From 3ee46e4c297627724f34f8cce42dc532435ca4a2 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 2 Mar 2022 21:50:03 +0000
Subject: [PATCH 1/6] Add .keyword for destination/source geo.country_name
---
 .../so/dtc-destination-mappings.json | 74 +++++++++++++++++++
 .../component/so/dtc-source-mappings.json | 74 +++++++++++++++++++
 2 files changed, 148 insertions(+)
 create mode 100644 salt/elasticsearch/templates/component/so/dtc-destination-mappings.json
 create mode 100644 salt/elasticsearch/templates/component/so/dtc-source-mappings.json
diff --git a/salt/elasticsearch/templates/component/so/dtc-destination-mappings.json b/salt/elasticsearch/templates/component/so/dtc-destination-mappings.json
new file mode 100644
index 000000000..5691cfb7e
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/dtc-destination-mappings.json
@@ -0,0 +1,74 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
+ "mappings": {
+ "properties": {
+ "destination": {
+ "properties": {
+ "geo": {
+ "properties": {
+ "country_name": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ },
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
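Review bot: The new `keyword` subfield under `destination.geo.country_name` has no `ignore_above`, while the parent keyword field is capped at 1024, so a value longer than that is skipped for the parent but still indexed under `.keyword`, and the two paths disagree about which terms exist. Giving the subfield the same cap keeps them consistent: `"keyword": { "type": "keyword", "ignore_above": 1024 }`. The same shape recurs for `source.geo.country_name` in the next file, `event.action` and `host.hostname` in PATCH 2/6, `client.address` in PATCH 3/6, and the two `winlog` subfields added in PATCH 6/6. Whether a `.keyword` subfield on a field that is already `keyword` is needed at all depends on callers outside this diff (saved searches or dashboards that reference the `.keyword` path), so that part is presumably deliberate. Separately, `path_hierarchy_pattern_filter` and `path_tokenizer` are defined in `analysis` but referenced by nothing in this file's mappings; if they are boilerplate copied from the other `dtc-*` components, trimming the block to `es_security_analyzer` and its char filter would make the component easier to read.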
diff --git a/salt/elasticsearch/templates/component/so/dtc-source-mappings.json b/salt/elasticsearch/templates/component/so/dtc-source-mappings.json
new file mode 100644
index 000000000..7f372aec4
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/dtc-source-mappings.json
@@ -0,0 +1,74 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
+ "mappings": {
+ "properties": {
+ "source": {
+ "properties": {
+ "geo": {
+ "properties": {
+ "country_name": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ },
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
From 8f97f09c9c8bccd6241782cf5c804b66a2ba154d Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 2 Mar 2022 21:54:46 +0000
Subject: [PATCH 2/6] Additional .keyword changes for host.hostname client.address, and event.action
---
 .../component/so/dtc-event-mappings.json | 13 +++++++++++++
 .../templates/component/so/dtc-host-mappings.json | 15 ++++++++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json
index a64a30a26..d17b832dc 100644
--- a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json
@@ -48,6 +48,19 @@
 "properties": {
 "event": {
 "properties": {
+ "action": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ },
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
 "category": {
 "ignore_above": 1024,
 "type": "keyword",
diff --git a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json
index 02095b004..a16c298a5 100644
--- a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json
@@ -48,7 +48,20 @@
 "properties": {
 "host": {
 "properties": {
- "name": {
+ "hostname": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ },
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "name": {
 "ignore_above": 1024,
 "type": "keyword",
 "fields": {
From 85979cbce8a8acbc0fd18ed9646f5e0dc2e2a20c Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 3 Mar 2022 13:37:27 +0000
Subject: [PATCH 3/6] Add file, process, and winlog mapping changes
---
 .../component/so/dtc-client-mappings.json | 69 +++++++++++++++++
 .../component/so/dtc-file-mappings.json | 8 ++
 .../component/so/dtc-process-mappings.json | 16 ++++
 .../component/so/dtc-winlog-mappings.json | 77 +++++++++++++++++++
 4 files changed, 170 insertions(+)
 create mode 100644 salt/elasticsearch/templates/component/so/dtc-client-mappings.json
 create mode 100644 salt/elasticsearch/templates/component/so/dtc-winlog-mappings.json
diff --git a/salt/elasticsearch/templates/component/so/dtc-client-mappings.json b/salt/elasticsearch/templates/component/so/dtc-client-mappings.json
new file mode 100644
index 000000000..23399cc26
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/dtc-client-mappings.json
@@ -0,0 +1,69 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-client.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
+ "mappings": {
+ "properties": {
+ "client": {
+ "properties": {
+ "address": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ },
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json
index c58ae77ab..e15990e98 100644
--- a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json
@@ -48,6 +48,14 @@
 "properties": {
 "file": {
 "properties": {
+ "accessed": {
+ "type": "date"
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
 "mime_type": {
 "ignore_above": 1024,
 "type": "keyword",
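Review bot: No `composed_of` list in `salt/elasticsearch/defaults.yaml` picks up this new `dtc-client-mappings` component: PATCH 4/6 adds only `dtc-destination-mappings`, `dtc-source-mappings` and `dtc-winlog-mappings`, so unless a reference already exists outside this diff, the `client.address` `.keyword` subfield defined here never reaches an index template. Adding `- dtc-client-mappings` directly after `- client-mappings` in each template that lists it would follow the placement used for the other `dtc-*` entries. A check that every file under `templates/component/so/` is named in at least one `composed_of` list would catch this class of omission on the next addition.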
diff --git a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json
index a70df5c77..297720656 100644
--- a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json
@@ -59,6 +59,22 @@
 }
 },
 "type": "wildcard"
+ },
+ "pid": {
+ "type": "long",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
+ },
+ "ppid": {
+ "type": "long",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
 }
 }
 }
diff --git a/salt/elasticsearch/templates/component/so/dtc-winlog-mappings.json b/salt/elasticsearch/templates/component/so/dtc-winlog-mappings.json
new file mode 100644
index 000000000..dbf4e169a
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so/dtc-winlog-mappings.json
@@ -0,0 +1,77 @@
+{
+ "_meta": {
+ "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
+ "ecs_version": "1.12.2"
+ },
+ "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
+ "mappings": {
+ "properties": {
+ "winlog": {
+ "properties": {
+ "event_id": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
+ },
+ "record_id": {
+ "ignore_above": 1024,
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
From aa8d24b6cd8f5d611b56d7eeefb72d00ca2e9994 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 3 Mar 2022 13:42:20 +0000
Subject: [PATCH 4/6] Add DTC destination, source, and winlog mapping references to templates in defaults file
---
 salt/elasticsearch/defaults.yaml | 99 ++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 3a2135b1c..faa2caeca 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -102,6 +102,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
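Review bot: `_meta.documentation` cites `ecs-base.html`, but `winlog.event_id` and `winlog.record_id` are not ECS base fields (the `winlog.*` namespace is Winlogbeat's own), so the link sends a reader to the wrong reference, whereas the other new components cite the ECS page that matches their field set (`ecs-destination.html`, `ecs-client.html`). Either point it at the Winlogbeat `winlog.*` field reference or drop the key and keep only `ecs_version`. A short `_meta.description`, e.g. `"description": "security/keyword subfields for winlog.* (non-ECS)"`, would also state what the component is for, which nothing else in the file does.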
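Review bot: `dtc-destination-mappings` is placed ahead of `pb-override-destination-mappings` in `composed_of`, and later component templates take precedence when two define the same field, so if the pb-override component also maps `destination.geo.country_name` its definition wins and the `.keyword` subfield from `dtc-destination-mappings` is not applied. The same relative placement (`dtc-source-mappings` before `pb-override-source-mappings`) is used in every list through PATCH 4/6, which looks deliberate but is worth confirming against the pb-override files, which are not in this diff. The `composed_of` list and the template it belongs to start and end outside the hunk.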
@@ -136,6 +137,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -186,6 +188,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -220,6 +223,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -269,6 +273,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -303,6 +308,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -352,6 +358,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -386,6 +393,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -397,6 +405,7 @@ elasticsearch:
 - common-settings
 - common-dynamic-mappings
 - winlog-mappings
+ - dtc-winlog-mappings
 priority: 500
 so-bluecoat:
 warm: 7
@@ -436,6 +445,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -470,6 +480,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -546,6 +557,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -580,6 +592,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -627,6 +640,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -661,6 +675,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -708,6 +723,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -742,6 +758,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -791,6 +808,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -825,6 +843,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -873,6 +892,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -907,6 +927,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -953,6 +974,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -987,6 +1009,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1033,6 +1056,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1068,6 +1092,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1114,6 +1139,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1149,6 +1175,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1196,6 +1223,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1230,6 +1258,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1276,6 +1305,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1310,6 +1340,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1356,6 +1387,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1390,6 +1422,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1436,6 +1469,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1471,6 +1505,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1517,6 +1552,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1552,6 +1588,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1598,6 +1635,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1633,6 +1671,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1680,6 +1719,7 @@ elasticsearch:
 - client-mappings
 - container-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1712,6 +1752,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1756,6 +1797,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1790,6 +1832,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - suricata-mappings
 - threat-mappings
@@ -1837,6 +1880,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1871,6 +1915,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1917,6 +1962,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -1951,6 +1997,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -1998,6 +2045,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2032,6 +2080,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2079,6 +2128,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2114,6 +2164,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2160,6 +2211,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2195,6 +2247,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2242,6 +2295,7 @@ elasticsearch:
 - client-mappings
 - container-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2274,6 +2328,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2318,6 +2373,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2353,6 +2409,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2399,6 +2456,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2434,6 +2492,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2480,6 +2539,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2515,6 +2575,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2561,6 +2622,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2596,6 +2658,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2642,6 +2705,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2676,6 +2740,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2722,6 +2787,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2757,6 +2823,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2803,6 +2870,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2838,6 +2906,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2884,6 +2953,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2918,6 +2988,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -2965,6 +3036,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -2999,6 +3071,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3046,6 +3119,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3080,6 +3154,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3126,6 +3201,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3160,6 +3236,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3206,6 +3283,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3241,6 +3319,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3287,6 +3366,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3321,6 +3401,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3367,6 +3448,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3402,6 +3484,7 @@ elasticsearch:
 - dtc-service-mappings
 - snyk-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3448,6 +3531,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3482,6 +3566,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3528,6 +3613,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3563,6 +3649,7 @@ elasticsearch:
 - dtc-service-mappings
 - sophos-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3609,6 +3696,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3643,6 +3731,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3689,6 +3778,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3725,6 +3815,7 @@ elasticsearch:
 - dtc-service-mappings
 - so-scan-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3771,6 +3862,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3805,6 +3897,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - syslog-mappings
 - threat-mappings
@@ -3852,6 +3945,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3886,6 +3980,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -3932,6 +4027,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -3966,6 +4062,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
@@ -4013,6 +4110,7 @@ elasticsearch:
 - container-mappings
 - data_stream-mappings
 - destination-mappings
+ - dtc-destination-mappings
 - pb-override-destination-mappings
 - dll-mappings
 - dns-mappings
@@ -4047,6 +4145,7 @@ elasticsearch:
 - service-mappings
 - dtc-service-mappings
 - source-mappings
+ - dtc-source-mappings
 - pb-override-source-mappings
 - threat-mappings
 - tls-mappings
From 1c086e36dac5bd34983b224c8f6bedd941d8f314 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 3 Mar 2022 13:49:54 +0000
Subject: [PATCH 5/6] Add missing comma for file mappings
---
 .../elasticsearch/templates/component/so/dtc-file-mappings.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json
index e15990e98..88152760a 100644
--- a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json
@@ -49,7 +49,7 @@
 "file": {
 "properties": {
 "accessed": {
- "type": "date"
+ "type": "date",
 "fields": {
 "keyword": {
 "type": "keyword"
From 1f71816ad72be6e0e16b3db6ea8d042a92d65ae1 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 3 Mar 2022 14:54:30 +0000
Subject: [PATCH 6/6] Add keyword subfield for DTC winlog mappings
---
 .../templates/component/so/dtc-winlog-mappings.json | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/salt/elasticsearch/templates/component/so/dtc-winlog-mappings.json b/salt/elasticsearch/templates/component/so/dtc-winlog-mappings.json
index dbf4e169a..09c157c1e 100644
--- a/salt/elasticsearch/templates/component/so/dtc-winlog-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-winlog-mappings.json
@@ -55,6 +55,9 @@
 "security": {
 "type": "text",
 "analyzer": "es_security_analyzer"
+ },
+ "keyword": {
+ "type": "keyword"
 }
 }
 },
@@ -65,6 +68,9 @@
 "security": {
 "type": "text",
 "analyzer": "es_security_analyzer"
+ },
+ "keyword": {
+ "type": "keyword"
 }
 }
 }