diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 3a2135b1c..faa2caeca 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -102,6 +102,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -136,6 +137,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -186,6 +188,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -220,6 +223,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -269,6 +273,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -303,6 +308,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -352,6 +358,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -386,6 +393,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -397,6 +405,7 @@ elasticsearch:
 - common-settings
 - common-dynamic-mappings
 - winlog-mappings
+ - dtc-winlog-mappings
 priority: 500
 so-bluecoat:
 warm: 7
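Review bot: dtc-client-mappings.json is created by this commit, but none of the defaults.yaml hunks add `- dtc-client-mappings` to any `composed_of` list, so unless it is referenced in a part of the file outside these hunks the new component template is never composed into an index template and `client.address` keeps whatever mapping `client-mappings` gives it. The three names that are wired up (`dtc-destination-mappings`, `dtc-source-mappings`, `dtc-winlog-mappings`) are inserted right after the base component and before the matching `pb-override-*` one, which mirrors the existing `dtc-service-mappings` placement and keeps the override component as the last word on conflicting fields; that looks deliberate. The same insertion repeats in every hunk on the following lines, so this note covers all of them. Either add `- dtc-client-mappings` after `- client-mappings` in the same templates or leave the file out until it is needed.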
@@ -436,6 +445,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -470,6 +480,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -546,6 +557,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -580,6 +592,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -627,6 +640,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -661,6 +675,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -708,6 +723,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -742,6 +758,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -791,6 +808,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -825,6 +843,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -873,6 +892,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -907,6 +927,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -953,6 +974,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -987,6 +1009,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1033,6 +1056,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1068,6 +1092,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1114,6 +1139,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1149,6 +1175,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1196,6 +1223,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1230,6 +1258,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1276,6 +1305,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1310,6 +1340,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1356,6 +1387,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1390,6 +1422,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1436,6 +1469,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1471,6 +1505,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1517,6 +1552,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1552,6 +1588,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1598,6 +1635,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1633,6 +1671,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1680,6 +1719,7 @@ elasticsearch:
 - client-mappings
 - container-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1712,6 +1752,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1756,6 +1797,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1790,6 +1832,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - suricata-mappings
 - threat-mappings
@@ -1837,6 +1880,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1871,6 +1915,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1917,6 +1962,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1951,6 +1997,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1998,6 +2045,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2032,6 +2080,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2079,6 +2128,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2114,6 +2164,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2160,6 +2211,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2195,6 +2247,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2242,6 +2295,7 @@ elasticsearch:
 - client-mappings
 - container-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2274,6 +2328,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2318,6 +2373,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2353,6 +2409,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2399,6 +2456,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2434,6 +2492,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2480,6 +2539,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2515,6 +2575,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2561,6 +2622,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2596,6 +2658,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2642,6 +2705,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2676,6 +2740,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2722,6 +2787,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2757,6 +2823,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2803,6 +2870,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2838,6 +2906,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2884,6 +2953,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2918,6 +2988,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2965,6 +3036,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2999,6 +3071,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3046,6 +3119,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3080,6 +3154,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3126,6 +3201,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3160,6 +3236,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3206,6 +3283,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3241,6 +3319,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3287,6 +3366,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3321,6 +3401,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3367,6 +3448,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3402,6 +3484,7 @@ elasticsearch:
 - dtc-service-mappings
 - snyk-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3448,6 +3531,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3482,6 +3566,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3528,6 +3613,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3563,6 +3649,7 @@ elasticsearch:
 - dtc-service-mappings
 - sophos-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3609,6 +3696,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3643,6 +3731,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3689,6 +3778,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3725,6 +3815,7 @@ elasticsearch:
 - dtc-service-mappings
 - so-scan-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3771,6 +3862,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3805,6 +3897,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - syslog-mappings
 - threat-mappings
@@ -3852,6 +3945,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3886,6 +3980,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3932,6 +4027,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3966,6 +4062,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -4013,6 +4110,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -4047,6 +4145,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
diff --git a/salt/elasticsearch/templates/component/so/dtc-client-mappings.json b/salt/elasticsearch/templates/component/so/dtc-client-mappings.json
new file mode 100644
index 000000000..23399cc26
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/dtc-client-mappings.json
@@ -0,0 +1,69 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
+ "mappings": {
+ "properties": {
+ "client": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ },
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/dtc-destination-mappings.json b/salt/elasticsearch/templates/component/so/dtc-destination-mappings.json
new file mode 100644
index 000000000..5691cfb7e
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/dtc-destination-mappings.json
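Review bot: The entire `settings.analysis` block (`es_security_analyzer`, `whitespace_no_way`, `path_hierarchy_pattern_filter`, `path_tokenizer`) is copied verbatim into this file and again into dtc-destination-mappings.json, dtc-source-mappings.json and dtc-winlog-mappings.json, although the only entry any field in these four files references is `es_security_analyzer`. Identical copies merge without complaint when the component templates are composed, but the moment one copy is edited the winner is decided by `composed_of` order rather than by anyone noticing, and that is a hard-to-spot way for the analyzer behind the `security` sub-fields to drift. The index templates in defaults.yaml already reference a `common-settings` component (visible in the `@@ -397,6 +405,7 @@` hunk), so defining the analyzer once there, or in a single shared dtc settings component, and trimming these files to their `mappings` block would remove the duplication; if the settings have to stay per-file, at least drop the unused `path_hierarchy_pattern_filter` and `path_tokenizer` entries so the file only declares what it uses.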
@@ -0,0 +1,74 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
+ "mappings": {
+ "properties": {
+ "destination": {
+ "properties": {
+ "geo": {
+ "properties": {
+ "country_name": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ },
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
diff --git a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json
index a64a30a26..d17b832dc 100644
--- a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json
@@ -48,6 +48,19 @@
 "properties": {
 "event": {
 "properties": {
+ "action": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ },
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
 "category": {
 "ignore_above": 1024,
 "type": "keyword",
diff --git a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json
index c58ae77ab..88152760a 100644
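Review bot: `destination.geo.country_name` is mapped here with a `security` sub-field, but defaults.yaml composes this component before `pb-override-destination-mappings`, and Elasticsearch lets the later component template win on a conflicting field definition, so if the pb-override component (outside this diff) also declares `country_name` the sub-field added here silently never reaches the index. The same applies to `source.geo.country_name` in dtc-source-mappings.json. It is worth checking the two pb-override files before merging; if the override is meant to take precedence a short `_meta` note saying so would save the next reader the same check. Separately, this file and dtc-source-mappings.json end with an empty line after the closing brace while dtc-client-mappings.json does not.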
--- a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json
@@ -48,6 +48,14 @@
 "properties": {
 "file": {
 "properties": {
+ "accessed": {
+ "type": "date",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
 "mime_type": {
 "ignore_above": 1024,
 "type": "keyword",
diff --git a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json
index 02095b004..a16c298a5 100644
--- a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json
@@ -48,7 +48,20 @@
 "properties": {
 "host": {
 "properties": {
- "name": {
+ "hostname": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ },
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "name": {
 "ignore_above": 1024,
 "type": "keyword",
 "fields": {
diff --git a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json
index a70df5c77..297720656 100644
--- a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json
@@ -59,6 +59,22 @@
 }
 },
 "type": "wildcard"
+ },
+ "pid": {
+ "type": "long",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "ppid": {
+ "type": "long",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
 }
 }
 }
diff --git a/salt/elasticsearch/templates/component/so/dtc-source-mappings.json b/salt/elasticsearch/templates/component/so/dtc-source-mappings.json
new file mode 100644
index 000000000..7f372aec4
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/dtc-source-mappings.json
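Review bot: `file.accessed` is mapped as `date` with neither `format` nor `ignore_malformed`, so a document whose accessed timestamp does not parse under the default date format is rejected as a whole, not just that one field; the `keyword` sub-field does not soften this, because the parent `date` value is parsed first. Unless every source feeding these templates is known to emit ISO-8601 or epoch-millis values, add `"ignore_malformed": true` beside `"type": "date"` or normalise the value in the ingest pipeline; if the format is guaranteed, an explicit `"format"` at least documents the contract, since JSON leaves no room for a comment. The enclosing `file.properties` object starts before and ends after this hunk.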
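Review bot: `process.pid` and `process.ppid` are typed `long`, so any source that ships a process id as a non-numeric string (hex-formatted ids from some Windows event channels, for instance) causes the whole document to be rejected, and the `keyword` sub-field cannot catch that because it is only built once the `long` parse succeeds. If such sources exist, `"ignore_malformed": true` on both fields or a convert step in the ingest pipeline is needed; I cannot tell from this diff which pipelines feed these templates, so this is a check rather than a certain defect. The enclosing `process.properties` object starts before this hunk.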
@@ -0,0 +1,74 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
+ "mappings": {
+ "properties": {
+ "source": {
+ "properties": {
+ "geo": {
+ "properties": {
+ "country_name": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ },
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
diff --git a/salt/elasticsearch/templates/component/so/dtc-winlog-mappings.json b/salt/elasticsearch/templates/component/so/dtc-winlog-mappings.json
new file mode 100644
index 000000000..09c157c1e
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/dtc-winlog-mappings.json
@@ -0,0 +1,83 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
+ "mappings": {
+ "properties": {
+ "winlog": {
+ "properties": {
+ "event_id": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ },
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "record_id": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ },
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
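Review bot: `_meta.documentation` points at the ECS base-fields page, but `winlog.event_id` and `winlog.record_id` are not ECS fields (ECS carries the Windows event identifier as `event.code`); every other dtc file in this commit links the ECS page for the field set it maps, so a reader following this link will not find these fields. Either point `documentation` at the Winlogbeat exported-fields reference for the `winlog` object or drop the `ecs_version` entry here so the metadata does not claim ECS conformance it does not have. Keeping `event_id` as `keyword` rather than a numeric type is the right call, since values such as 4688 are identifiers rather than quantities and exact-match queries are what matter for detection content.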