/templates/component/ecs/winlog.json @@ -0,0 +1,603 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "dynamic_templates": [ + { + "winlog.event_data": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "winlog.event_data.*" + } + }, + { + "winlog.user_data": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "winlog.user_data.*" + } + } + ], + "properties": { + "winlog": { + "properties": { + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_data": { + "properties": { + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "BitlockerUserInputTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "BootType": { + "ignore_above": 1024, + "type": "keyword" + }, + "BuildVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Company": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorruptionActionState": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "Description": { + "ignore_above": 1024, + "type": "keyword" + }, + "Detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMajor": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceVersionMinor": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriveName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DriverNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "DwordVal": { + "ignore_above": 1024, + "type": "keyword" + }, + "EntryCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExtraInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FailureNameLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "FinalStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "Group": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "IdleStateCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntegrityLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpPort": { + "ignore_above": 1024, + "type": "keyword" + }, + "KeyLength": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastBootGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "LastShutdownGood": { + "ignore_above": 1024, + "type": "keyword" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "MajorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "MaximumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberName": { + "ignore_above": 1024, + "type": "keyword" + }, + "MemberSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumPerformancePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinimumThrottlePercent": { + "ignore_above": 1024, + "type": "keyword" + }, + "MinorVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "NewTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "NominalFrequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "Number": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldSchemeGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "OldTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginalFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Path": { + "ignore_above": 1024, + "type": "keyword" + }, + "PerformanceImplementation": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousCreationUtcTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "PreviousTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "PrivilegeList": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPath": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessPid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Product": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaCount": { + "ignore_above": 1024, + "type": "keyword" + }, + "PuaPolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "QfeVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "SchemaVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "ScriptBlockText": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownActionType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownEventCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "ShutdownReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "SignatureStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "Signed": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "StopTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "TSId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetInfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetServerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "TerminalSessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TokenElevationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workstation": { + "ignore_above": 1024, + "type": "keyword" + }, + "param1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param2": { + "ignore_above": 1024, + "type": "keyword" + }, + "param3": { + "ignore_above": 1024, + "type": "keyword" + }, + "param4": { + "ignore_above": 1024, + "type": "keyword" + }, + "param5": { + "ignore_above": 1024, + "type": "keyword" + }, + "param6": { + "ignore_above": 1024, + "type": "keyword" + }, + "param7": { + "ignore_above": 1024, + "type": "keyword" + }, + "param8": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon": { + "properties": { + "failure": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "type": "long" + } + } + } + } + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "related_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_created": { + "type": "date" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_data": { + "type": "object" + }, + "version": { + "type": "long" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja index e8390bc13..acec9e771 100644 --- a/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-beats-template.json.jinja @@ -92,7 +92,8 @@ "dtc-user-mappings", "vulnerability-mappings", "common-settings", - "common-dynamic-mappings" + "common-dynamic-mappings", + "winlog-mappings" ], "priority": {{ PRIORITY }}, "_meta": { diff --git a/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja index e6e0aaf2d..b862db93f 100644 --- a/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-osquery-template.json.jinja @@ -92,7 +92,8 @@ "dtc-user-mappings", "vulnerability-mappings", "common-settings", - "common-dynamic-mappings" + "common-dynamic-mappings", + "winlog-mappings" ], "priority": {{ PRIORITY }}, "_meta": { diff --git a/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja index 8441e0684..a3272d88f 100644 --- a/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja +++ b/salt/elasticsearch/templates/index/so/so-ossec-template.json.jinja @@ -92,7 +92,8 @@ "dtc-user-mappings", "vulnerability-mappings", "common-settings", - "common-dynamic-mappings" + "common-dynamic-mappings", + "winlog-mappings" ], "priority": {{ PRIORITY }}, "_meta": {