CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7413 from Security-Onion-Solutions/fix/add_keyword_subfield

Browse Source 
Add .keyword subfield for more mappings
This commit is contained in:
weslambert
2022-03-03 10:42:38 -05:00
committed by GitHub
parent a21060306c 1f71816ad7
commit 93c2f82345
9 changed files with 450 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

99
salt/elasticsearch/defaults.yaml
View File

@@ -102,6 +102,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -136,6 +137,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -186,6 +188,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -220,6 +223,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -269,6 +273,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -303,6 +308,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -352,6 +358,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -386,6 +393,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -397,6 +405,7 @@ elasticsearch:
- common-settings
- common-dynamic-mappings
- winlog-mappings
- dtc-winlog-mappings
priority: 500
so-bluecoat:
warm: 7
@@ -436,6 +445,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -470,6 +480,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -546,6 +557,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -580,6 +592,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -627,6 +640,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -661,6 +675,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -708,6 +723,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -742,6 +758,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -791,6 +808,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -825,6 +843,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -873,6 +892,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -907,6 +927,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -953,6 +974,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -987,6 +1009,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -1033,6 +1056,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -1068,6 +1092,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -1114,6 +1139,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -1149,6 +1175,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -1196,6 +1223,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -1230,6 +1258,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -1276,6 +1305,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -1310,6 +1340,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -1356,6 +1387,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -1390,6 +1422,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -1436,6 +1469,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -1471,6 +1505,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -1517,6 +1552,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -1552,6 +1588,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -1598,6 +1635,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -1633,6 +1671,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -1680,6 +1719,7 @@ elasticsearch:
- client-mappings
- container-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -1712,6 +1752,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -1756,6 +1797,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -1790,6 +1832,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- suricata-mappings
- threat-mappings
@@ -1837,6 +1880,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -1871,6 +1915,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -1917,6 +1962,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -1951,6 +1997,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -1998,6 +2045,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -2032,6 +2080,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -2079,6 +2128,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -2114,6 +2164,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -2160,6 +2211,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -2195,6 +2247,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -2242,6 +2295,7 @@ elasticsearch:
- client-mappings
- container-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -2274,6 +2328,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -2318,6 +2373,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -2353,6 +2409,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -2399,6 +2456,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -2434,6 +2492,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -2480,6 +2539,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -2515,6 +2575,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -2561,6 +2622,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -2596,6 +2658,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -2642,6 +2705,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -2676,6 +2740,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -2722,6 +2787,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -2757,6 +2823,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -2803,6 +2870,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -2838,6 +2906,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -2884,6 +2953,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -2918,6 +2988,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -2965,6 +3036,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -2999,6 +3071,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -3046,6 +3119,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -3080,6 +3154,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -3126,6 +3201,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -3160,6 +3236,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -3206,6 +3283,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -3241,6 +3319,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -3287,6 +3366,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -3321,6 +3401,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -3367,6 +3448,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -3402,6 +3484,7 @@ elasticsearch:
- dtc-service-mappings
- snyk-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -3448,6 +3531,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -3482,6 +3566,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -3528,6 +3613,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -3563,6 +3649,7 @@ elasticsearch:
- dtc-service-mappings
- sophos-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -3609,6 +3696,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -3643,6 +3731,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -3689,6 +3778,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -3725,6 +3815,7 @@ elasticsearch:
- dtc-service-mappings
- so-scan-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -3771,6 +3862,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -3805,6 +3897,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- syslog-mappings
- threat-mappings
@@ -3852,6 +3945,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -3886,6 +3980,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -3932,6 +4027,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -3966,6 +4062,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
@@ -4013,6 +4110,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- dtc-destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
@@ -4047,6 +4145,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- dtc-source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings

69
salt/elasticsearch/templates/component/so/dtc-client-mappings.json Normal file
View File

@@ -0,0 +1,69 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html",
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"client": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}

74
salt/elasticsearch/templates/component/so/dtc-destination-mappings.json Normal file
View File

@@ -0,0 +1,74 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html",
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"destination": {
"properties": {
"geo": {
"properties": {
"country_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}
}
}

13
salt/elasticsearch/templates/component/so/dtc-event-mappings.json
View File

@@ -48,6 +48,19 @@
"properties": {
"event": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
}
}
},
"category": {
"ignore_above": 1024,
"type": "keyword",

8
salt/elasticsearch/templates/component/so/dtc-file-mappings.json
View File

@@ -48,6 +48,14 @@
"properties": {
"file": {
"properties": {
"accessed": {
"type": "date",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword",

15
salt/elasticsearch/templates/component/so/dtc-host-mappings.json
View File

@@ -48,7 +48,20 @@
"properties": {
"host": {
"properties": {
"name": {
"hostname": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {

16
salt/elasticsearch/templates/component/so/dtc-process-mappings.json
View File

@@ -59,6 +59,22 @@
}
},
"type": "wildcard"
},
"pid": {
"type": "long",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"ppid": {
"type": "long",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}

74
salt/elasticsearch/templates/component/so/dtc-source-mappings.json Normal file
View File

@@ -0,0 +1,74 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html",
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"source": {
"properties": {
"geo": {
"properties": {
"country_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}
}
}

83
salt/elasticsearch/templates/component/so/dtc-winlog-mappings.json Normal file
View File

@@ -0,0 +1,83 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"winlog": {
"properties": {
"event_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
}
}
},
"record_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}