From 888145a2ed8a5bb5d5e6859cacd0c22d1babae4d Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Tue, 3 Dec 2024 08:55:43 -0600
Subject: [PATCH 01/38] remove optional integrations from defaults.yaml & soc_elasticsearch.yaml

---
 salt/elasticsearch/defaults.yaml | 8632 ---------------------------------
 salt/elasticsearch/soc_elasticsearch.yaml | 154 +-
 2 files changed, 3 insertions(+), 8783 deletions(-)

diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 9f0d3576c..e7a9a286c 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1049,2942 +1049,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-1password_x_item_usages: - index_sorting: false - index_template: - composed_of: - - logs-1password.item_usages@package - - logs-1password.item_usages@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-1password.item_usages@custom - index_patterns: - - logs-1password.item_usages-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-1password.item_usages-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-1password_x_signin_attempts: - index_sorting: false - index_template: - composed_of: - - logs-1password.signin_attempts@package - - logs-1password.signin_attempts@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-1password.signin_attempts@custom - index_patterns: - - logs-1password.signin_attempts-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-1password.signin_attempts-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-apache_x_access: - index_sorting: false - index_template: - composed_of: - - logs-apache.access@package - - logs-apache.access@custom - - 
so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-apache.access@custom - index_patterns: - - logs-apache.access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-apache.access-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-apache_x_error: - index_sorting: false - index_template: - composed_of: - - logs-apache.error@package - - logs-apache.error@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-apache.error@custom - index_patterns: - - logs-apache.error-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-apache.error-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-auditd_x_log: - index_sorting: false - index_template: - composed_of: - - logs-auditd.log@package - - logs-auditd.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-auditd.log@custom - index_patterns: - - logs-auditd.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-auditd.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - 
actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-auth0_x_logs: - index_sorting: false - index_template: - composed_of: - - logs-auth0.logs@package - - logs-auth0.logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-auth0.logs@custom - index_patterns: - - logs-auth0.logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-auth0.logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_cloudfront_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.cloudfront_logs@package - - logs-aws.cloudfront_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.cloudfront_logs@custom - index_patterns: - - logs-aws.cloudfront_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.cloudfront_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_cloudtrail: - index_sorting: false 
- index_template: - composed_of: - - logs-aws.cloudtrail@package - - logs-aws.cloudtrail@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.cloudtrail@custom - index_patterns: - - logs-aws.cloudtrail-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.cloudtrail-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_cloudwatch_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.cloudwatch_logs@package - - logs-aws.cloudwatch_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.cloudwatch_logs@custom - index_patterns: - - logs-aws.cloudwatch_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.cloudwatch_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_ec2_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.ec2_logs@package - - logs-aws.ec2_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.ec2_logs@custom - index_patterns: - - logs-aws.ec2_logs-* 
- priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.ec2_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_elb_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.elb_logs@package - - logs-aws.elb_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.elb_logs@custom - index_patterns: - - logs-aws.elb_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.elb_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_firewall_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.firewall_logs@package - - logs-aws.firewall_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.firewall_logs@custom - index_patterns: - - logs-aws.firewall_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.firewall_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - 
set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_guardduty: - index_sorting: false - index_template: - composed_of: - - logs-aws.guardduty@package - - logs-aws.guardduty@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.guardduty@custom - index_patterns: - - logs-aws.guardduty-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.guardduty-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_inspector: - index_sorting: false - index_template: - composed_of: - - logs-aws.inspector@package - - logs-aws.inspector@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.inspector@custom - index_patterns: - - logs-aws.inspector-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.inspector-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_route53_public_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.route53_public_logs@package - - logs-aws.route53_public_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - 
allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.route53_public_logs@custom - index_patterns: - - logs-aws.route53_public_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.route53_public_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_route53_resolver_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.route53_resolver_logs@package - - logs-aws.route53_resolver_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.route53_resolver_logs@custom - index_patterns: - - logs-aws.route53_resolver_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.route53_resolver_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_s3access: - index_sorting: false - index_template: - composed_of: - - logs-aws.s3access@package - - logs-aws.s3access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.s3access@custom - index_patterns: - - logs-aws.s3access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.s3access-logs - 
number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_securityhub_findings: - index_sorting: false - index_template: - composed_of: - - logs-aws.securityhub_findings@package - - logs-aws.securityhub_findings@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.securityhub_findings@custom - index_patterns: - - logs-aws.securityhub_findings-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.securityhub_findings-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_securityhub_insights: - index_sorting: false - index_template: - composed_of: - - logs-aws.securityhub_insights@package - - logs-aws.securityhub_insights@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.securityhub_insights@custom - index_patterns: - - logs-aws.securityhub_insights-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.securityhub_insights-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 
50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_vpcflow: - index_sorting: false - index_template: - composed_of: - - logs-aws.vpcflow@package - - logs-aws.vpcflow@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.vpcflow@custom - index_patterns: - - logs-aws.vpcflow-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.vpcflow-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_waf: - index_sorting: false - index_template: - composed_of: - - logs-aws.waf@package - - logs-aws.waf@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.waf@custom - index_patterns: - - logs-aws.waf-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.waf-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_activitylogs: - index_sorting: false - index_template: - composed_of: - - logs-azure.activitylogs@package - - logs-azure.activitylogs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - 
ignore_missing_component_templates: - - logs-azure.activitylogs@custom - index_patterns: - - logs-azure.activitylogs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.activitylogs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_application_gateway: - index_sorting: false - index_template: - composed_of: - - logs-azure.application_gateway@package - - logs-azure.application_gateway@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.application_gateway@custom - index_patterns: - - logs-azure.application_gateway-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.application_gateway-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_auditlogs: - index_sorting: false - index_template: - composed_of: - - logs-azure.auditlogs@package - - logs-azure.auditlogs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.auditlogs@custom - index_patterns: - - logs-azure.auditlogs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.auditlogs-logs - number_of_replicas: 0 - policy: - phases: - cold: - 
actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_eventhub: - index_sorting: false - index_template: - composed_of: - - logs-azure.eventhub@package - - logs-azure.eventhub@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.eventhub@custom - index_patterns: - - logs-azure.eventhub-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.eventhub-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_firewall_logs: - index_sorting: false - index_template: - composed_of: - - logs-azure.firewall_logs@package - - logs-azure.firewall_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.firewall_logs@custom - index_patterns: - - logs-azure.firewall_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.firewall_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - 
so-logs-azure_x_identity_protection: - index_sorting: false - index_template: - composed_of: - - logs-azure.identity_protection@package - - logs-azure.identity_protection@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.identity_protection@custom - index_patterns: - - logs-azure.identity_protection-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.identity_protection-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_platformlogs: - index_sorting: false - index_template: - composed_of: - - logs-azure.platformlogs@package - - logs-azure.platformlogs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.platformlogs@custom - index_patterns: - - logs-azure.platformlogs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.platformlogs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_provisioning: - index_sorting: false - index_template: - composed_of: - - logs-azure.provisioning@package - - logs-azure.provisioning@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: 
false - hidden: false - ignore_missing_component_templates: - - logs-azure.provisioning@custom - index_patterns: - - logs-azure.provisioning-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.provisioning-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_signinlogs: - index_sorting: false - index_template: - composed_of: - - logs-azure.signinlogs@package - - logs-azure.signinlogs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.signinlogs@custom - index_patterns: - - logs-azure.signinlogs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.signinlogs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_springcloudlogs: - index_sorting: false - index_template: - composed_of: - - logs-azure.springcloudlogs@package - - logs-azure.springcloudlogs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.springcloudlogs@custom - index_patterns: - - logs-azure.springcloudlogs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.springcloudlogs-logs - number_of_replicas: 0 - policy: - phases: - 
cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-barracuda_x_waf: - index_sorting: false - index_template: - composed_of: - - logs-barracuda.waf@package - - logs-barracuda.waf@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-barracuda.waf@custom - index_patterns: - - logs-barracuda.waf-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-barracuda.waf-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-barracuda_cloudgen_firewall_x_log: - index_sorting: False - index_template: - ignore_missing_component_templates: - - logs-barracuda_cloudgen_firewall.log@custom - index_patterns: - - "logs-barracuda_cloudgen_firewall.log-*" - template: - settings: - index: - lifecycle: - name: so-logs-barracuda_cloudgen_firewall.log-logs - number_of_replicas: 0 - composed_of: - - "logs-barracuda_cloudgen_firewall.log@package" - - "logs-barracuda_cloudgen_firewall.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: 
- actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-carbonblack_edr_x_log: - index_sorting: false - index_template: - composed_of: - - logs-carbonblack_edr.log@package - - logs-carbonblack_edr.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-carbonblack_edr.log@custom - index_patterns: - - logs-carbonblack_edr.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-carbonblack_edr.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cef_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cef.log@package - - logs-cef.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cef.log@custom - index_patterns: - - logs-cef.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cef.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-checkpoint_x_firewall: - index_sorting: false - index_template: - composed_of: - - logs-checkpoint.firewall@package - - logs-checkpoint.firewall@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - 
ignore_missing_component_templates: - - logs-checkpoint.firewall@custom - index_patterns: - - logs-checkpoint.firewall-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-checkpoint.firewall-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_asa_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_asa.log@package - - logs-cisco_asa.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_asa.log@custom - index_patterns: - - logs-cisco_asa.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_asa.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_duo_x_admin: - index_sorting: false - index_template: - composed_of: - - logs-cisco_duo.admin@package - - logs-cisco_duo.admin@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.admin@custom - index_patterns: - - logs-cisco_duo.admin-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_duo.admin-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - 
actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_duo_x_auth: - index_sorting: false - index_template: - composed_of: - - logs-cisco_duo.auth@package - - logs-cisco_duo.auth@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.auth@custom - index_patterns: - - logs-cisco_duo.auth-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_duo.auth-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_duo_x_offline_enrollment: - index_sorting: false - index_template: - composed_of: - - logs-cisco_duo.offline_enrollment@package - - logs-cisco_duo.offline_enrollment@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.offline_enrollment@custom - index_patterns: - - logs-cisco_duo.offline_enrollment-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_duo.offline_enrollment-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_duo_x_summary: - 
index_sorting: false - index_template: - composed_of: - - logs-cisco_duo.summary@package - - logs-cisco_duo.summary@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.summary@custom - index_patterns: - - logs-cisco_duo.summary-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_duo.summary-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_duo_x_telephony: - index_sorting: false - index_template: - composed_of: - - logs-cisco_duo.telephony@package - - logs-cisco_duo.telephony@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.telephony@custom - index_patterns: - - logs-cisco_duo.telephony-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_duo.telephony-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_ftd_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_ftd.log@package - - logs-cisco_ftd.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_ftd.log@custom - 
index_patterns: - - logs-cisco_ftd.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_ftd.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_ios_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_ios.log@package - - logs-cisco_ios.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_ios.log@custom - index_patterns: - - logs-cisco_ios.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_ios.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_ise_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_ise.log@package - - logs-cisco_ise.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_ise.log@custom - index_patterns: - - logs-cisco_ise.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_ise.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - 
max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_meraki_x_events: - index_sorting: false - index_template: - composed_of: - - logs-cisco_meraki.events@package - - logs-cisco_meraki.events@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_meraki.events@custom - index_patterns: - - logs-cisco_meraki.events-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_meraki.events-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_meraki_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_meraki.log@package - - logs-cisco_meraki.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_meraki.log@custom - index_patterns: - - logs-cisco_meraki.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_meraki.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_secure_email_gateway_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_secure_email_gateway.log@package - - 
logs-cisco_secure_email_gateway.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-cisco_secure_email_gateway.log@custom - index_patterns: - - logs-cisco_secure_email_gateway.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_secure_email_gateway.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_umbrella_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_umbrella.log@package - - logs-cisco_umbrella.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_umbrella.log@custom - index_patterns: - - logs-cisco_umbrella.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_umbrella.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_adc_x_interface: - index_sorting: false - index_template: - composed_of: - - logs-citrix_adc.interface@package - - logs-citrix_adc.interface@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.interface@custom - index_patterns: - 
- logs-citrix_adc.interface-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_adc.interface-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_adc_x_lbvserver: - index_sorting: false - index_template: - composed_of: - - logs-citrix_adc.lbvserver@package - - logs-citrix_adc.lbvserver@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.lbvserver@custom - index_patterns: - - logs-citrix_adc.lbvserver-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_adc.lbvserver-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_adc_x_service: - index_sorting: false - index_template: - composed_of: - - logs-citrix_adc.service@package - - logs-citrix_adc.service@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.service@custom - index_patterns: - - logs-citrix_adc.service-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_adc.service-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 
365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_adc_x_system: - index_sorting: false - index_template: - composed_of: - - logs-citrix_adc.system@package - - logs-citrix_adc.system@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.system@custom - index_patterns: - - logs-citrix_adc.system-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_adc.system-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_adc_x_vpn: - index_sorting: false - index_template: - composed_of: - - logs-citrix_adc.vpn@package - - logs-citrix_adc.vpn@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.vpn@custom - index_patterns: - - logs-citrix_adc.vpn-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_adc.vpn-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_waf_x_log: - index_sorting: false - index_template: - composed_of: - - logs-citrix_waf.log@package - - 
logs-citrix_waf.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_waf.log@custom - index_patterns: - - logs-citrix_waf.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_waf.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cloudflare_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-cloudflare.audit@package - - logs-cloudflare.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cloudflare.audit@custom - index_patterns: - - logs-cloudflare.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cloudflare.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cloudflare_x_logpull: - index_sorting: false - index_template: - composed_of: - - logs-cloudflare.logpull@package - - logs-cloudflare.logpull@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cloudflare.logpull@custom - index_patterns: - - logs-cloudflare.logpull-* - priority: 501 - template: - settings: - index: - 
lifecycle: - name: so-logs-cloudflare.logpull-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-crowdstrike_x_alert: - index_sorting: False - index_template: - index_patterns: - - logs-crowdstrike.alert-* - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - logs-crowdstrike.alert@package - - logs-crowdstrike.alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-crowdstrike.alert@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-crowdstrike_x_falcon: - index_sorting: False - index_template: - index_patterns: - - logs-crowdstrike.falcon-* - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - logs-crowdstrike.falcon@package - - logs-crowdstrike.falcon@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-crowdstrike.falcon@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - 
so-logs-crowdstrike_x_fdr: - index_sorting: False - index_template: - index_patterns: - - logs-crowdstrike.fdr-* - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - logs-crowdstrike.fdr@package - - logs-crowdstrike.fdr@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-crowdstrike.fdr@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-crowdstrike_x_host: - index_sorting: False - index_template: - index_patterns: - - logs-crowdstrike.host-* - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - logs-crowdstrike.host@package - - logs-crowdstrike.host@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-crowdstrike.host@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-darktrace_x_ai_analyst_alert: - index_sorting: false - index_template: - composed_of: - - logs-darktrace.ai_analyst_alert@package - - logs-darktrace.ai_analyst_alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-darktrace.ai_analyst_alert@custom - index_patterns: - - 
logs-darktrace.ai_analyst_alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-darktrace.ai_analyst_alert-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-darktrace_x_model_breach_alert: - index_sorting: false - index_template: - composed_of: - - logs-darktrace.model_breach_alert@package - - logs-darktrace.model_breach_alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-darktrace.model_breach_alert@custom - index_patterns: - - logs-darktrace.model_breach_alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-darktrace.model_breach_alert-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-darktrace_x_system_status_alert: - index_sorting: false - index_template: - composed_of: - - logs-darktrace.system_status_alert@package - - logs-darktrace.system_status_alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-darktrace.system_status_alert@custom - index_patterns: - - logs-darktrace.system_status_alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-darktrace.system_status_alert-logs - number_of_replicas: 0 - 
policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logs-detections_x_alerts: index_sorting: false index_template: 
@@ -5230,1478 +2294,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-f5_bigip_x_log: - index_sorting: false - index_template: - composed_of: - - logs-f5_bigip.log@package - - logs-f5_bigip.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-f5_bigip.log@custom - index_patterns: - - logs-f5_bigip.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-f5_bigip.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fim_x_event: - index_sorting: false - index_template: - composed_of: - - logs-fim.event@package - - logs-fim.event@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fim.event@custom - index_patterns: - - logs-fim.event-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fim.event-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fireeye_x_nx: - index_sorting: false - index_template: - composed_of: - - logs-fireeye.nx@package - - logs-fireeye.nx@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - 
logs-fireeye.nx@custom - index_patterns: - - logs-fireeye.nx-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fireeye.nx-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fortinet_fortigate_x_log: - index_sorting: false - index_template: - composed_of: - - logs-fortinet_fortigate.log@package - - logs-fortinet_fortigate.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fortinet_fortigate.log@custom - index_patterns: - - logs-fortinet_fortigate.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fortinet_fortigate.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fortinet_x_clientendpoint: - index_sorting: false - index_template: - composed_of: - - logs-fortinet.clientendpoint@package - - logs-fortinet.clientendpoint@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fortinet.clientendpoint@custom - index_patterns: - - logs-fortinet.clientendpoint-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fortinet.clientendpoint-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 
0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fortinet_x_firewall: - index_sorting: false - index_template: - composed_of: - - logs-fortinet.firewall@package - - logs-fortinet.firewall@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fortinet.firewall@custom - index_patterns: - - logs-fortinet.firewall-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fortinet.firewall-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fortinet_x_fortimail: - index_sorting: false - index_template: - composed_of: - - logs-fortinet.fortimail@package - - logs-fortinet.fortimail@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fortinet.fortimail@custom - index_patterns: - - logs-fortinet.fortimail-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fortinet.fortimail-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fortinet_x_fortimanager: - index_sorting: 
false - index_template: - composed_of: - - logs-fortinet.fortimanager@package - - logs-fortinet.fortimanager@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fortinet.fortimanager@custom - index_patterns: - - logs-fortinet.fortimanager-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fortinet.fortimanager-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-gcp_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-gcp.audit@package - - logs-gcp.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-gcp.audit@custom - index_patterns: - - logs-gcp.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-gcp.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-gcp_x_dns: - index_sorting: false - index_template: - composed_of: - - logs-gcp.dns@package - - logs-gcp.dns@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-gcp.dns@custom - index_patterns: - - logs-gcp.dns-* - priority: 501 - template: - settings: - 
index: - lifecycle: - name: so-logs-gcp.dns-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-gcp_x_firewall: - index_sorting: false - index_template: - composed_of: - - logs-gcp.firewall@package - - logs-gcp.firewall@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-gcp.firewall@custom - index_patterns: - - logs-gcp.firewall-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-gcp.firewall-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-gcp_x_loadbalancing_logs: - index_sorting: false - index_template: - composed_of: - - logs-gcp.loadbalancing_logs@package - - logs-gcp.loadbalancing_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-gcp.loadbalancing_logs@custom - index_patterns: - - logs-gcp.loadbalancing_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-gcp.loadbalancing_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 
100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-gcp_x_vpcflow: - index_sorting: false - index_template: - composed_of: - - logs-gcp.vpcflow@package - - logs-gcp.vpcflow@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-gcp.vpcflow@custom - index_patterns: - - logs-gcp.vpcflow-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-gcp.vpcflow-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-github_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-github.audit@package - - logs-github.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-github.audit@custom - index_patterns: - - logs-github.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-github.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-github_x_code_scanning: - index_sorting: false - index_template: - composed_of: - - logs-github.code_scanning@package - - logs-github.code_scanning@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - 
ignore_missing_component_templates: - - logs-github.code_scanning@custom - index_patterns: - - logs-github.code_scanning-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-github.code_scanning-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-github_x_dependabot: - index_sorting: false - index_template: - composed_of: - - logs-github.dependabot@package - - logs-github.dependabot@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-github.dependabot@custom - index_patterns: - - logs-github.dependabot-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-github.dependabot-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-github_x_issues: - index_sorting: false - index_template: - composed_of: - - logs-github.issues@package - - logs-github.issues@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-github.issues@custom - index_patterns: - - logs-github.issues-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-github.issues-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - 
delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-github_x_secret_scanning: - index_sorting: false - index_template: - composed_of: - - logs-github.secret_scanning@package - - logs-github.secret_scanning@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-github.secret_scanning@custom - index_patterns: - - logs-github.secret_scanning-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-github.secret_scanning-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_access_transparency: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.access_transparency@package - - logs-google_workspace.access_transparency@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.access_transparency@custom - index_patterns: - - logs-google_workspace.access_transparency-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.access_transparency-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 
0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_admin: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.admin@package - - logs-google_workspace.admin@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.admin@custom - index_patterns: - - logs-google_workspace.admin-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.admin-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_alert: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.alert@package - - logs-google_workspace.alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.alert@custom - index_patterns: - - logs-google_workspace.alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.alert-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_context_aware_access: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.context_aware_access@package - - 
logs-google_workspace.context_aware_access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.context_aware_access@custom - index_patterns: - - logs-google_workspace.context_aware_access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.context_aware_access-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_device: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.device@package - - logs-google_workspace.device@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.device@custom - index_patterns: - - logs-google_workspace.device-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.device-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_drive: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.drive@package - - logs-google_workspace.drive@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - 
ignore_missing_component_templates: - - logs-google_workspace.drive@custom - index_patterns: - - logs-google_workspace.drive-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.drive-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_gcp: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.gcp@package - - logs-google_workspace.gcp@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.gcp@custom - index_patterns: - - logs-google_workspace.gcp-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.gcp-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_group_enterprise: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.group_enterprise@package - - logs-google_workspace.group_enterprise@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.group_enterprise@custom - index_patterns: - - logs-google_workspace.group_enterprise-* - priority: 501 - template: - settings: - index: - lifecycle: - name: 
so-logs-google_workspace.group_enterprise-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_groups: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.groups@package - - logs-google_workspace.groups@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.groups@custom - index_patterns: - - logs-google_workspace.groups-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.groups-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_login: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.login@package - - logs-google_workspace.login@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.login@custom - index_patterns: - - logs-google_workspace.login-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.login-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 
30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_rules: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.rules@package - - logs-google_workspace.rules@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.rules@custom - index_patterns: - - logs-google_workspace.rules-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.rules-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_saml: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.saml@package - - logs-google_workspace.saml@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.saml@custom - index_patterns: - - logs-google_workspace.saml-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.saml-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_token: - index_sorting: false - index_template: - composed_of: - - 
logs-google_workspace.token@package - - logs-google_workspace.token@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.token@custom - index_patterns: - - logs-google_workspace.token-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.token-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_user_accounts: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.user_accounts@package - - logs-google_workspace.user_accounts@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.user_accounts@custom - index_patterns: - - logs-google_workspace.user_accounts-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.user_accounts-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logs-http_endpoint_x_generic: index_sorting: false index_template: 
@@ -6795,1524 +2387,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-iis_x_access: - index_sorting: false - index_template: - composed_of: - - logs-iis.access@package - - logs-iis.access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-iis.access@custom - index_patterns: - - logs-iis.access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-iis.access-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-iis_x_error: - index_sorting: false - index_template: - composed_of: - - logs-iis.error@package - - logs-iis.error@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-iis.error@custom - index_patterns: - - logs-iis.error-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-iis.error-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-imperva_cloud_waf_x_event: - index_sorting: False - index_template: - ignore_missing_component_templates: - - logs-imperva_cloud_waf.event@custom - index_patterns: - - "logs-imperva_cloud_waf.event-*" - template: - settings: - index: - lifecycle: - name: so-logs-imperva_cloud_waf.event-logs - number_of_replicas: 
0 - composed_of: - - "logs-imperva_cloud_waf.event@package" - - "logs-imperva_cloud_waf.event@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-juniper_srx_x_log: - index_sorting: false - index_template: - composed_of: - - logs-juniper_srx.log@package - - logs-juniper_srx.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-juniper_srx.log@custom - index_patterns: - - logs-juniper_srx.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-juniper_srx.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-juniper_x_junos: - index_sorting: false - index_template: - composed_of: - - logs-juniper.junos@package - - logs-juniper.junos@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-juniper.junos@custom - index_patterns: - - logs-juniper.junos-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-juniper.junos-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - 
delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-juniper_x_netscreen: - index_sorting: false - index_template: - composed_of: - - logs-juniper.netscreen@package - - logs-juniper.netscreen@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-juniper.netscreen@custom - index_patterns: - - logs-juniper.netscreen-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-juniper.netscreen-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-juniper_x_srx: - index_sorting: false - index_template: - composed_of: - - logs-juniper.srx@package - - logs-juniper.srx@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-juniper.srx@custom - index_patterns: - - logs-juniper.srx-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-juniper.srx-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-kafka_log_x_generic: - index_sorting: false - index_template: - composed_of: - - logs-kafka_log.generic@package - - 
logs-kafka_log.generic@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-kafka_log.generic@custom - index_patterns: - - logs-kafka_log.generic-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-kafka_log.generic-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-lastpass_x_detailed_shared_folder: - index_sorting: false - index_template: - composed_of: - - logs-lastpass.detailed_shared_folder@package - - logs-lastpass.detailed_shared_folder@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-lastpass.detailed_shared_folder@custom - index_patterns: - - logs-lastpass.detailed_shared_folder-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-lastpass.detailed_shared_folder-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-lastpass_x_event_report: - index_sorting: false - index_template: - composed_of: - - logs-lastpass.event_report@package - - logs-lastpass.event_report@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - 
logs-lastpass.event_report@custom - index_patterns: - - logs-lastpass.event_report-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-lastpass.event_report-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-lastpass_x_user: - index_sorting: false - index_template: - composed_of: - - logs-lastpass.user@package - - logs-lastpass.user@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-lastpass.user@custom - index_patterns: - - logs-lastpass.user-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-lastpass.user-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-m365_defender_x_event: - index_sorting: false - index_template: - composed_of: - - logs-m365_defender.event@package - - logs-m365_defender.event@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-m365_defender.event@custom - index_patterns: - - logs-m365_defender.event-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-m365_defender.event-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - 
delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-m365_defender_x_incident: - index_sorting: false - index_template: - composed_of: - - logs-m365_defender.incident@package - - logs-m365_defender.incident@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-m365_defender.incident@custom - index_patterns: - - logs-m365_defender.incident-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-m365_defender.incident-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-m365_defender_x_log: - index_sorting: false - index_template: - composed_of: - - logs-m365_defender.log@package - - logs-m365_defender.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-m365_defender.log@custom - index_patterns: - - logs-m365_defender.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-m365_defender.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-microsoft_defender_endpoint_x_log: - index_sorting: false 
- index_template: - composed_of: - - logs-microsoft_defender_endpoint.log@package - - logs-microsoft_defender_endpoint.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-microsoft_defender_endpoint.log@custom - index_patterns: - - logs-microsoft_defender_endpoint.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-microsoft_defender_endpoint.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-microsoft_dhcp_x_log: - index_sorting: false - index_template: - composed_of: - - logs-microsoft_dhcp.log@package - - logs-microsoft_dhcp.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-microsoft_dhcp.log@custom - index_patterns: - - logs-microsoft_dhcp.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-microsoft_dhcp.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-microsoft_sqlserver_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-microsoft_sqlserver.audit@package - - logs-microsoft_sqlserver.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - 
hidden: false - ignore_missing_component_templates: - - logs-microsoft_sqlserver.audit@custom - index_patterns: - - logs-microsoft_sqlserver.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-microsoft_sqlserver.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-microsoft_sqlserver_x_log: - index_sorting: false - index_template: - composed_of: - - logs-microsoft_sqlserver.log@package - - logs-microsoft_sqlserver.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-microsoft_sqlserver.log@custom - index_patterns: - - logs-microsoft_sqlserver.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-microsoft_sqlserver.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_audit_events: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.audit_events@package - - logs-mimecast.audit_events@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.audit_events@custom - index_patterns: - - logs-mimecast.audit_events-* - priority: 501 - template: - settings: - index: - lifecycle: - name: 
so-logs-mimecast.audit_events-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_dlp_logs: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.dlp_logs@package - - logs-mimecast.dlp_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.dlp_logs@custom - index_patterns: - - logs-mimecast.dlp_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.dlp_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_siem_logs: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.siem_logs@package - - logs-mimecast.siem_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.siem_logs@custom - index_patterns: - - logs-mimecast.siem_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.siem_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - 
min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_threat_intel_malware_customer: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.threat_intel_malware_customer@package - - logs-mimecast.threat_intel_malware_customer@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.threat_intel_malware_customer@custom - index_patterns: - - logs-mimecast.threat_intel_malware_customer-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.threat_intel_malware_customer-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_threat_intel_malware_grid: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.threat_intel_malware_grid@package - - logs-mimecast.threat_intel_malware_grid@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.threat_intel_malware_grid@custom - index_patterns: - - logs-mimecast.threat_intel_malware_grid-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.threat_intel_malware_grid-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - 
so-logs-mimecast_x_ttp_ap_logs: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.ttp_ap_logs@package - - logs-mimecast.ttp_ap_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.ttp_ap_logs@custom - index_patterns: - - logs-mimecast.ttp_ap_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.ttp_ap_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_ttp_ip_logs: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.ttp_ip_logs@package - - logs-mimecast.ttp_ip_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.ttp_ip_logs@custom - index_patterns: - - logs-mimecast.ttp_ip_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.ttp_ip_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_ttp_url_logs: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.ttp_url_logs@package - - logs-mimecast.ttp_url_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - 
hidden: false - ignore_missing_component_templates: - - logs-mimecast.ttp_url_logs@custom - index_patterns: - - logs-mimecast.ttp_url_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.ttp_url_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mysql_x_error: - index_sorting: false - index_template: - composed_of: - - logs-mysql.error@package - - logs-mysql.error@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mysql.error@custom - index_patterns: - - logs-mysql.error-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mysql.error-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mysql_x_slowlog: - index_sorting: false - index_template: - composed_of: - - logs-mysql.slowlog@package - - logs-mysql.slowlog@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mysql.slowlog@custom - index_patterns: - - logs-mysql.slowlog-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mysql.slowlog-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - 
actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-netflow_x_log: - index_sorting: false - index_template: - composed_of: - - logs-netflow.log@package - - logs-netflow.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-netflow.log@custom - index_patterns: - - logs-netflow.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-netflow.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-nginx_x_access: - index_sorting: false - index_template: - composed_of: - - logs-nginx.access@package - - logs-nginx.access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-nginx.access@custom - index_patterns: - - logs-nginx.access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-nginx.access-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-nginx_x_error: - index_sorting: false - index_template: - composed_of: - - logs-nginx.error@package - - logs-nginx.error@custom - - 
so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-nginx.error@custom - index_patterns: - - logs-nginx.error-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-nginx.error-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-o365_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-o365.audit@package - - logs-o365.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-o365.audit@custom - index_patterns: - - logs-o365.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-o365.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-okta_x_system: - index_sorting: false - index_template: - composed_of: - - logs-okta.system@package - - logs-okta.system@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-okta.system@custom - index_patterns: - - logs-okta.system-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-okta.system-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - 
set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logs-osquery-manager-action_x_responses: index_sorting: false index_template: 
@@ -8349,696 +2423,6 @@ elasticsearch:
 settings:
 index:
 number_of_replicas: 0
- so-logs-panw_x_panos:
- index_sorting: false
- index_template:
- composed_of:
- - logs-panw.panos@package
- - logs-panw.panos@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-panw.panos@custom
- index_patterns:
- - logs-panw.panos-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-panw.panos-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-pfsense_x_log:
- index_sorting: false
- index_template:
- composed_of:
- - logs-pfsense.log@package
- - logs-pfsense.log@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-pfsense.log@custom
- index_patterns:
- - logs-pfsense.log-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-pfsense.log-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-proofpoint_tap_x_clicks_blocked:
- index_sorting: false
- index_template:
- composed_of:
- - logs-proofpoint_tap.clicks_blocked@package
- - logs-proofpoint_tap.clicks_blocked@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-proofpoint_tap.clicks_blocked@custom
- index_patterns:
- - logs-proofpoint_tap.clicks_blocked-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-proofpoint_tap.clicks_blocked-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-proofpoint_tap_x_clicks_permitted:
- index_sorting: false
- index_template:
- composed_of:
- - logs-proofpoint_tap.clicks_permitted@package
- - logs-proofpoint_tap.clicks_permitted@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-proofpoint_tap.clicks_permitted@custom
- index_patterns:
- - logs-proofpoint_tap.clicks_permitted-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-proofpoint_tap.clicks_permitted-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-proofpoint_tap_x_message_blocked:
- index_sorting: false
- index_template:
- composed_of:
- - logs-proofpoint_tap.message_blocked@package
- - logs-proofpoint_tap.message_blocked@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-proofpoint_tap.message_blocked@custom
- index_patterns:
- - logs-proofpoint_tap.message_blocked-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-proofpoint_tap.message_blocked-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-proofpoint_tap_x_message_delivered:
- index_sorting: false
- index_template:
- composed_of:
- - logs-proofpoint_tap.message_delivered@package
- - logs-proofpoint_tap.message_delivered@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-proofpoint_tap.message_delivered@custom
- index_patterns:
- - logs-proofpoint_tap.message_delivered-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-proofpoint_tap.message_delivered-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-pulse_connect_secure_x_log:
- index_sorting: false
- index_template:
- composed_of:
- - logs-pulse_connect_secure.log@package
- - logs-pulse_connect_secure.log@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-pulse_connect_secure.log@custom
- index_patterns:
- - logs-pulse_connect_secure.log-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-pulse_connect_secure.log-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-sentinel_one_x_activity:
- index_sorting: false
- index_template:
- composed_of:
- - logs-sentinel_one.activity@package
- - logs-sentinel_one.activity@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-sentinel_one.activity@custom
- index_patterns:
- - logs-sentinel_one.activity-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-sentinel_one.activity-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-sentinel_one_x_agent:
- index_sorting: false
- index_template:
- composed_of:
- - logs-sentinel_one.agent@package
- - logs-sentinel_one.agent@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-sentinel_one.agent@custom
- index_patterns:
- - logs-sentinel_one.agent-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-sentinel_one.agent-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-sentinel_one_x_alert:
- index_sorting: false
- index_template:
- composed_of:
- - logs-sentinel_one.alert@package
- - logs-sentinel_one.alert@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-sentinel_one.alert@custom
- index_patterns:
- - logs-sentinel_one.alert-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-sentinel_one.alert-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-sentinel_one_x_group:
- index_sorting: false
- index_template:
- composed_of:
- - logs-sentinel_one.group@package
- - logs-sentinel_one.group@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-sentinel_one.group@custom
- index_patterns:
- - logs-sentinel_one.group-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-sentinel_one.group-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-sentinel_one_x_threat:
- index_sorting: false
- index_template:
- composed_of:
- - logs-sentinel_one.threat@package
- - logs-sentinel_one.threat@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-sentinel_one.threat@custom
- index_patterns:
- - logs-sentinel_one.threat-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-sentinel_one.threat-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-snort_x_log:
- index_sorting: false
- index_template:
- composed_of:
- - logs-snort.log@package
- - logs-snort.log@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-snort.log@custom
- index_patterns:
- - logs-snort.log-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-snort.log-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-snyk_x_audit:
- index_sorting: false
- index_template:
- composed_of:
- - logs-snyk.audit@package
- - logs-snyk.audit@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-snyk.audit@custom
- index_patterns:
- - logs-snyk.audit-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-snyk.audit-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-snyk_x_vulnerabilities:
- index_sorting: false
- index_template:
- composed_of:
- - logs-snyk.vulnerabilities@package
- - logs-snyk.vulnerabilities@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-snyk.vulnerabilities@custom
- index_patterns:
- - logs-snyk.vulnerabilities-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-snyk.vulnerabilities-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
 so-logs-soc:
 close: 30
 delete: 365
@@ -9147,282 +2531,6 @@ elasticsearch:
 priority: 50
 min_age: 30d
 warm: 7
- so-logs-sonicwall_firewall_x_log:
- index_sorting: false
- index_template:
- composed_of:
- - logs-sonicwall_firewall.log@package
- - logs-sonicwall_firewall.log@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-sonicwall_firewall.log@custom
- index_patterns:
- - logs-sonicwall_firewall.log-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-sonicwall_firewall.log-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-sophos_central_x_alert:
- index_sorting: false
- index_template:
- composed_of:
- - logs-sophos_central.alert@package
- - logs-sophos_central.alert@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-sophos_central.alert@custom
- index_patterns:
- - logs-sophos_central.alert-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-sophos_central.alert-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-sophos_central_x_event:
- index_sorting: false
- index_template:
- composed_of:
- - logs-sophos_central.event@package
- - logs-sophos_central.event@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-sophos_central.event@custom
- index_patterns:
- - logs-sophos_central.event-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-sophos_central.event-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-sophos_x_utm:
- index_sorting: false
- index_template:
- composed_of:
- - logs-sophos.utm@package
- - logs-sophos.utm@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-sophos.utm@custom
- index_patterns:
- - logs-sophos.utm-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-sophos.utm-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-sophos_x_xg:
- index_sorting: false
- index_template:
- composed_of:
- - logs-sophos.xg@package
- - logs-sophos.xg@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-sophos.xg@custom
- index_patterns:
- - logs-sophos.xg-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-sophos.xg-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-logs-symantec_endpoint_x_log:
- index_sorting: false
- index_template:
- composed_of:
- - logs-symantec_endpoint.log@package
- - logs-symantec_endpoint.log@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - logs-symantec_endpoint.log@custom
- index_patterns:
- - logs-symantec_endpoint.log-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-logs-symantec_endpoint.log-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
 so-logs-system_x_application:
 index_sorting: false
 index_template:
@@ -9663,1286 +2771,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-tenable_io_x_asset: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_io.asset-*" - template: - settings: - index: - lifecycle: - name: so-logs-tenable_io.asset-logs - number_of_replicas: 0 - composed_of: - - "logs-tenable_io.asset@package" - - "logs-tenable_io.asset@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-tenable_io.asset@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_io_x_plugin: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_io.plugin-*" - template: - settings: - index: - lifecycle: - name: so-logs-tenable_io.plugin-logs - number_of_replicas: 0 - composed_of: - - "logs-tenable_io.plugin@package" - - "logs-tenable_io.plugin@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-tenable_io.plugin@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_io_x_scan: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_io.scan-*" - template: - settings: - index: - lifecycle: - name: so-logs-tenable_io.scan-logs - 
number_of_replicas: 0 - composed_of: - - "logs-tenable_io.scan@package" - - "logs-tenable_io.scan@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-tenable_io.scan@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_io_x_vulnerability: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_io.vulnerability-*" - template: - settings: - index: - lifecycle: - name: so-logs-tenable_io.vulnerability-logs - number_of_replicas: 0 - composed_of: - - "logs-tenable_io.vulnerability@package" - - "logs-tenable_io.vulnerability@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-tenable_io.vulnerability@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_sc_x_asset: - index_sorting: false - index_template: - composed_of: - - logs-tenable_sc.asset@package - - logs-tenable_sc.asset@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-tenable_sc.asset@custom - index_patterns: - - logs-tenable_sc.asset-* - priority: 501 - template: - settings: - index: - lifecycle: - name: 
so-logs-tenable_sc.asset-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_sc_x_plugin: - index_sorting: false - index_template: - composed_of: - - logs-tenable_sc.plugin@package - - logs-tenable_sc.plugin@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-tenable_sc.plugin@custom - index_patterns: - - logs-tenable_sc.plugin-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-tenable_sc.plugin-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_sc_x_vulnerability: - index_sorting: false - index_template: - composed_of: - - logs-tenable_sc.vulnerability@package - - logs-tenable_sc.vulnerability@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-tenable_sc.vulnerability@custom - index_patterns: - - logs-tenable_sc.vulnerability-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-tenable_sc.vulnerability-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - 
set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_abusech_x_malware: - index_sorting: false - index_template: - composed_of: - - logs-ti_abusech.malware@package - - logs-ti_abusech.malware@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_abusech.malware@custom - index_patterns: - - logs-ti_abusech.malware-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_abusech.malware-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_abusech_x_malwarebazaar: - index_sorting: false - index_template: - composed_of: - - logs-ti_abusech.malwarebazaar@package - - logs-ti_abusech.malwarebazaar@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_abusech.malwarebazaar@custom - index_patterns: - - logs-ti_abusech.malwarebazaar-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_abusech.malwarebazaar-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_abusech_x_threatfox: - index_sorting: false - index_template: - composed_of: - - logs-ti_abusech.threatfox@package - - 
logs-ti_abusech.threatfox@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_abusech.threatfox@custom - index_patterns: - - logs-ti_abusech.threatfox-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_abusech.threatfox-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_abusech_x_url: - index_sorting: false - index_template: - composed_of: - - logs-ti_abusech.url@package - - logs-ti_abusech.url@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_abusech.url@custom - index_patterns: - - logs-ti_abusech.url-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_abusech.url-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_anomali_x_threatstream: - index_sorting: false - index_template: - composed_of: - - logs-ti_anomali.threatstream@package - - logs-ti_anomali.threatstream@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_anomali.threatstream@custom - index_patterns: - - logs-ti_anomali.threatstream-* - priority: 501 - 
template: - settings: - index: - lifecycle: - name: so-logs-ti_anomali.threatstream-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_cybersixgill_x_threat: - index_sorting: false - index_template: - composed_of: - - logs-ti_cybersixgill.threat@package - - logs-ti_cybersixgill.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_cybersixgill.threat@custom - index_patterns: - - logs-ti_cybersixgill.threat-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_cybersixgill.threat-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_misp_x_threat: - index_sorting: false - index_template: - composed_of: - - logs-ti_misp.threat@package - - logs-ti_misp.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_misp.threat@custom - index_patterns: - - logs-ti_misp.threat-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_misp.threat-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - 
max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_misp_x_threat_attributes: - index_sorting: false - index_template: - composed_of: - - logs-ti_misp.threat_attributes@package - - logs-ti_misp.threat_attributes@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_misp.threat_attributes@custom - index_patterns: - - logs-ti_misp.threat_attributes-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_misp.threat_attributes-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_otx_x_pulses_subscribed: - index_sorting: false - index_template: - composed_of: - - logs-ti_otx.pulses_subscribed@package - - logs-ti_otx.pulses_subscribed@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_otx.pulses_subscribed@custom - index_patterns: - - logs-ti_otx.pulses_subscribed-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_otx.pulses_subscribed-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_otx_x_threat: - index_sorting: false - index_template: - composed_of: 
- - logs-ti_otx.threat@package - - logs-ti_otx.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_otx.threat@custom - index_patterns: - - logs-ti_otx.threat-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_otx.threat-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_rapid7_threat_command_x_alert: - index_sorting: false - index_template: - composed_of: - - logs-ti_rapid7_threat_command.alert@package - - logs-ti_rapid7_threat_command.alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-ti_rapid7_threat_command.alert@custom - index_patterns: - - logs-ti_rapid7_threat_command.alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_rapid7_threat_command.alert-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_rapid7_threat_command_x_ioc: - index_sorting: false - index_template: - composed_of: - - logs-ti_rapid7_threat_command.ioc@package - - logs-ti_rapid7_threat_command.ioc@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - hidden: false - allow_custom_routing: false - 
ignore_missing_component_templates: - - logs-ti_rapid7_threat_command.ioc@custom - index_patterns: - - logs-ti_rapid7_threat_command.ioc-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_rapid7_threat_command.ioc-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_rapid7_threat_command_x_vulnerability: - index_sorting: false - index_template: - composed_of: - - logs-ti_rapid7_threat_command.vulnerability@package - - logs-ti_rapid7_threat_command.vulnerability@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-ti_rapid7_threat_command.vulnerability@custom - index_patterns: - - logs-ti_rapid7_threat_command.vulnerability-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_rapid7_threat_command.vulnerability-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_recordedfuture_x_latest_ioc-template: - index_sorting: false - index_template: - composed_of: - - logs-ti_recordedfuture.latest_ioc-template@package - - logs-ti_recordedfuture.latest_ioc-template@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_recordedfuture.latest_ioc-template@custom - 
index_patterns: - - logs-ti_recordedfuture.latest_ioc-template-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_recordedfuture.latest_ioc-template-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_recordedfuture_x_threat: - index_sorting: false - index_template: - composed_of: - - logs-ti_recordedfuture.threat@package - - logs-ti_recordedfuture.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_recordedfuture.threat@custom - index_patterns: - - logs-ti_recordedfuture.threat-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_recordedfuture.threat-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_threatq_x_threat: - index_sorting: false - index_template: - composed_of: - - logs-ti_threatq.threat@package - - logs-ti_threatq.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_threatq.threat@custom - index_patterns: - - logs-ti_threatq.threat-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_threatq.threat-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - 
priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-trend_micro_vision_one_x_alert: - index_sorting: False - index_template: - index_patterns: - - "logs-trend_micro_vision_one.alert-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-trend_micro_vision_one.alert@package" - - "logs-trend_micro_vision_one.alert@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - ignore_missing_component_templates: - - "logs-trend_micro_vision_one.alert@custom" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-trend_micro_vision_one_x_audit: - index_sorting: False - index_template: - index_patterns: - - "logs-trend_micro_vision_one.audit-*" - template: - settings: - index: - number_of_replicas: 0 - ignore_missing_component_templates: - - "logs-trend_micro_vision_one.audit@custom" - composed_of: - - "logs-trend_micro_vision_one.audit@package" - - "logs-trend_micro_vision_one.audit@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - 
so-logs-trend_micro_vision_one_x_detection: - index_sorting: False - index_template: - index_patterns: - - "logs-trend_micro_vision_one.detection-*" - template: - settings: - index: - number_of_replicas: 0 - ignore_missing_component_templates: - - "logs-trend_micro_vision_one.detection@custom" - composed_of: - - "logs-trend_micro_vision_one.detection@package" - - "logs-trend_micro_vision_one.detection@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-trendmicro_x_deep_security: - index_sorting: False - index_template: - index_patterns: - - "logs-trendmicro.deep_security-*" - template: - settings: - index: - number_of_replicas: 0 - ignore_missing_component_templates: - - "logs-trendmicro.deep_security@custom" - composed_of: - - "logs-trendmicro.deep_security@package" - - "logs-trendmicro.deep_security@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-vsphere_x_log: - index_sorting: false - index_template: - composed_of: - - logs-vsphere.log@package - - logs-vsphere.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - 
ignore_missing_component_templates: - - logs-vsphere.log@custom - index_patterns: - - logs-vsphere.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-vsphere.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logs-windows_x_forwarded: index_sorting: false index_template: 
@@ -11174,466 +3002,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-zscaler_zia_x_alerts: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zia.alerts@package - - logs-zscaler_zia.alerts@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.alerts@custom - index_patterns: - - logs-zscaler_zia.alerts-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zia.alerts-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zia_x_dns: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zia.dns@package - - logs-zscaler_zia.dns@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.dns@custom - index_patterns: - - logs-zscaler_zia.dns-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zia.dns-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zia_x_firewall: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zia.firewall@package - - logs-zscaler_zia.firewall@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: 
- allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.firewall@custom - index_patterns: - - logs-zscaler_zia.firewall-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zia.firewall-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zia_x_tunnel: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zia.tunnel@package - - logs-zscaler_zia.tunnel@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.tunnel@custom - index_patterns: - - logs-zscaler_zia.tunnel-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zia.tunnel-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zia_x_web: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zia.web@package - - logs-zscaler_zia.web@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.web@custom - index_patterns: - - logs-zscaler_zia.web-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zia.web-logs - number_of_replicas: 0 - policy: - phases: 
- cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zpa_x_app_connector_status: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zpa.app_connector_status@package - - logs-zscaler_zpa.app_connector_status@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.app_connector_status@custom - index_patterns: - - logs-zscaler_zpa.app_connector_status-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zpa.app_connector_status-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zpa_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zpa.audit@package - - logs-zscaler_zpa.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.audit@custom - index_patterns: - - logs-zscaler_zpa.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zpa.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - 
min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zpa_x_browser_access: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zpa.browser_access@package - - logs-zscaler_zpa.browser_access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.browser_access@custom - index_patterns: - - logs-zscaler_zpa.browser_access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zpa.browser_access-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zpa_x_user_activity: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zpa.user_activity@package - - logs-zscaler_zpa.user_activity@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.user_activity@custom - index_patterns: - - logs-zscaler_zpa.user_activity-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zpa.user_activity-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zpa_x_user_status: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zpa.user_status@package 
- - logs-zscaler_zpa.user_status@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.user_status@custom - index_patterns: - - logs-zscaler_zpa.user_status-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zpa.user_status-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logstash: index_sorting: false index_template: diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 88ea45b89..0d5d0ea28 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml 
@@ -358,160 +358,9 @@ elasticsearch: so-logs-windows_x_powershell_operational: *indexSettings so-logs-windows_x_sysmon_operational: *indexSettings so-logs-winlog_x_winlog: *indexSettings - so-logs-apache_x_access: *indexSettings - so-logs-apache_x_error: *indexSettings - so-logs-auditd_x_log: *indexSettings - so-logs-aws_x_cloudtrail: *indexSettings - so-logs-aws_x_cloudwatch_logs: *indexSettings - so-logs-aws_x_ec2_logs: *indexSettings - so-logs-aws_x_elb_logs: *indexSettings - so-logs-aws_x_firewall_logs: *indexSettings - so-logs-aws_x_route53_public_logs: *indexSettings - so-logs-aws_x_route53_resolver_logs: *indexSettings - so-logs-aws_x_s3access: *indexSettings - so-logs-aws_x_vpcflow: *indexSettings - so-logs-aws_x_waf: *indexSettings - so-logs-azure_x_activitylogs: *indexSettings - so-logs-azure_x_application_gateway: *indexSettings - so-logs-azure_x_auditlogs: *indexSettings - so-logs-azure_x_eventhub: *indexSettings - so-logs-azure_x_firewall_logs: *indexSettings - so-logs-azure_x_identity_protection: *indexSettings - so-logs-azure_x_platformlogs: *indexSettings - so-logs-azure_x_provisioning: *indexSettings - so-logs-azure_x_signinlogs: *indexSettings - so-logs-azure_x_springcloudlogs: *indexSettings - so-logs-barracuda_x_waf: *indexSettings - so-logs-barracuda_cloudgen_firewall_x_log: *indexSettings - so-logs-cef_x_log: *indexSettings - so-logs-cisco_asa_x_log: *indexSettings - so-logs-cisco_ftd_x_log: *indexSettings - so-logs-cisco_ios_x_log: *indexSettings - so-logs-cisco_ise_x_log: *indexSettings - so-logs-citrix_adc_x_interface: *indexSettings - so-logs-citrix_adc_x_lbvserver: *indexSettings - so-logs-citrix_adc_x_service: *indexSettings - so-logs-citrix_adc_x_system: *indexSettings - so-logs-citrix_adc_x_vpn: *indexSettings - so-logs-citrix_waf_x_log: *indexSettings - so-logs-cloudflare_x_audit: *indexSettings - so-logs-cloudflare_x_logpull: *indexSettings - so-logs-crowdstrike_x_alert: *indexSettings - so-logs-crowdstrike_x_falcon: *indexSettings - 
so-logs-crowdstrike_x_fdr: *indexSettings - so-logs-crowdstrike_x_host: *indexSettings - so-logs-darktrace_x_ai_analyst_alert: *indexSettings - so-logs-darktrace_x_model_breach_alert: *indexSettings - so-logs-darktrace_x_system_status_alert: *indexSettings so-logs-detections_x_alerts: *indexSettings - so-logs-f5_bigip_x_log: *indexSettings - so-logs-fim_x_event: *indexSettings - so-logs-fortinet_x_clientendpoint: *indexSettings - so-logs-fortinet_x_firewall: *indexSettings - so-logs-fortinet_x_fortimail: *indexSettings - so-logs-fortinet_x_fortimanager: *indexSettings - so-logs-fortinet_x_fortigate: *indexSettings - so-logs-gcp_x_audit: *indexSettings - so-logs-gcp_x_dns: *indexSettings - so-logs-gcp_x_firewall: *indexSettings - so-logs-gcp_x_loadbalancing_logs: *indexSettings - so-logs-gcp_x_vpcflow: *indexSettings - so-logs-github_x_audit: *indexSettings - so-logs-github_x_code_scanning: *indexSettings - so-logs-github_x_dependabot: *indexSettings - so-logs-github_x_issues: *indexSettings - so-logs-github_x_secret_scanning: *indexSettings - so-logs-google_workspace_x_access_transparency: *indexSettings - so-logs-google_workspace_x_admin: *indexSettings - so-logs-google_workspace_x_alert: *indexSettings - so-logs-google_workspace_x_context_aware_access: *indexSettings - so-logs-google_workspace_x_device: *indexSettings - so-logs-google_workspace_x_drive: *indexSettings - so-logs-google_workspace_x_gcp: *indexSettings - so-logs-google_workspace_x_group_enterprise: *indexSettings - so-logs-google_workspace_x_groups: *indexSettings - so-logs-google_workspace_x_login: *indexSettings - so-logs-google_workspace_x_rules: *indexSettings - so-logs-google_workspace_x_saml: *indexSettings - so-logs-google_workspace_x_token: *indexSettings - so-logs-google_workspace_x_user_accounts: *indexSettings so-logs-http_endpoint_x_generic: *indexSettings so-logs-httpjson_x_generic: *indexSettings - so-logs-iis_x_access: *indexSettings - so-logs-iis_x_error: *indexSettings - 
so-logs-imperva_cloud_waf_x_event: *indexSettings - so-logs-juniper_x_junos: *indexSettings - so-logs-juniper_x_netscreen: *indexSettings - so-logs-juniper_x_srx: *indexSettings - so-logs-juniper_srx_x_log: *indexSettings - so-logs-kafka_log_x_generic: *indexSettings - so-logs-lastpass_x_detailed_shared_folder: *indexSettings - so-logs-lastpass_x_event_report: *indexSettings - so-logs-lastpass_x_user: *indexSettings - so-logs-m365_defender_x_event: *indexSettings - so-logs-m365_defender_x_incident: *indexSettings - so-logs-m365_defender_x_log: *indexSettings - so-logs-microsoft_defender_endpoint_x_log: *indexSettings - so-logs-microsoft_dhcp_x_log: *indexSettings - so-logs-microsoft_sqlserver_x_audit: *indexSettings - so-logs-microsoft_sqlserver_x_log: *indexSettings - so-logs-mysql_x_error: *indexSettings - so-logs-mysql_x_slowlog: *indexSettings - so-logs-netflow_x_log: *indexSettings - so-logs-nginx_x_access: *indexSettings - so-logs-nginx_x_error: *indexSettings - so-logs-o365_x_audit: *indexSettings - so-logs-okta_x_system: *indexSettings - so-logs-panw_x_panos: *indexSettings - so-logs-pfsense_x_log: *indexSettings - so-logs-proofpoint_tap_x_clicks_blocked: *indexSettings - so-logs-proofpoint_tap_x_clicks_permitted: *indexSettings - so-logs-proofpoint_tap_x_message_blocked: *indexSettings - so-logs-proofpoint_tap_x_message_delivered: *indexSettings - so-logs-sentinel_one_x_activity: *indexSettings - so-logs-sentinel_one_x_agent: *indexSettings - so-logs-sentinel_one_x_alert: *indexSettings - so-logs-sentinel_one_x_group: *indexSettings - so-logs-sentinel_one_x_threat: *indexSettings - so-logs-sonicwall_firewall_x_log: *indexSettings - so-logs-snort_x_log: *indexSettings - so-logs-symantec_endpoint_x_log: *indexSettings - so-logs-tenable_io_x_asset: *indexSettings - so-logs-tenable_io_x_plugin: *indexSettings - so-logs-tenable_io_x_scan: *indexSettings - so-logs-tenable_io_x_vulnerability: *indexSettings - so-logs-tenable_sc_x_asset: *indexSettings - 
so-logs-tenable_sc_x_plugin: *indexSettings - so-logs-tenable_sc_x_vulnerability: *indexSettings - so-logs-ti_abusech_x_malware: *indexSettings - so-logs-ti_abusech_x_malwarebazaar: *indexSettings - so-logs-ti_abusech_x_threatfox: *indexSettings - so-logs-ti_abusech_x_url: *indexSettings - so-logs-ti_anomali_x_threatstream: *indexSettings - so-logs-ti_cybersixgill_x_threat: *indexSettings - so-logs-ti_misp_x_threat: *indexSettings - so-logs-ti_misp_x_threat_attributes: *indexSettings - so-logs-ti_otx_x_pulses_subscribed: *indexSettings - so-logs-ti_otx_x_threat: *indexSettings - so-logs-ti_recordedfuture_x_latest_ioc-template: *indexSettings - so-logs-ti_recordedfuture_x_threat: *indexSettings - so-logs-ti_threatq_x_threat: *indexSettings - so-logs-trend_micro_vision_one_x_alert: *indexSettings - so-logs-trend_micro_vision_one_x_audit: *indexSettings - so-logs-trend_micro_vision_one_x_detection: *indexSettings - so-logs-trendmicro_x_deep_security: *indexSettings - so-logs-zscaler_zia_x_alerts: *indexSettings - so-logs-zscaler_zia_x_dns: *indexSettings - so-logs-zscaler_zia_x_firewall: *indexSettings - so-logs-zscaler_zia_x_tunnel: *indexSettings - so-logs-zscaler_zia_x_web: *indexSettings - so-logs-zscaler_zpa_x_app_connector_status: *indexSettings - so-logs-zscaler_zpa_x_audit: *indexSettings - so-logs-zscaler_zpa_x_browser_access: *indexSettings - so-logs-zscaler_zpa_x_user_activity: *indexSettings - so-logs-zscaler_zpa_x_user_status: *indexSettings - so-logs-1password_x_item_usages: *indexSettings - so-logs-1password_x_signin_attempts: *indexSettings so-logs-osquery-manager-actions: *indexSettings so-logs-osquery-manager-action_x_responses: *indexSettings so-logs-elastic_agent_x_apm_server: *indexSettings 
@@ -537,6 +386,9 @@ elasticsearch:
 so-metrics-endpoint_x_metrics: *indexSettings
 so-metrics-endpoint_x_policy: *indexSettings
 so-metrics-nginx_x_stubstatus: *indexSettings
+ so-metrics-vsphere_x_datastore: *indexSettings
+ so-metrics-vsphere_x_host: *indexSettings
+ so-metrics-vsphere_x_virtualmachine: *indexSettings
 so-case: *indexSettings
 so-common: *indexSettings
 so-endgame: *indexSettings
From e3b7d82a8f5c3466ff77902f25c78f28c3b9ebba Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Tue, 3 Dec 2024 08:56:56 -0600
Subject: [PATCH 02/38] remove all non-core integrations from elasticfleet:packages pillar
---
 salt/elasticfleet/defaults.yaml | 75 ---------------------------------
 1 file changed, 75 deletions(-)
diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml
index 2f237cac1..41c50a96d 100644
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
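Review bot: The three `so-metrics-vsphere_x_*` keys point at `*indexSettings`, but this commit adds nothing to elasticsearch/defaults.yaml (its diffstat is deletions only), so unless matching index_settings entries already exist there these SOC annotations describe settings that are never defined. PATCH 02 in this series also removes `vsphere` from `elasticfleet:packages`, so it is worth confirming that these three entries are meant to survive as core metrics. If they are, a one-line comment above them such as `# vsphere metrics stay in the core index settings even though the vsphere package is optional` would make the intent clear to the next person pruning this list.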
@@ -32,95 +32,20 @@ elasticfleet: - stderr - stdout packages: - - apache - - auditd - - auth0 - - aws - - azure - - barracuda - - barracuda_cloudgen_firewall - - carbonblack_edr - - cef - - checkpoint - - cisco_asa - - cisco_duo - - cisco_ftd - - cisco_ios - - cisco_ise - - cisco_meraki - - cisco_secure_email_gateway - - cisco_umbrella - - citrix_adc - - citrix_waf - - cloudflare - - crowdstrike - - darktrace - elastic_agent - elasticsearch - endpoint - - f5_bigip - - fim - - fireeye - fleet_server - - fortinet - - fortinet_fortigate - - gcp - - github - - google_workspace - http_endpoint - httpjson - - iis - - imperva_cloud_waf - - journald - - juniper - - juniper_srx - - kafka_log - - lastpass - log - - m365_defender - - microsoft_defender_endpoint - - microsoft_dhcp - - microsoft_sqlserver - - mimecast - - mysql - - netflow - - nginx - - o365 - - okta - osquery_manager - - panw - - pfsense - - proofpoint_tap - - pulse_connect_secure - redis - - sentinel_one - - snort - - snyk - - sonicwall_firewall - - sophos - - sophos_central - - symantec_endpoint - system - tcp - - tenable_io - - tenable_sc - - ti_abusech - - ti_anomali - - ti_cybersixgill - - ti_misp - - ti_otx - - ti_rapid7_threat_command - - ti_recordedfuture - - ti_threatq - - trendmicro - - trend_micro_vision_one - udp - - vsphere - windows - winlog - - zscaler_zia - - zscaler_zpa - - 1password optional_integrations: sublime_platform: enabled_nodes: [] From ecf094f68494b9114b6692064b3e1b9798f314c6 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 26 Dec 2024 16:18:04 -0600 Subject: [PATCH 03/38] WIP: support all es fleet integrations 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- ...o-elastic-fleet-optional-integrations-load | 102 ++++++++++++++++ salt/elasticfleet/defaults.yaml | 1 + .../integration-defaults.map.jinja | 78 +++++++++++++ salt/elasticfleet/integration-defaults.yaml | 46 ++++++++ salt/elasticfleet/soc_elasticfleet.yaml | 5 + .../tools/sbin/so-elastic-fleet-common | 9 ++ .../tools/sbin/so-elastic-fleet-package-list | 2 +- .../integration-templates.map.jinja | 110 ++++++++++++++++++ salt/elasticsearch/template.map.jinja | 9 ++ 9 files changed, 361 insertions(+), 1 deletion(-) create mode 100644 salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load create mode 100644 salt/elasticfleet/integration-defaults.map.jinja create mode 100644 salt/elasticfleet/integration-defaults.yaml create mode 100644 salt/elasticsearch/integration-templates.map.jinja diff --git a/salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load b/salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load new file mode 100644 index 000000000..d94b006ad --- /dev/null +++ b/salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load 
@@ -0,0 +1,102 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# this file except in compliance with the Elastic License 2.0.
+
+. /usr/sbin/so-common
+. /usr/sbin/so-elastic-fleet-common
+
+# Check that /opt/so/state/estemplates.txt exists to signal that Elasticsearch
+# has completed its first run of core-only integrations/indices/components/ilm
+STATE_FILE_SUCCESS=/opt/so/state/estemplates.txt
+INSTALLED_PACKAGE_LIST=/tmp/esfleet_installed_packages.json
+BULK_INSTALL_PACKAGE_LIST=/tmp/esfleet_bulk_install.json
+BULK_INSTALL_PACKAGE_TMP=/tmp/esfleet_bulk_install_tmp.json
+PACKAGE_COMPONENTS=/opt/so/state/esfleet_package_components.json
+
+SKIP_SUBSCRIPTION=true
+PENDING_UPDATE=false
+
+version_conversion(){
+ version=$1
+ echo "$version" | awk -F '.' '{ printf("%d%03d%03d\n", $1, $2, $3); }'
+}
+
+compare_versions() {
+ version1=$1
+ version2=$2
+
+ # Convert versions to numbers
+ num1=$(version_conversion "$version1")
+ num2=$(version_conversion "$version2")
+
+ # Compare using bc
+ if (( $(echo "$num1 < $num2" | bc -l) )); then
+ echo "less"
+ elif (( $(echo "$num1 > $num2" | bc -l) )); then
+ echo "greater"
+ else
+ echo "equal"
+ fi
+}
+
+if [[ -f $STATE_FILE_SUCCESS ]]; then
+ if retry 3 1 "curl -s -K /opt/so/conf/elasticsearch/curl.config --output /dev/null --silent --head --fail localhost:5601/api/fleet/epm/packages"; then
+ # Package_list contains all NON-beta integrations.
+ latest_package_list=$(/usr/sbin/so-elastic-fleet-package-list)
+ echo '{ "packages" : []}' > $BULK_INSTALL_PACKAGE_LIST
+ rm -f $INSTALLED_PACKAGE_LIST
+ echo $latest_package_list | jq '{packages: [.items[] | {name: .name, latest_version: .version, installed_version: .savedObject.attributes.install_version, subscription: .conditions.elastic.subscription }]}' >> $INSTALLED_PACKAGE_LIST
+
+ cat "$INSTALLED_PACKAGE_LIST" | jq -c '.packages[]' | while read -r package; do
+ # get package details
+ package_name=$(echo "$package" | jq -r '.name')
+ latest_version=$(echo "$package" | jq -r '.latest_version')
+ installed_version=$(echo "$package" | jq -r '.installed_version')
+ subscription=$(echo "$package" | jq -r '.subscription')
+ bulk_package=$(echo "$package" | jq '{name: .name, version: .latest_version}' )
+
+ if [ $SKIP_SUBSCRIPTION ] && [[ "$subscription" != "basic" && "$subscription" != "null" && -n "$subscription" ]]; then
+ # pass over integrations that require non-basic elastic license
+ continue
+ else
+ if [ -n "$installed_version" ]; then
+ results=$(compare_versions "$latest_version" "$installed_version")
+ if [ $results == "greater" ]; then
+ echo "$package_name is not up to date... Adding to next update."
+ jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST
+ PENDING_UPDATE=true
+ fi
+ else
+ echo "$package_name is not installed... Adding to next update."
+ jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST
+ PENDING_UPDATE=true
+ fi
+ fi
+ done
+
+ if [ $PENDING_UPDATE ]; then
+ # Run bulk install of packages
+ # elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST
+
+ # Write out file for generating index/component/ilm templates
+ latest_installed_package_list=$(elastic_fleet_installed_packages)
+ echo $latest_installed_package_list | jq '[.items[] | {name: .name, es_index_patterns: .dataStreams}]' > $PACKAGE_COMPONENTS
+
+ else
+ echo "Elastic integrations don't appear to need installation/updating..."
+ exit 0
+ fi
+
+ else
+ # This is the installation of add-on integrations and upgrade of existing integrations. Exiting without error, next highstate will attempt to re-run.
+ echo "Elastic Fleet does not appear to be responding... Exiting... "
+ exit 0
+ fi
+else
+ # This message will appear when an update to core integration is made and this script is run at the same time as
+ # elasticsearch.enabled -> detects change to core index settings -> deletes estemplates.txt
+ echo "Elasticsearch may not be fully configured yet or is currently updating core index settings."
+ exit 0
+fi
diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml
index 41c50a96d..a0f509136 100644
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -10,6 +10,7 @@ elasticfleet:
 grid_enrollment: ''
 defend_filters:
 enable_auto_configuration: False
+ subscription_integrations: False
 logging:
 zeek:
 excluded:
diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja
new file mode 100644
index 000000000..9977856c4
--- /dev/null
+++ b/salt/elasticfleet/integration-defaults.map.jinja
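Review bot: `PENDING_UPDATE=true` is assigned inside the `cat … | jq … | while read` pipeline, so it is set in a subshell and the value after `done` is still `false`; the bug is masked because `if [ $PENDING_UPDATE ]` (and `if [ $SKIP_SUBSCRIPTION ]` above it) only tests that the string is non-empty, which holds for both `true` and `false`, so the "don't appear to need installation/updating" branch is unreachable and the subscription skip cannot be switched off. Feed the loop without a pipeline, `done < <(jq -c '.packages[]' "$INSTALLED_PACKAGE_LIST")`, and compare values explicitly: `if [[ "$PENDING_UPDATE" == "true" ]]; then` and `if [[ "$SKIP_SUBSCRIPTION" == "true" ]] && [[ "$subscription" != "basic" …`. The same `[ $PENDING_UPDATE ]` test is the context of the PATCH 04 hunk that uncomments the bulk install, so once that lands the bulk POST runs on every invocation regardless of the list contents. Separately, the work files are fixed names under /tmp that are opened with `>` and then handed to the Fleet API; `mktemp` would avoid following a pre-existing file or symlink placed there by another local user.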
@@ -0,0 +1,78 @@ +{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one + or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use + this file except in compliance with the Elastic License 2.0. #} + + +{% import_json '/opt/so/state/esfleet_package_components.json' as ADDON_PACKAGE_COMPONENTS %} +{% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %} +{% import_yaml 'elasticfleet/integration-defaults.yaml' as INTEGRATIONDEFAULTS %} + +{% set CORE_ESFLEET_PACKAGES = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %} +{% set ADDON_INTEGRATION_DEFAULTS = {} %} + +{% for pkg in ADDON_PACKAGE_COMPONENTS %} +{% if pkg.name in CORE_ESFLEET_PACKAGES %} +{# skip core integrations #} +{% elif pkg.name not in CORE_ESFLEET_PACKAGES %} +{# generate defaults for each integration #} +{% if pkg.es_index_patterns is defined and pkg.es_index_patterns is not none %} +{% for pattern in pkg.es_index_patterns %} +{% set integration_key = "so-logs-" ~ pkg.name ~ "_x_" ~ pattern.title %} +{% set integration_defaults = { + "index_sorting": false, + "index_template": { + "composed_of": ["logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@package", "logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@custom", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"], + "data_stream": { + "hidden": false, + "allow_custom_routing": false + }, + "ignore_missing_component_templates": ["logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@custom"], + "index_patterns": [pattern.name], + "priority": 501, + "template": { + "settings": { + "index": { + "lifecycle": {"name": "so-logs-" ~ pkg.name ~ "." 
~ pattern.title ~ "-logs"}, + "number_of_replicas": 0 + } + } + } + }, + "policy": { + "phases": { + "cold": { + "actions": { + "set_priority": {"priority": 0} + }, + "min_age": "60d" + }, + "delete": { + "actions": { + "delete": {} + }, + "min_age": "365d" + }, + "hot": { + "actions": { + "rollover": { + "max_age": "30d", + "max_primary_shard_size": "50gb" + }, + "set_priority": {"priority": 100} + }, + "min_age": "0ms" + }, + "warm": { + "actions": { + "set_priority": {"priority": 50} + }, + "min_age": "30d" + } + } + } + } %} +{% do ADDON_INTEGRATION_DEFAULTS.update({integration_key: integration_defaults}) %} +{% endfor %} +{% endif %} +{% endif %} +{% endfor %} \ No newline at end of file diff --git a/salt/elasticfleet/integration-defaults.yaml b/salt/elasticfleet/integration-defaults.yaml new file mode 100644 index 000000000..98bbd13b7 --- /dev/null +++ b/salt/elasticfleet/integration-defaults.yaml @@ -0,0 +1,46 @@ +so-logs-INTPLACEHOLDER_x_COMPLACEHOLDER: + index_sorting: False + index_template: + composed_of: + - "logs-INTPLACEHOLDER.COMPLACEHOLDER@package" + - "logs-INTPLACEHOLDER.COMPLACEHOLDER@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + data_stream: + hidden: false + allow_custom_routing: false + ignore_missing_COMPLACEHOLDER_templates: + - "logs-INTPLACEHOLDER.COMPLACEHOLDER@custom" + index_patterns: + - "logs-INTPLACEHOLDER.COMPLACEHOLDER-*" + priority: 501 + template: + settings: + index: + lifecycle: + name: "so-logs-INTPLACEHOLDER.COMPLACEHOLDER-logs" + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: "60d" + delete: + actions: + delete: {} + min_age: "365d" + hot: + actions: + rollover: + max_age: "30d" + max_primary_shard_size: "50gb" + set_priority: + priority: 100 + min_age: "0ms" + warm: + actions: + set_priority: + priority: 50 + min_age: "30d" \ No newline at end of file 
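Review bot: `import_json '/opt/so/state/esfleet_package_components.json'` is unconditional, but that file is only written by the new loader after its bulk-install path runs, and the only guard I can see (the template.map.jinja hunk below, which checks `/opt/so/state/estemplates.txt`) does not cover it, so the first render after estemplates.txt appears but before the loader has run would fail on the missing file. Guard on the file itself, e.g. `{% if salt['file.file_exists']('/opt/so/state/esfleet_package_components.json') %}` around the import (leaving `ADDON_INTEGRATION_DEFAULTS` empty otherwise), and apply the same check in template.map.jinja. `INTEGRATIONDEFAULTS` is imported from elasticfleet/integration-defaults.yaml and never used; the defaults are rebuilt inline here, so the two copies can drift. The `{% elif pkg.name not in CORE_ESFLEET_PACKAGES %}` branch is the exact complement of the `if`, so a plain `{% else %}` reads better.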
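Review bot: `ignore_missing_COMPLACEHOLDER_templates` looks like an over-eager placeholder substitution of the Elasticsearch index-template field `ignore_missing_component_templates`; anything that expands this file would emit an unknown key and lose the ignore-missing behaviour for the `@custom` component. Nothing in this commit consumes the file beyond the unused `import_yaml` in integration-defaults.map.jinja, so either drop it or have the map file build from it so there is a single source of truth. `index_sorting: False` also differs from the lowercase `false` used in the sibling map file and in the removed defaults.yaml entries.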
diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml
index 0b32628ea..7ca59401f 100644
--- a/salt/elasticfleet/soc_elasticfleet.yaml
+++ b/salt/elasticfleet/soc_elasticfleet.yaml
@@ -40,6 +40,11 @@ elasticfleet:
 global: True
 helpLink: elastic-fleet.html
 advanced: True
+ subscription_integrations:
+ description: Enable the installation of integrations that require an Elastic license.
+ global: True
+ forcedType: bool
+ helpLink: elastic-fleet.html
 server:
 custom_fqdn:
 description: Custom FQDN for Agents to connect to. One per line.
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
index 296e578fc..7e1e4b790 100644
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common
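Review bot: The description promises that enabling `subscription_integrations` installs license-requiring integrations, but nothing in this commit reads `elasticfleet:subscription_integrations`; the new loader hardcodes `SKIP_SUBSCRIPTION=true`, so the toggle is a no-op until the script derives that flag from the pillar. Until it is wired up, the text should describe what the setting does today, and naming the tier that is excluded would help operators, e.g. `description: Install Fleet integrations whose Elastic subscription requirement is above basic. Requires a matching Elastic license.`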
@@ -97,11 +97,20 @@ elastic_fleet_package_install() { curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"force":true}' "localhost:5601/api/fleet/epm/packages/$PKG/$VERSION" } +elastic_fleet_bulk_package_install() { + BULK_PKG_LIST=$1 + curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d@$1 "localhost:5601/api/fleet/epm/packages/_bulk" +} + elastic_fleet_package_is_installed() { PACKAGE=$1 curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.status' } +elastic_fleet_installed_packages() { + curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET -H 'kbn-xsrf: true' -H 'Content-Type: application/json' "localhost:5601/api/fleet/epm/packages/installed?perPage=300" +} + elastic_fleet_agent_policy_ids() { curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies" | jq -r .items[].id if [ $? -ne 0 ]; then diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list b/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list index 7e68c6e83..a52920a42 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list 
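Review bot: In `elastic_fleet_bulk_package_install`, `BULK_PKG_LIST=$1` is assigned but the curl still uses the bare `-d@$1`, so the variable is dead and the path is unquoted; use `-d "@$BULK_PKG_LIST"`. `elastic_fleet_installed_packages` caps the listing at `perPage=300` with no paging, so a grid with more installed packages than that would silently produce an incomplete `esfleet_package_components.json` and therefore missing index templates; either page through the results or fail loudly when the returned item count reaches the cap. Both new functions discard the HTTP outcome, unlike `elastic_fleet_agent_policy_ids` below which at least checks `$?`; returning a non-zero status on a failed POST would let the loader stop instead of writing the components file.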
@@ -10,6 +10,6 @@ SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') # List configured package policies -curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages" -H 'kbn-xsrf: true' | jq +curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages?prerelease=true" -H 'kbn-xsrf: true' | jq echo diff --git a/salt/elasticsearch/integration-templates.map.jinja b/salt/elasticsearch/integration-templates.map.jinja new file mode 100644 index 000000000..59a9222c5 --- /dev/null +++ b/salt/elasticsearch/integration-templates.map.jinja 
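Review bot: Adding `?prerelease=true` makes this listing include prerelease packages, but the loader that consumes its output in this same commit (so-elastic-fleet-optional-integrations-load) states `# Package_list contains all NON-beta integrations.` and applies no release filter, so beta packages will be added to the bulk install. Either that comment should change or the loader should filter on release status before installing. The pre-existing `# List configured package policies` comment is also inaccurate for a packages listing; `# List all Fleet packages known to the registry, including prerelease versions` would match the call.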
@@ -0,0 +1,110 @@ +{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one + or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at + https://securityonion.net/license; you may not use this file except in compliance with the + Elastic License 2.0. #} + +{% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %} +{% set packages = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %} +{% set INTEGRATION_INDEX_SETTINGS = {} %} + + +{% set default_settings = { + 'index_sorting': false, + 'index_template': { + 'data_stream': { + 'allow_custom_routing': false, + 'hidden': false + }, + 'priority': 501, + 'template': { + 'settings': { + 'index': { + 'number_of_replicas': 0 + } + } + } + }, + 'policy': { + 'phases': { + 'cold': { + 'actions': { + 'set_priority': { + 'priority': 0 + } + }, + 'min_age': '60d' + }, + 'delete': { + 'actions': { + 'delete': {} + }, + 'min_age': '365d' + }, + 'hot': { + 'actions': { + 'rollover':{ + 'max_age': '30d', + 'max_primary_shard_size': '50gb' + }, + 'set_priority': { + 'priority': 100 + } + }, + 'min_age': '0ms' + }, + 'warm': { + 'actions': { + 'set_priority': { + 'priority': 50 + } + }, + 'min_age': '30d' + } + } + } +} %} + +{# Create template for each package component from elasticfleet/defaults.yaml #} +{% for package in packages %} + {% for pkg_name, components in package.items() %} + {% if components is not none %} + {% for component in components %} + {% set component_dot = component.replace('_x_', '.') %} + {% set template_name = 'so-logs-' ~ component %} + + {% set template = { + 'index_sorting': default_settings.index_sorting, + 'index_template': { + 'composed_of': [ + 'logs-' ~ component_dot ~ '@package', + 'logs-' ~ component_dot ~ '@custom', + 'so-fleet-_globals-1', + 'so-fleet_agent_id_verification-1' + ], + 'data_stream': default_settings.index_template.data_stream, + 'ignore_missing_component_templates': [ + 'logs-' 
~ component_dot ~ '@custom' + ], + 'index_patterns': [ + 'logs-' ~ component_dot ~ '-*' + ], + 'priority': default_settings.index_template.priority, + 'template': { + 'settings': { + 'index': { + 'lifecycle': { + 'name': 'so-logs-' ~ component_dot ~ '-logs' + }, + 'number_of_replicas': default_settings.index_template.template.settings.index.number_of_replicas + } + } + } + }, + 'policy': default_settings.policy + } %} + + {% do INTEGRATION_INDEX_SETTINGS.update({template_name: template}) %} + {% endfor %} + {% endif %} + {% endfor %} +{% endfor %} \ No newline at end of file diff --git a/salt/elasticsearch/template.map.jinja b/salt/elasticsearch/template.map.jinja index 507ea533d..c53349f18 100644 --- a/salt/elasticsearch/template.map.jinja +++ b/salt/elasticsearch/template.map.jinja @@ -14,6 +14,15 @@ {% set ES_INDEX_SETTINGS_ORIG = ELASTICSEARCHDEFAULTS.elasticsearch.index_settings %} +{# start generation of integration default index_settings #} +{% if salt['file.file_exists']('/opt/so/state/estemplates.txt') %} +{% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %} +{% for index, settings in ADDON_INTEGRATION_DEFAULTS.items() %} +{% do ES_INDEX_SETTINGS_ORIG.update({index: settings}) %} +{% endfor %} +{% endif %} +{# end generation of integration default index_settings #} + {% set ES_INDEX_SETTINGS_GLOBAL_OVERRIDES = {} %} {% for index in ES_INDEX_SETTINGS_ORIG.keys() %} {% do ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.update({index: salt['defaults.merge'](ELASTICSEARCHDEFAULTS.elasticsearch.index_settings[index], PILLAR_GLOBAL_OVERRIDES, in_place=False)}) %} From cdd4a1ff1fb6b6fc2c7b95651593746713d8b795 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 3 Jan 2025 16:06:22 -0600 Subject: [PATCH 04/38] fixes addon integration map file 
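Review bot: `'so-fleet-_globals-1'` in `composed_of` has a stray `-` compared with `so-fleet_globals-1` used in the sibling integration-defaults.map.jinja and in the removed defaults.yaml entries, so every generated template would reference a component template that does not exist. The loop also calls `package.items()` on each entry of `elasticfleet:packages`, which in elasticfleet/defaults.yaml is a list of plain strings (`- elastic_agent`, …), so the render would fail before the typo matters. PATCH 04 in this series deletes this file, so both points apply only if it is kept.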
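Review bot: The `ES_INDEX_SETTINGS_ORIG.update(...)` calls only reach the loop below because `ES_INDEX_SETTINGS_ORIG` aliases `ELASTICSEARCHDEFAULTS.elasticsearch.index_settings`, which that loop indexes directly, and this dependence is not stated anywhere. A comment such as `{# ES_INDEX_SETTINGS_ORIG is the same dict object as ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, so the add-on entries inserted here are visible to the merge loop below #}` would stop a later refactor from replacing the alias with a copy and silently dropping the add-on templates. The merge loop that depends on this continues past the hunk.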
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- .../integration-defaults.map.jinja | 66 ++++++- ...o-elastic-fleet-optional-integrations-load | 2 +- salt/elasticsearch/defaults.yaml | 184 ------------------ salt/elasticsearch/enabled.sls | 11 +- .../integration-templates.map.jinja | 110 ----------- salt/elasticsearch/template.map.jinja | 2 +- 6 files changed, 70 insertions(+), 305 deletions(-) rename salt/{elastic-fleet-package-registry/tools => elasticfleet/tools/sbin}/so-elastic-fleet-optional-integrations-load (98%) delete mode 100644 salt/elasticsearch/integration-templates.map.jinja diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja index 9977856c4..0de400b26 100644 --- a/salt/elasticfleet/integration-defaults.map.jinja +++ b/salt/elasticfleet/integration-defaults.map.jinja 
@@ -10,6 +10,44 @@ {% set CORE_ESFLEET_PACKAGES = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %} {% set ADDON_INTEGRATION_DEFAULTS = {} %} +{# Some fleet integrations don't follow the standard naming convention #} +{% set WEIRD_INTEGRATIONS = { + 'awsfirehose.logs': 'awsfirehose', + 'cribl.logs': 'cribl', + 'sentinel_one_cloud_funnel.logins': 'sentinel_one_cloud_funnel.login', + 'azure_application_insights.app_insights': 'azure.app_insights', + 'azure_application_insights.app_state': 'azure.app_state', + 'azure_billing.billing': 'azure.billing', + 'azure_functions.metrics': 'azure.function', + 'azure_metrics.compute_vm_scaleset': 'azure.compute_vm_scaleset', + 'azure_metrics.compute_vm': 'azure.compute_vm', + 'azure_metrics.container_instance': 'azure.container_instance', + 'azure_metrics.container_registry': 'azure.container_registry', + 'azure_metrics.container_service': 'azure.container_service', + 'azure_metrics.database_account': 'azure.database_account', + 'azure_metrics.monitor': 'azure.monitor', + 'azure_metrics.storage_account': 'azure.storage_account', + 'azure_openai.metrics': 'azure.open_ai', + 'beat.state': 'beats.stack_monitoring.state', + 'beat.stats': 'beats.stack_monitoring.stats', + 'enterprisesearch.health': 'enterprisesearch.stack_monitoring.health', + 'enterprisesearch.stats': 'enterprisesearch.stack_monitoring.stats', + 'kibana.cluster_actions': 'kibana.stack_monitoring.cluster_actions', + 'kibana.cluster_rules': 'kibana.stack_monitoring.cluster_rules', + 'kibana.node_actions': 'kibana.stack_monitoring.node_actions', + 'kibana.node_rules': 'kibana.stack_monitoring.node_rules', + 'kibana.stats': 'kibana.stack_monitoring.stats', + 'kibana.status': 'kibana.stack_monitoring.status', + 'logstash.node_cel': 'logstash.stack_monitoring.node', + 'logstash.node_stats': 'logstash.stack_monitoring.node_stats', + 'synthetics.browser': 'synthetics-browser', + 'synthetics.browser_network': 'synthetics-browser.network', + 
'synthetics.browser_screenshot': 'synthetics-browser.screenshot', + 'synthetics.http': 'synthetics-http', + 'synthetics.icmp': 'synthetics-icmp', + 'synthetics.tcp': 'synthetics-tcp' + } %} + {% for pkg in ADDON_PACKAGE_COMPONENTS %} {% if pkg.name in CORE_ESFLEET_PACKAGES %} {# skip core integrations #} 
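Review bot: The `WEIRD_INTEGRATIONS` comment says only that some integrations do not follow the naming convention; from its use further down, the key is `<pkg.name>.<pattern.title>` as reported by Fleet and the value is the dataset name substituted for `component_name` when building `composed_of`, the lifecycle name and the `so-*` key. Stating that in the comment, e.g. `{# key: <pkg.name>.<pattern.title> from the Fleet installed-packages listing; value: the dataset name the package's component templates and data streams actually use, substituted for the key when building composed_of/ILM/so-* names #}`, tells the next person how to add an entry. The `for pkg in ADDON_PACKAGE_COMPONENTS` loop begins in this hunk's trailing context and continues beyond it.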
@@ -17,22 +55,36 @@
 {# generate defaults for each integration #}
 {% if pkg.es_index_patterns is defined and pkg.es_index_patterns is not none %}
 {% for pattern in pkg.es_index_patterns %}
-{% set integration_key = "so-logs-" ~ pkg.name ~ "_x_" ~ pattern.title %}
-{% set integration_defaults = {
+{% if "metrics-" in pattern.name %}
+{% set integration_type = "metrics-" %}
+{% elif "logs-" in pattern.name %}
+{% set integration_type = "logs-" %}
+{% else %}
+{% set integration_type = "" %}
+{% endif %}
+{% set component_name = pkg.name ~ "." ~ pattern.title %}
+{# fix weirdly named components #}
+{% if component_name in WEIRD_INTEGRATIONS %}
+{% set component_name = WEIRD_INTEGRATIONS[component_name] %}
+{% endif %}
+{% set integration_key = "so-" ~ integration_type ~ component_name %}
+
+{# Default integration settings #}
+{% set integration_defaults = {
 "index_sorting": false,
 "index_template": {
- "composed_of": ["logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@package", "logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@custom", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"],
+ "composed_of": [integration_type ~ component_name ~ "@package", integration_type ~ component_name ~ "@custom", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"],
 "data_stream": {
- "hidden": false,
- "allow_custom_routing": false
+ "allow_custom_routing": false,
+ "hidden": false
 },
- "ignore_missing_component_templates": ["logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@custom"],
+ "ignore_missing_component_templates": [integration_type ~ component_name ~ "@custom"],
 "index_patterns": [pattern.name],
 "priority": 501,
 "template": {
 "settings": {
 "index": {
- "lifecycle": {"name": "so-logs-" ~ pkg.name ~ "." ~ pattern.title ~ "-logs"},
+ "lifecycle": {"name": "so-" ~ integration_type ~ component_name ~ "-logs"},
 "number_of_replicas": 0
 }
 }
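Review bot: `{% if "metrics-" in pattern.name %}` and the `elif` below it are substring tests, so any `logs-…` pattern whose dataset name happens to contain `metrics-` would be classified as metrics and get the wrong prefix in `integration_key`, `composed_of`, `ignore_missing_component_templates` and the lifecycle name; the `index_patterns` context line shows `pattern.name` is the data stream pattern itself, so a prefix test expresses the intent: `{% if pattern.name.startswith("metrics-") %}` / `{% elif pattern.name.startswith("logs-") %}`. The empty `integration_type` fallback is silent and reads like an oversight; a comment such as `{# no prefix: the component name already carries it, e.g. the synthetics-* streams mapped above #}` would make it deliberate (presumably that is what it is for). The enclosing `for pattern` loop and the `integration_defaults` dictionary both continue past the end of the hunk.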
diff --git a/salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load
similarity index 98%
rename from salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load
rename to salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load
index d94b006ad..5fa14c5fc 100644
--- a/salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load
@@ -78,7 +78,7 @@ if [[ -f $STATE_FILE_SUCCESS ]]; then
 if [ $PENDING_UPDATE ]; then
 # Run bulk install of packages
- # elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST
+ elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST
 # Write out file for generating index/component/ilm templates
 latest_installed_package_list=$(elastic_fleet_installed_packages)
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index e7a9a286c..32d9c431e 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
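Review bot: The re-enabled `elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST` has its exit status ignored: execution falls through to `latest_installed_package_list=$(elastic_fleet_installed_packages)` and, per the comment, to writing the file the templates are generated from, even when the bulk install failed (unless the function exits on error itself; its body is outside the hunk). Suggested: `elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST || { echo "bulk package install failed" >&2; exit 1; }`, or gate the write on the return code. The unquoted `$BULK_INSTALL_PACKAGE_LIST` presumably relies on word splitting to pass a list; a comment saying so would stop it being "fixed" with quotes later. The surrounding `if [ $PENDING_UPDATE ]` block opens and closes outside the hunk.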
@@ -3297,190 +3297,6 @@ elasticsearch:
 index:
 mode: time_series
 number_of_replicas: 0
- so-metrics-nginx_x_stubstatus:
- index_sorting: false
- index_template:
- composed_of:
- - metrics-nginx.stubstatus@package
- - metrics-nginx.stubstatus@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - metrics-nginx.stubstatus@custom
- index_patterns:
- - metrics-nginx.stubstatus-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-metrics-nginx.stubstatus-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-metrics-vsphere_x_datastore:
- index_sorting: false
- index_template:
- composed_of:
- - metrics-vsphere.datastore@package
- - metrics-vsphere.datastore@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - metrics-vsphere.datastore@custom
- index_patterns:
- - metrics-vsphere.datastore-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-metrics-vsphere.datastore-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-metrics-vsphere_x_host:
- index_sorting: false
- index_template:
- composed_of:
- - metrics-vsphere.host@package
- - metrics-vsphere.host@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - metrics-vsphere.host@custom
- index_patterns:
- - metrics-vsphere.host-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-metrics-vsphere.host-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
- so-metrics-vsphere_x_virtualmachine:
- index_sorting: false
- index_template:
- composed_of:
- - metrics-vsphere.virtualmachine@package
- - metrics-vsphere.virtualmachine@custom
- - so-fleet_globals-1
- - so-fleet_agent_id_verification-1
- data_stream:
- allow_custom_routing: false
- hidden: false
- ignore_missing_component_templates:
- - metrics-vsphere.virtualmachine@custom
- index_patterns:
- - metrics-vsphere.virtualmachine-*
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: so-metrics-vsphere.virtualmachine-logs
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: 60d
- delete:
- actions:
- delete: {}
- min_age: 365d
- hot:
- actions:
- rollover:
- max_age: 30d
- max_primary_shard_size: 50gb
- set_priority:
- priority: 100
- min_age: 0ms
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: 30d
 so-redis:
 index_sorting: false
 index_template:
diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls
index 48280c506..fb3f877df 100644
--- a/salt/elasticsearch/enabled.sls
+++ b/salt/elasticsearch/enabled.sls
@@ -151,7 +151,7 @@ es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
 {% endfor %}
 {% endif %}
-{% if GLOBALS.role in GLOBALS.manager_roles %}
+{% if GLOBALS.role in GLOBALS.manager_roles %}
 so-es-cluster-settings:
 cmd.run:
 - name: /usr/sbin/so-elasticsearch-cluster-settings
@@ -160,7 +160,7 @@ so-es-cluster-settings:
 - require:
 - docker_container: so-elasticsearch
 - file: elasticsearch_sbin_jinja
-{% endif %}
+{% endif %}
 so-elasticsearch-ilm-policy-load:
 cmd.run:
@@ -172,6 +172,13 @@ so-elasticsearch-ilm-policy-load:
 - onchanges:
 - file: so-elasticsearch-ilm-policy-load-script
+configure-addon-fleet-integrations:
+ cmd.run:
+ - name: /usr/sbin/so-elastic-fleet-optional-integrations-load
+ - cwd: /opt/so
+ - require:
+ - docker_container: so-elasticsearch
+
 so-elasticsearch-templates-reload:
 file.absent:
 - name: /opt/so/state/estemplates.txt
diff --git a/salt/elasticsearch/integration-templates.map.jinja b/salt/elasticsearch/integration-templates.map.jinja
deleted file mode 100644
index 59a9222c5..000000000
--- a/salt/elasticsearch/integration-templates.map.jinja
+++ /dev/null
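Review bot: `configure-addon-fleet-integrations` is a plain `cmd.run` with no `onchanges`, `unless` or `creates`, so `/usr/sbin/so-elastic-fleet-optional-integrations-load` runs and is reported as changed on every highstate; idempotence appears to rest on the script's own `STATE_FILE_SUCCESS` check seen in its hunk, and a comment on the state should say so: `# runs every highstate; the script short-circuits on its own success marker`. The state requires only `docker_container: so-elasticsearch`, while the script's bulk install presumably goes through the Fleet API served by Kibana; if that is right, applies made before Kibana is ready would fail each time, and adding the Kibana container to `require` or an `onlyif` readiness check would avoid the noise.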
@@ -1,110 +0,0 @@
-{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
- or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
- https://securityonion.net/license; you may not use this file except in compliance with the
- Elastic License 2.0. #}
-
-{% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %}
-{% set packages = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %}
-{% set INTEGRATION_INDEX_SETTINGS = {} %}
-
-
-{% set default_settings = {
- 'index_sorting': false,
- 'index_template': {
- 'data_stream': {
- 'allow_custom_routing': false,
- 'hidden': false
- },
- 'priority': 501,
- 'template': {
- 'settings': {
- 'index': {
- 'number_of_replicas': 0
- }
- }
- }
- },
- 'policy': {
- 'phases': {
- 'cold': {
- 'actions': {
- 'set_priority': {
- 'priority': 0
- }
- },
- 'min_age': '60d'
- },
- 'delete': {
- 'actions': {
- 'delete': {}
- },
- 'min_age': '365d'
- },
- 'hot': {
- 'actions': {
- 'rollover':{
- 'max_age': '30d',
- 'max_primary_shard_size': '50gb'
- },
- 'set_priority': {
- 'priority': 100
- }
- },
- 'min_age': '0ms'
- },
- 'warm': {
- 'actions': {
- 'set_priority': {
- 'priority': 50
- }
- },
- 'min_age': '30d'
- }
- }
- }
-} %}
-
-{# Create template for each package component from elasticfleet/defaults.yaml #}
-{% for package in packages %}
- {% for pkg_name, components in package.items() %}
- {% if components is not none %}
- {% for component in components %}
- {% set component_dot = component.replace('_x_', '.') %}
- {% set template_name = 'so-logs-' ~ component %}
-
- {% set template = {
- 'index_sorting': default_settings.index_sorting,
- 'index_template': {
- 'composed_of': [
- 'logs-' ~ component_dot ~ '@package',
- 'logs-' ~ component_dot ~ '@custom',
- 'so-fleet-_globals-1',
- 'so-fleet_agent_id_verification-1'
- ],
- 'data_stream': default_settings.index_template.data_stream,
- 'ignore_missing_component_templates': [
- 'logs-' ~ component_dot ~ '@custom'
- ],
- 'index_patterns': [
- 'logs-' ~ component_dot ~ '-*'
- ],
- 'priority': default_settings.index_template.priority,
- 'template': {
- 'settings': {
- 'index': {
- 'lifecycle': {
- 'name': 'so-logs-' ~ component_dot ~ '-logs'
- },
- 'number_of_replicas': default_settings.index_template.template.settings.index.number_of_replicas
- }
- }
- }
- },
- 'policy': default_settings.policy
- } %}
-
- {% do INTEGRATION_INDEX_SETTINGS.update({template_name: template}) %}
- {% endfor %}
- {% endif %}
- {% endfor %}
-{% endfor %}
\ No newline at end of file
diff --git a/salt/elasticsearch/template.map.jinja b/salt/elasticsearch/template.map.jinja
index c53349f18..c1ff2cb24 100644
--- a/salt/elasticsearch/template.map.jinja
+++ b/salt/elasticsearch/template.map.jinja
@@ -15,7 +15,7 @@
 {% set ES_INDEX_SETTINGS_ORIG = ELASTICSEARCHDEFAULTS.elasticsearch.index_settings %}
 {# start generation of integration default index_settings #}
-{% if salt['file.file_exists']('/opt/so/state/estemplates.txt') %}
+{% if salt['file.file_exists']('/opt/so/state/esfleet_package_components.json') %}
 {% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %}
 {% for index, settings in ADDON_INTEGRATION_DEFAULTS.items() %}
 {% do ES_INDEX_SETTINGS_ORIG.update({index: settings}) %}
From 9fe3f6042fec1b65aeaa8809dc4fc1a352434e26 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 6 Jan 2025 10:44:22 -0600
Subject: [PATCH 05/38] Remove individual integrations ip mappings component template. Replaced with global mappings
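Review bot: `salt['file.file_exists'](...)` on the changed line is evaluated while the SLS is rendered, before any state executes, so during the highstate in which `/opt/so/state/esfleet_package_components.json` is first written the integration defaults are still skipped and only appear on the next render; if that is accepted, say so: `{# render-time check: integration defaults are picked up on the highstate after the components file first appears #}`. The path is also a literal contract with whatever writes the file; naming the producer in that comment would help, and the loader script's "Write out file for generating index/component/ilm templates" step earlier in this series looks like it, though its output path is not shown. The `if` block this line opens closes outside the hunk.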
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- .../integration-defaults.map.jinja | 2 +- .../logs-1password.item_usages@custom.json | 36 ------------------ ...logs-1password.signin_attempts@custom.json | 36 ------------------ .../logs-apache.access@custom.json | 36 ------------------ .../logs-apache.error@custom.json | 36 ------------------ .../elastic-agent/logs-auditd.log@custom.json | 36 ------------------ .../elastic-agent/logs-auth0.logs@custom.json | 36 ------------------ .../logs-aws.cloudfront_logs@custom.json | 36 ------------------ .../logs-aws.cloudtrail@custom.json | 36 ------------------ .../logs-aws.cloudwatch_logs@custom.json | 36 ------------------ .../logs-aws.ec2_logs@custom.json | 36 ------------------ .../logs-aws.elb_logs@custom.json | 36 ------------------ .../logs-aws.firewall_logs@custom.json | 36 ------------------ .../logs-aws.guardduty@custom.json | 36 ------------------ .../logs-aws.inspector@custom.json | 36 ------------------ .../logs-aws.route53_public_logs@custom.json | 36 ------------------ ...logs-aws.route53_resolver_logs@custom.json | 36 ------------------ .../logs-aws.s3access@custom.json | 36 ------------------ .../logs-aws.securityhub_findings@custom.json | 36 ------------------ .../logs-aws.securityhub_insights@custom.json | 36 ------------------ .../logs-aws.vpcflow@custom.json | 36 ------------------ .../elastic-agent/logs-aws.waf@custom.json | 36 ------------------ .../logs-azure.activitylogs@custom.json | 36 ------------------ ...logs-azure.application_gateway@custom.json | 36 ------------------ .../logs-azure.auditlogs@custom.json | 36 ------------------ .../logs-azure.eventhub@custom.json | 36 ------------------ .../logs-azure.firewall_logs@custom.json | 36 ------------------ ...logs-azure.identity_protection@custom.json | 36 ------------------ .../logs-azure.platformlogs@custom.json | 36 ------------------ .../logs-azure.provisioning@custom.json | 36 ------------------ 
.../logs-azure.signinlogs@custom.json | 36 ------------------ .../logs-azure.springcloudlogs@custom.json | 36 ------------------ .../logs-barracuda.waf@custom.json | 36 ------------------ ...arracuda_cloudgen_firewall.log@custom.json | 36 ------------------ .../logs-carbonblack_edr.log@custom.json | 36 ------------------ .../elastic-agent/logs-cef.log@custom.json | 36 ------------------ .../logs-checkpoint.firewall@custom.json | 36 ------------------ .../logs-cisco_asa.log@custom.json | 36 ------------------ .../logs-cisco_duo.admin@custom.json | 36 ------------------ .../logs-cisco_duo.auth@custom.json | 36 ------------------ ...s-cisco_duo.offline_enrollment@custom.json | 36 ------------------ .../logs-cisco_duo.summary@custom.json | 36 ------------------ .../logs-cisco_duo.telephony@custom.json | 36 ------------------ .../logs-cisco_ftd.log@custom.json | 36 ------------------ .../logs-cisco_ios.log@custom.json | 36 ------------------ .../logs-cisco_ise.log@custom.json | 36 ------------------ .../logs-cisco_meraki.events@custom.json | 36 ------------------ .../logs-cisco_meraki.log@custom.json | 36 ------------------ ...cisco_secure_email_gateway.log@custom.json | 36 ------------------ .../logs-cisco_umbrella.log@custom.json | 36 ------------------ .../logs-citrix_adc.interface@custom.json | 36 ------------------ .../logs-citrix_adc.lbvserver@custom.json | 36 ------------------ .../logs-citrix_adc.service@custom.json | 36 ------------------ .../logs-citrix_adc.system@custom.json | 36 ------------------ .../logs-citrix_adc.vpn@custom.json | 36 ------------------ .../logs-citrix_waf.log@custom.json | 36 ------------------ .../logs-cloudflare.audit@custom.json | 36 ------------------ .../logs-cloudflare.logpull@custom.json | 36 ------------------ .../logs-crowdstrike.alert@custom.json | 36 ------------------ .../logs-crowdstrike.falcon@custom.json | 36 ------------------ .../logs-crowdstrike.fdr@custom.json | 36 ------------------ 
.../logs-crowdstrike.host@custom.json | 36 ------------------ ...ogs-darktrace.ai_analyst_alert@custom.json | 36 ------------------ ...s-darktrace.model_breach_alert@custom.json | 36 ------------------ ...-darktrace.system_status_alert@custom.json | 36 ------------------ .../logs-f5_bigip.log@custom.json | 36 ------------------ .../elastic-agent/logs-fim.event@custom.json | 36 ------------------ .../elastic-agent/logs-fireeye.nx@custom.json | 36 ------------------ .../logs-fortinet.clientendpoint@custom.json | 36 ------------------ .../logs-fortinet.firewall@custom.json | 36 ------------------ .../logs-fortinet.fortimail@custom.json | 36 ------------------ .../logs-fortinet.fortimanager@custom.json | 36 ------------------ .../logs-fortinet_fortigate.log@custom.json | 36 ------------------ .../elastic-agent/logs-gcp.audit@custom.json | 36 ------------------ .../elastic-agent/logs-gcp.dns@custom.json | 36 ------------------ .../logs-gcp.firewall@custom.json | 36 ------------------ .../logs-gcp.loadbalancing_logs@custom.json | 36 ------------------ .../logs-gcp.vpcflow@custom.json | 36 ------------------ .../logs-github.audit@custom.json | 36 ------------------ .../logs-github.code_scanning@custom.json | 36 ------------------ .../logs-github.dependabot@custom.json | 36 ------------------ .../logs-github.issues@custom.json | 36 ------------------ .../logs-github.secret_scanning@custom.json | 36 ------------------ ..._workspace.access_transparency@custom.json | 36 ------------------ .../logs-google_workspace.admin@custom.json | 36 ------------------ .../logs-google_workspace.alert@custom.json | 36 ------------------ ...workspace.context_aware_access@custom.json | 36 ------------------ .../logs-google_workspace.device@custom.json | 36 ------------------ .../logs-google_workspace.drive@custom.json | 36 ------------------ .../logs-google_workspace.gcp@custom.json | 36 ------------------ ...gle_workspace.group_enterprise@custom.json | 36 ------------------ 
.../logs-google_workspace.groups@custom.json | 36 ------------------ .../logs-google_workspace.login@custom.json | 36 ------------------ .../logs-google_workspace.rules@custom.json | 36 ------------------ .../logs-google_workspace.saml@custom.json | 36 ------------------ .../logs-google_workspace.token@custom.json | 36 ------------------ ...google_workspace.user_accounts@custom.json | 36 ------------------ .../elastic-agent/logs-iis.access@custom.json | 36 ------------------ .../elastic-agent/logs-iis.error@custom.json | 36 ------------------ .../logs-imperva_cloud_waf.event@custom.json | 36 ------------------ .../logs-juniper.junos@custom.json | 36 ------------------ .../logs-juniper.netscreen@custom.json | 36 ------------------ .../logs-juniper.srx@custom.json | 36 ------------------ .../logs-juniper_srx.log@custom.json | 36 ------------------ .../logs-kafka_log.generic@custom.json | 36 ------------------ ...astpass.detailed_shared_folder@custom.json | 36 ------------------ .../logs-lastpass.event_report@custom.json | 36 ------------------ .../logs-lastpass.user@custom.json | 36 ------------------ .../logs-m365_defender.event@custom.json | 36 ------------------ .../logs-m365_defender.incident@custom.json | 36 ------------------ .../logs-m365_defender.log@custom.json | 36 ------------------ ...icrosoft_defender_endpoint.log@custom.json | 36 ------------------ .../logs-microsoft_dhcp.log@custom.json | 36 ------------------ ...logs-microsoft_sqlserver.audit@custom.json | 36 ------------------ .../logs-microsoft_sqlserver.log@custom.json | 36 ------------------ .../logs-mimecast.audit_events@custom.json | 36 ------------------ .../logs-mimecast.dlp_logs@custom.json | 36 ------------------ .../logs-mimecast.siem_logs@custom.json | 36 ------------------ ....threat_intel_malware_customer@custom.json | 36 ------------------ ...cast.threat_intel_malware_grid@custom.json | 36 ------------------ .../logs-mimecast.ttp_ap_logs@custom.json | 36 ------------------ 
.../logs-mimecast.ttp_ip_logs@custom.json | 36 ------------------ .../logs-mimecast.ttp_url_logs@custom.json | 36 ------------------ .../logs-mysql.error@custom.json | 36 ------------------ .../logs-mysql.slowlog@custom.json | 36 ------------------ .../logs-netflow.log@custom.json | 36 ------------------ .../logs-nginx.access@custom.json | 36 ------------------ .../logs-nginx.error@custom.json | 36 ------------------ .../elastic-agent/logs-o365.audit@custom.json | 36 ------------------ .../logs-okta.system@custom.json | 36 ------------------ .../elastic-agent/logs-panw.panos@custom.json | 36 ------------------ .../logs-pfsense.log@custom.json | 36 ------------------ ...-proofpoint_tap.clicks_blocked@custom.json | 36 ------------------ ...roofpoint_tap.clicks_permitted@custom.json | 36 ------------------ ...proofpoint_tap.message_blocked@custom.json | 36 ------------------ ...oofpoint_tap.message_delivered@custom.json | 36 ------------------ .../logs-pulse_connect_secure.log@custom.json | 36 ------------------ .../logs-sentinel_one.activity@custom.json | 36 ------------------ .../logs-sentinel_one.agent@custom.json | 36 ------------------ .../logs-sentinel_one.alert@custom.json | 36 ------------------ .../logs-sentinel_one.group@custom.json | 36 ------------------ .../logs-sentinel_one.threat@custom.json | 36 ------------------ .../elastic-agent/logs-snort.log@custom.json | 36 ------------------ .../elastic-agent/logs-snyk.audit@custom.json | 36 ------------------ .../logs-snyk.vulnerabilities@custom.json | 36 ------------------ .../logs-sonicwall_firewall.log@custom.json | 36 ------------------ .../elastic-agent/logs-sophos.utm@custom.json | 36 ------------------ .../elastic-agent/logs-sophos.xg@custom.json | 36 ------------------ .../logs-sophos_central.alert@custom.json | 36 ------------------ .../logs-sophos_central.event@custom.json | 36 ------------------ .../logs-symantec_endpoint.log@custom.json | 36 ------------------ .../logs-tenable_io.asset@custom.json | 
36 ------------------ .../logs-tenable_io.plugin@custom.json | 36 ------------------ .../logs-tenable_io.scan@custom.json | 36 ------------------ .../logs-tenable_io.vulnerability@custom.json | 36 ------------------ .../logs-tenable_sc.asset@custom.json | 36 ------------------ .../logs-tenable_sc.plugin@custom.json | 36 ------------------ .../logs-tenable_sc.vulnerability@custom.json | 36 ------------------ .../logs-ti_abusech.malware@custom.json | 36 ------------------ .../logs-ti_abusech.malwarebazaar@custom.json | 36 ------------------ .../logs-ti_abusech.threatfox@custom.json | 36 ------------------ .../logs-ti_abusech.url@custom.json | 36 ------------------ .../logs-ti_anomali.threatstream@custom.json | 36 ------------------ .../logs-ti_cybersixgill.threat@custom.json | 36 ------------------ .../logs-ti_misp.threat@custom.json | 36 ------------------ ...logs-ti_misp.threat_attributes@custom.json | 36 ------------------ .../logs-ti_opencti.indicator@custom.json | 36 ------------------ .../logs-ti_otx.pulses_subscribed@custom.json | 36 ------------------ .../logs-ti_otx.threat@custom.json | 36 ------------------ ...ti_rapid7_threat_command.alert@custom.json | 36 ------------------ ...s-ti_rapid7_threat_command.ioc@custom.json | 36 ------------------ ...7_threat_command.vulnerability@custom.json | 36 ------------------ ...rdedfuture.latest_ioc-template@custom.json | 36 ------------------ .../logs-ti_recordedfuture.threat@custom.json | 36 ------------------ .../logs-ti_threatq.threat@custom.json | 36 ------------------ ...s-trend_micro_vision_one.alert@custom.json | 36 ------------------ ...s-trend_micro_vision_one.audit@custom.json | 36 ------------------ ...end_micro_vision_one.detection@custom.json | 36 ------------------ .../logs-trendmicro.deep_security@custom.json | 36 ------------------ .../logs-vsphere.log@custom.json | 36 ------------------ .../logs-zscaler_zia.alerts@custom.json | 36 ------------------ .../logs-zscaler_zia.dns@custom.json | 36 
------------------ .../logs-zscaler_zia.firewall@custom.json | 36 ------------------ .../logs-zscaler_zia.tunnel@custom.json | 36 ------------------ .../logs-zscaler_zia.web@custom.json | 36 ------------------ ...caler_zpa.app_connector_status@custom.json | 36 ------------------ .../logs-zscaler_zpa.audit@custom.json | 36 ------------------ ...ogs-zscaler_zpa.browser_access@custom.json | 36 ------------------ ...logs-zscaler_zpa.user_activity@custom.json | 36 ------------------ .../logs-zscaler_zpa.user_status@custom.json | 36 ------------------ .../so-fleet_integrations.ip_mappings.json | 37 +++++++++++++++++++ 191 files changed, 38 insertions(+), 6805 deletions(-) delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-1password.item_usages@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-1password.signin_attempts@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-apache.access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-apache.error@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-auditd.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-auth0.logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudfront_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudtrail@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudwatch_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.ec2_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.elb_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.firewall_logs@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-aws.guardduty@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.inspector@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_public_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_resolver_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.s3access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_findings@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_insights@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.vpcflow@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.waf@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.activitylogs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.application_gateway@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.auditlogs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.eventhub@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.firewall_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.identity_protection@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.platformlogs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.provisioning@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.signinlogs@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-azure.springcloudlogs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-barracuda.waf@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-barracuda_cloudgen_firewall.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-carbonblack_edr.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cef.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-checkpoint.firewall@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_asa.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.admin@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.auth@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.offline_enrollment@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.summary@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.telephony@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ftd.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ios.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ise.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.events@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_secure_email_gateway.log@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-cisco_umbrella.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.interface@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.lbvserver@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.service@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.system@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.vpn@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_waf.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.logpull@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.falcon@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.fdr@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.ai_analyst_alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.model_breach_alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.system_status_alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-f5_bigip.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fim.event@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-fireeye.nx@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.clientendpoint@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.firewall@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimail@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimanager@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fortinet_fortigate.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-gcp.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-gcp.dns@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-gcp.firewall@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-gcp.loadbalancing_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-gcp.vpcflow@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-github.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-github.code_scanning@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-github.dependabot@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-github.issues@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-github.secret_scanning@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.access_transparency@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.admin@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.context_aware_access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.device@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.drive@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.gcp@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.group_enterprise@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.groups@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.login@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.rules@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.saml@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.token@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.user_accounts@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-iis.access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-iis.error@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-imperva_cloud_waf.event@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-juniper.junos@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-juniper.netscreen@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-juniper.srx@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-juniper_srx.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-kafka_log.generic@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.detailed_shared_folder@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.event_report@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.user@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.event@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.incident@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_defender_endpoint.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_dhcp.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.audit_events@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.dlp_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.siem_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_customer@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_grid@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ap_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ip_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_url_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mysql.error@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mysql.slowlog@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-netflow.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-nginx.access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-nginx.error@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-o365.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-okta.system@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-panw.panos@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-pfsense.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_blocked@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_permitted@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_blocked@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_delivered@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-pulse_connect_secure.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.activity@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.agent@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.group@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-snort.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-snyk.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-snyk.vulnerabilities@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sonicwall_firewall.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sophos.utm@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sophos.xg@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.event@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-symantec_endpoint.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.asset@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.plugin@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.scan@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.vulnerability@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.asset@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.plugin@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.vulnerability@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malware@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malwarebazaar@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.threatfox@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.url@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_anomali.threatstream@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_cybersixgill.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat_attributes@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.pulses_subscribed@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.ioc@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.vulnerability@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.latest_ioc-template@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_threatq.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-vsphere.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.alerts@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.dns@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.firewall@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.tunnel@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.web@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.app_connector_status@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.browser_access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_activity@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_status@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json 
diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja
index 0de400b26..cd88748b5 100644
--- a/salt/elasticfleet/integration-defaults.map.jinja
+++ b/salt/elasticfleet/integration-defaults.map.jinja
@@ -73,7 +73,7 @@
 {% set integration_defaults = {
 "index_sorting": false,
 "index_template": {
- "composed_of": [integration_type ~ component_name ~ "@package", integration_type ~ component_name ~ "@custom", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"],
+ "composed_of": [integration_type ~ component_name ~ "@package", integration_type ~ component_name ~ "@custom", "so-fleet_integrations.ip_mappings", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"],
 "data_stream": {
 "allow_custom_routing": false,
 "hidden": false
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-1password.item_usages@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-1password.item_usages@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-1password.item_usages@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-1password.signin_attempts@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-1password.signin_attempts@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-1password.signin_attempts@custom.json
+++ /dev/null
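Review bot: The new `so-fleet_integrations.ip_mappings` entry is placed after the per-integration `@custom` component template in `composed_of`, and Elasticsearch merges component templates in list order with the last one taking precedence, so an operator's own `@custom` mapping for `host.ip`, `related.ip`, `source.ip` or `destination.ip` would be silently superseded by the shared template. If `@custom` is meant to remain the local override point, the shared template should sit between `@package` and `@custom`: `"composed_of": [integration_type ~ component_name ~ "@package", "so-fleet_integrations.ip_mappings", integration_type ~ component_name ~ "@custom", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"],`. Every integration index template now hard-depends on that component template existing, so it must be loaded before any index template that references it unless it is also added to `ignore_missing_component_templates`, and neither is visible in this hunk. The `integration_defaults` dict continues past the end of the hunk.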
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-apache.access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-apache.access@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-apache.access@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-apache.error@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-apache.error@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-apache.error@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-auditd.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-auditd.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-auditd.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-auth0.logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-auth0.logs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-auth0.logs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudfront_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudfront_logs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudfront_logs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudtrail@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudtrail@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudtrail@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudwatch_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudwatch_logs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudwatch_logs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.ec2_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.ec2_logs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.ec2_logs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.elb_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.elb_logs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.elb_logs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.firewall_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.firewall_logs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.firewall_logs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.guardduty@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.guardduty@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.guardduty@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.inspector@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.inspector@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.inspector@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_public_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_public_logs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_public_logs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_resolver_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_resolver_logs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_resolver_logs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.s3access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.s3access@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.s3access@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_findings@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_findings@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_findings@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_insights@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_insights@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_insights@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.vpcflow@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.vpcflow@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.vpcflow@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.waf@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.waf@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.waf@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.activitylogs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.activitylogs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.activitylogs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.application_gateway@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.application_gateway@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.application_gateway@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.auditlogs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.auditlogs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.auditlogs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.eventhub@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.eventhub@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.eventhub@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.firewall_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.firewall_logs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.firewall_logs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.identity_protection@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.identity_protection@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.identity_protection@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.platformlogs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.platformlogs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.platformlogs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.provisioning@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.provisioning@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.provisioning@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.signinlogs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.signinlogs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.signinlogs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.springcloudlogs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.springcloudlogs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.springcloudlogs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda.waf@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda.waf@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda.waf@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda_cloudgen_firewall.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda_cloudgen_firewall.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda_cloudgen_firewall.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-carbonblack_edr.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-carbonblack_edr.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-carbonblack_edr.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cef.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cef.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cef.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-checkpoint.firewall@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-checkpoint.firewall@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-checkpoint.firewall@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_asa.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_asa.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_asa.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.admin@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.admin@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.admin@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.auth@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.auth@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.auth@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.offline_enrollment@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.offline_enrollment@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.offline_enrollment@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.summary@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.summary@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.summary@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.telephony@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.telephony@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.telephony@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ftd.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ftd.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ftd.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ios.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ios.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ios.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ise.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ise.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ise.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.events@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.events@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.events@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_secure_email_gateway.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_secure_email_gateway.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_secure_email_gateway.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_umbrella.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_umbrella.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_umbrella.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.interface@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.interface@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.interface@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.lbvserver@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.lbvserver@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.lbvserver@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.service@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.service@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.service@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.system@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.system@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.system@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.vpn@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.vpn@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.vpn@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_waf.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_waf.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_waf.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.audit@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.audit@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.logpull@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.logpull@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.logpull@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.falcon@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.falcon@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.falcon@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.fdr@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.fdr@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.fdr@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.ai_analyst_alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.ai_analyst_alert@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.ai_analyst_alert@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.model_breach_alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.model_breach_alert@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.model_breach_alert@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.system_status_alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.system_status_alert@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.system_status_alert@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-f5_bigip.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-f5_bigip.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-f5_bigip.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fim.event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fim.event@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-fim.event@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fireeye.nx@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fireeye.nx@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-fireeye.nx@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.clientendpoint@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.clientendpoint@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.clientendpoint@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.firewall@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.firewall@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.firewall@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimail@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimail@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimail@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimanager@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimanager@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimanager@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet_fortigate.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet_fortigate.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet_fortigate.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.audit@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.audit@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.dns@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.dns@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.dns@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.firewall@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.firewall@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.firewall@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.loadbalancing_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.loadbalancing_logs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.loadbalancing_logs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.vpcflow@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.vpcflow@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.vpcflow@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-github.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-github.audit@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-github.audit@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-github.code_scanning@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-github.code_scanning@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-github.code_scanning@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-github.dependabot@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-github.dependabot@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-github.dependabot@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-github.issues@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-github.issues@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-github.issues@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-github.secret_scanning@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-github.secret_scanning@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-github.secret_scanning@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.access_transparency@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.access_transparency@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.access_transparency@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.admin@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.admin@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.admin@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.alert@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.alert@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.context_aware_access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.context_aware_access@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.context_aware_access@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.device@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.device@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.device@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.drive@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.drive@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.drive@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.gcp@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.gcp@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.gcp@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.group_enterprise@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.group_enterprise@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.group_enterprise@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.groups@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.groups@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.groups@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.login@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.login@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.login@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.rules@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.rules@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.rules@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.saml@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.saml@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.saml@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.token@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.token@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.token@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.user_accounts@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.user_accounts@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.user_accounts@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-iis.access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-iis.access@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-iis.access@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-iis.error@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-iis.error@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-iis.error@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-imperva_cloud_waf.event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-imperva_cloud_waf.event@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-imperva_cloud_waf.event@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.junos@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.junos@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.junos@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.netscreen@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.netscreen@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.netscreen@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.srx@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.srx@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.srx@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper_srx.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-juniper_srx.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper_srx.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-kafka_log.generic@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-kafka_log.generic@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-kafka_log.generic@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.detailed_shared_folder@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.detailed_shared_folder@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.detailed_shared_folder@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.event_report@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.event_report@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.event_report@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.user@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.user@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.user@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.event@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.event@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.incident@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.incident@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.incident@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_defender_endpoint.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_defender_endpoint.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_defender_endpoint.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_dhcp.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_dhcp.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_dhcp.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.audit@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.audit@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.audit_events@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.audit_events@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.audit_events@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.dlp_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.dlp_logs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.dlp_logs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.siem_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.siem_logs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.siem_logs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_customer@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_customer@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_customer@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_grid@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_grid@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_grid@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ap_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ap_logs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ap_logs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ip_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ip_logs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ip_logs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_url_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_url_logs@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_url_logs@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.error@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.error@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.error@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.slowlog@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.slowlog@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.slowlog@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-netflow.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-netflow.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-netflow.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.access@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.access@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.error@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.error@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.error@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-o365.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-o365.audit@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-o365.audit@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-okta.system@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-okta.system@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-okta.system@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-panw.panos@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-panw.panos@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-panw.panos@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-pfsense.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-pfsense.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-pfsense.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_blocked@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_blocked@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_blocked@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_permitted@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_permitted@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_permitted@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_blocked@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_blocked@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_blocked@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_delivered@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_delivered@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_delivered@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-pulse_connect_secure.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-pulse_connect_secure.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-pulse_connect_secure.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.activity@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.activity@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.activity@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.agent@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.agent@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.agent@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.alert@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.alert@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.group@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.group@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.group@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.threat@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.threat@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-snort.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-snort.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-snort.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.audit@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.audit@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.vulnerabilities@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.vulnerabilities@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.vulnerabilities@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sonicwall_firewall.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sonicwall_firewall.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sonicwall_firewall.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.utm@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.utm@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.utm@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.xg@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.xg@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.xg@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.alert@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.alert@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.event@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.event@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-symantec_endpoint.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-symantec_endpoint.log@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-symantec_endpoint.log@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.asset@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.asset@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.asset@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.plugin@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.plugin@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.plugin@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.scan@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.scan@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.scan@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.vulnerability@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.vulnerability@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.vulnerability@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.asset@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.asset@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.asset@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.plugin@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.plugin@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.plugin@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.vulnerability@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.vulnerability@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.vulnerability@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malware@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malware@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malware@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malwarebazaar@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malwarebazaar@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malwarebazaar@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.threatfox@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.threatfox@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.threatfox@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.url@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.url@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.url@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_anomali.threatstream@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_anomali.threatstream@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_anomali.threatstream@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_cybersixgill.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_cybersixgill.threat@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_cybersixgill.threat@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat_attributes@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat_attributes@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat_attributes@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.pulses_subscribed@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.pulses_subscribed@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.pulses_subscribed@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.threat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.threat@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.alert@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.ioc@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.ioc@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.ioc@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.vulnerability@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.vulnerability@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.vulnerability@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.latest_ioc-template@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.latest_ioc-template@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.latest_ioc-template@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.threat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.threat@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_threatq.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_threatq.threat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_threatq.threat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-vsphere.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-vsphere.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-vsphere.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.alerts@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.alerts@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.alerts@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.dns@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.dns@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.dns@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.firewall@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.firewall@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.firewall@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.tunnel@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.tunnel@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.tunnel@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.web@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.web@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.web@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.app_connector_status@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.app_connector_status@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.app_connector_status@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.audit@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.audit@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.browser_access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.browser_access@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.browser_access@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_activity@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_activity@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_activity@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_status@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_status@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_status@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json new file mode 100644 index 000000000..3777e670c --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json @@ -0,0 +1,37 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } + } + \ No newline at end of file From 0d49dee46e33ae35648e5f5d4476e8fd539cd2ec Mon Sep 17 00:00:00 2001 
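Review bot: Nothing in this hunk, or in the deletions before it, wires the new `so-fleet_integrations.ip_mappings.json` component into the index templates that previously composed the per-integration `@custom` components, so whether `host.ip`, `related.ip`, `source.ip` and `destination.ip` stay typed as `ip` for those data streams depends on a change outside this patch; if the component is not referenced elsewhere, the loss is easy to miss because the fields presumably just fall back to the package mappings rather than failing loudly. The new file also ends in a whitespace-only line with no trailing newline, which none of the 36-line files it replaces had; dropping that line and ending with a newline keeps the consolidated file clean and diff-friendly.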
From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 6 Jan 2025 11:22:51 -0600 Subject: [PATCH 06/38] update version to foxtrot Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 580cd0c49..452820224 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.120 \ No newline at end of file +2.4.0-foxtrot \ No newline at end of file From 3d3f0460fad532c1a5e207fabe3f327dd4ea167b Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 6 Jan 2025 14:42:16 -0600 Subject: [PATCH 07/38] move addon integration script run to elasticfleet state Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticfleet/enabled.sls | 4 ++++ salt/elasticsearch/enabled.sls | 7 ------- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index f91074b39..5a52f3a41 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -151,6 +151,10 @@ so-elastic-fleet-integration-upgrade: cmd.run: - name: /usr/sbin/so-elastic-fleet-integration-upgrade +so-elastic-fleet-addon-integrations: + cmd.run: + - name: /usr/sbin/so-elastic-fleet-optional-integrations-load + {% if ELASTICFLEETMERGED.config.defend_filters.enable_auto_configuration %} so-elastic-defend-manage-filters-file-watch: cmd.run: diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index fb3f877df..4ed4b1b98 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls 
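Review bot: The new `so-elastic-fleet-addon-integrations` state carries no `require`, whereas the `configure-addon-fleet-integrations` state it replaces in salt/elasticsearch/enabled.sls required `docker_container: so-elasticsearch` and set `cwd: /opt/so`; it now relies only on its position after `so-elastic-fleet-integration-upgrade` in the file. The script itself probes `localhost:5601/api/fleet/epm/packages` before doing work, so the implicit ordering is probably tolerable, but spelling it out with `- require:` / `- cmd: so-elastic-fleet-integration-upgrade` documents the dependency and survives a later reordering of the file. If the script depended on the working directory, `- cwd: /opt/so` should come across as well.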
@@ -172,13 +172,6 @@ so-elasticsearch-ilm-policy-load: - onchanges: - file: so-elasticsearch-ilm-policy-load-script -configure-addon-fleet-integrations: - cmd.run: - - name: /usr/sbin/so-elastic-fleet-optional-integrations-load - - cwd: /opt/so - - require: - - docker_container: so-elasticsearch - so-elasticsearch-templates-reload: file.absent: - name: /opt/so/state/estemplates.txt From a21535b0a2cf09eb1c587f3dde2c26cdddcda646 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 6 Jan 2025 21:33:07 -0600 Subject: [PATCH 08/38] run elasticsearch state to sync templates Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/manager/tools/sbin/soup | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index fc0c7aca4..d48463737 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -527,6 +527,10 @@ post_to_2.4.111() { post_to_2.4.120() { update_elasticsearch_index_settings + + # Sync the newly generated index templates for elasticfleet integrations + salt-call state.apply elasticsearch queue=True + POSTVERSION=2.4.120 } @@ -736,6 +740,8 @@ up_to_2.4.120() { # New Grid Integration added this release rm -f /opt/so/state/eaintegrations.txt + + INSTALLEDVERSION=2.4.120 } From dab56f0882b4c3b01266a6268a147197d7eeff67 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 14 Jan 2025 15:24:59 -0600 Subject: [PATCH 09/38] update fleet-optional-integrations-load Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- ...o-elastic-fleet-optional-integrations-load | 54 +++++++++++-------- 1 file changed, 33 insertions(+), 21 deletions(-) diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load index 5fa14c5fc..6d87b958c 100644 
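Review bot: In `post_to_2.4.120()` the exit status of the added `salt-call state.apply elasticsearch queue=True` is not checked before `POSTVERSION=2.4.120`, so a failed template sync is presumably still recorded as a completed post-upgrade step and would not be retried on a re-run. If the neighbouring `post_to_*` functions follow the same fire-and-forget pattern this may be deliberate, but since the comment says this call exists to sync newly generated index templates, a failure is worth surfacing at minimum: `salt-call state.apply elasticsearch queue=True || echo "WARNING: elasticsearch state apply failed; index templates may be out of date"`.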
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load @@ -13,11 +13,16 @@ STATE_FILE_SUCCESS=/opt/so/state/estemplates.txt INSTALLED_PACKAGE_LIST=/tmp/esfleet_installed_packages.json BULK_INSTALL_PACKAGE_LIST=/tmp/esfleet_bulk_install.json BULK_INSTALL_PACKAGE_TMP=/tmp/esfleet_bulk_install_tmp.json +BULK_INSTALL_OUTPUT=/opt/so/state/esfleet_bulk_install_results.json PACKAGE_COMPONENTS=/opt/so/state/esfleet_package_components.json SKIP_SUBSCRIPTION=true PENDING_UPDATE=false +# Integrations which are included in the package registry, but excluded from automatic installation via this script. +# Requiring some level of manual Elastic Stack configuration before installation +EXCLUDED_INTEGRATIONS=('apm') + version_conversion(){ version=$1 echo "$version" | awk -F '.' '{ printf("%d%03d%03d\n", $1, $2, $3); }' @@ -43,13 +48,13 @@ compare_versions() { if [[ -f $STATE_FILE_SUCCESS ]]; then if retry 3 1 "curl -s -K /opt/so/conf/elasticsearch/curl.config --output /dev/null --silent --head --fail localhost:5601/api/fleet/epm/packages"; then - # Package_list contains all NON-beta integrations. + # Package_list contains all integrations beta / non-beta. latest_package_list=$(/usr/sbin/so-elastic-fleet-package-list) echo '{ "packages" : []}' > $BULK_INSTALL_PACKAGE_LIST rm -f $INSTALLED_PACKAGE_LIST echo $latest_package_list | jq '{packages: [.items[] | {name: .name, latest_version: .version, installed_version: .savedObject.attributes.install_version, subscription: .conditions.elastic.subscription }]}' >> $INSTALLED_PACKAGE_LIST - cat "$INSTALLED_PACKAGE_LIST" | jq -c '.packages[]' | while read -r package; do + while read -r package; do # get package details package_name=$(echo "$package" | jq -r '.name') latest_version=$(echo "$package" | jq -r '.latest_version') 
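Review bot: The comment above `EXCLUDED_INTEGRATIONS=('apm')` is a sentence fragment and does not say what "excluded" means for an operator; suggest `# Integrations present in the package registry that this script deliberately never installs: they require manual Elastic Stack configuration before they can be installed.` Separately, the new `BULK_INSTALL_OUTPUT` is placed under /opt/so/state next to the `estemplates.txt` success marker while the sibling scratch files stay in /tmp; if the intent is to keep the last bulk-install response around for troubleshooting, a one-line comment saying so would explain the split.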
@@ -57,28 +62,35 @@ if [[ -f $STATE_FILE_SUCCESS ]]; then subscription=$(echo "$package" | jq -r '.subscription') bulk_package=$(echo "$package" | jq '{name: .name, version: .latest_version}' ) - if [ $SKIP_SUBSCRIPTION ] && [[ "$subscription" != "basic" && "$subscription" != "null" && -n "$subscription" ]]; then - # pass over integrations that require non-basic elastic license - continue - else - if [ -n "$installed_version" ]; then - results=$(compare_versions "$latest_version" "$installed_version") - if [ $results == "greater" ]; then - echo "$package_name is not up to date... Adding to next update." - jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST - PENDING_UPDATE=true - fi + if [[ ! "${EXCLUDED_INTEGRATIONS[@]}" =~ "$package_name" ]]; then + if $SKIP_SUBSCRIPTION && [[ "$subscription" != "basic" && "$subscription" != "null" && -n "$subscription" ]]; then + # pass over integrations that require non-basic elastic license + echo "$package_name integration requires an Elastic license of $subscription or greater... skipping" + continue else - echo "$package_name is not installed... Adding to next update." - jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST - PENDING_UPDATE=true - fi - fi - done + if [[ "$installed_version" == "null" || -z "$installed_version" ]]; then + echo "$package_name is not installed... Adding to next update." 
+ jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST - if [ $PENDING_UPDATE ]; then + PENDING_UPDATE=true + else + results=$(compare_versions "$latest_version" "$installed_version") + if [ $results == "greater" ]; then + echo "$package_name is at version $installed_version latest version is $latest_version... Adding to next update." + jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST + + PENDING_UPDATE=true + fi + fi + fi + else + echo "Skipping $package_name..." + fi + done <<< "$(jq -c '.packages[]' "$INSTALLED_PACKAGE_LIST")" + + if [ "$PENDING_UPDATE" = true ]; then # Run bulk install of packages - elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST + elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_OUTPUT # Write out file for generating index/component/ilm templates latest_installed_package_list=$(elastic_fleet_installed_packages) From 6331298eac1b17b7374bd5784de8202d3cb6ebd7 Mon Sep 17 00:00:00 2001 
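Review bot: `[[ ! "${EXCLUDED_INTEGRATIONS[@]}" =~ "$package_name" ]]` is a substring test against the space-joined array, not a membership test: any package whose name is a substring of an excluded name is skipped as well (with `('apm')`, a hypothetical package named `ap` or `pm` would be), and as the list grows a package `foo` would be skipped once `foo_bar` is excluded. Use delimited whole-word matching instead: `if [[ " ${EXCLUDED_INTEGRATIONS[*]} " != *" $package_name "* ]]; then`. Two smaller points in the same hunk: `if $SKIP_SUBSCRIPTION && ...` executes the variable's value as a command, whereas the later `if [ "$PENDING_UPDATE" = true ]` compares it, and using the comparison form for both is safer and consistent. Finally, the response of `elastic_fleet_bulk_package_install` is now redirected into `$BULK_INSTALL_OUTPUT`, but neither that file nor the function's exit status is inspected before the script goes on to build templates from `elastic_fleet_installed_packages`, so a partially failed bulk install is not reported; the enclosing `if [[ -f $STATE_FILE_SUCCESS ]]` block continues past the hunk.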
From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 21 Jan 2025 10:49:54 -0600 Subject: [PATCH 10/38] remove individual @custom mappings. Moved over to so-fleet_integrations.ip_mappings-1 --- .../integration-defaults.map.jinja | 2 +- salt/elasticfleet/integration-defaults.yaml | 46 ------------------- salt/elasticsearch/defaults.yaml | 33 ++++++++++++- ...udflare_logpush.access_request@custom.json | 36 --------------- .../logs-cloudflare_logpush.audit@custom.json | 36 --------------- .../logs-cloudflare_logpush.casb@custom.json | 36 --------------- ...udflare_logpush.device_posture@custom.json | 36 --------------- .../logs-cloudflare_logpush.dns@custom.json | 36 --------------- ...loudflare_logpush.dns_firewall@custom.json | 36 --------------- ...udflare_logpush.firewall_event@custom.json | 36 --------------- ...cloudflare_logpush.gateway_dns@custom.json | 36 --------------- ...loudflare_logpush.gateway_http@custom.json | 36 --------------- ...dflare_logpush.gateway_network@custom.json | 36 --------------- ...loudflare_logpush.http_request@custom.json | 36 --------------- ...s-cloudflare_logpush.magic_ids@custom.json | 36 --------------- ...-cloudflare_logpush.nel_report@custom.json | 36 --------------- ...lare_logpush.network_analytics@custom.json | 36 --------------- ...dflare_logpush.network_session@custom.json | 36 --------------- ...oudflare_logpush.sinkhole_http@custom.json | 36 --------------- ...udflare_logpush.spectrum_event@custom.json | 36 --------------- ...oudflare_logpush.workers_trace@custom.json | 36 --------------- .../logs-elastic_agent.apm_server@custom.json | 36 --------------- .../logs-elastic_agent.auditbeat@custom.json | 36 --------------- .../logs-elastic_agent.cloudbeat@custom.json | 36 --------------- ...lastic_agent.endpoint_security@custom.json | 36 --------------- .../logs-elastic_agent.filebeat@custom.json | 36 --------------- ...ogs-elastic_agent.fleet_server@custom.json | 36 --------------- 
.../logs-elastic_agent.heartbeat@custom.json | 36 --------------- .../logs-elastic_agent.metricbeat@custom.json | 36 --------------- ...logs-elastic_agent.osquerybeat@custom.json | 36 --------------- .../logs-elastic_agent.packetbeat@custom.json | 36 --------------- .../logs-elastic_agent@custom.json | 43 ----------------- .../logs-endpoint.alerts@custom.json | 36 --------------- ...endpoint.diagnostic.collection@custom.json | 43 ----------------- .../logs-endpoint.events.api@custom.json | 36 --------------- .../logs-endpoint.events.file@custom.json | 36 --------------- .../logs-endpoint.events.library@custom.json | 36 --------------- .../logs-endpoint.events.network@custom.json | 36 --------------- .../logs-endpoint.events.process@custom.json | 36 --------------- .../logs-endpoint.events.registry@custom.json | 36 --------------- .../logs-endpoint.events.security@custom.json | 36 --------------- .../logs-http_endpoint.generic@custom.json | 36 --------------- .../logs-httpjson.generic@custom.json | 36 --------------- .../logs-system.application@custom.json | 36 --------------- .../logs-system.auth@custom.json | 36 --------------- .../logs-system.security@custom.json | 36 --------------- .../logs-system.system@custom.json | 36 --------------- .../logs-windows.forwarded@custom.json | 36 --------------- .../logs-windows.powershell@custom.json | 36 --------------- ...windows.powershell_operational@custom.json | 36 --------------- ...ogs-windows.sysmon_operational@custom.json | 36 --------------- .../logs-winlog.winlog@custom.json | 36 --------------- ... 
so-fleet_integrations.ip_mappings-1.json} | 0 53 files changed, 32 insertions(+), 1827 deletions(-) delete mode 100644 salt/elasticfleet/integration-defaults.yaml delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.access_request@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.casb@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.device_posture@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns_firewall@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.firewall_event@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_dns@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_http@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_network@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.http_request@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.magic_ids@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.nel_report@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_analytics@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_session@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.sinkhole_http@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.spectrum_event@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.workers_trace@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.alerts@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.api@custom.json delete mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.file@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.library@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.network@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.process@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.registry@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.security@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-http_endpoint.generic@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-httpjson.generic@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-winlog.winlog@custom.json rename salt/elasticsearch/templates/component/elastic-agent/{so-fleet_integrations.ip_mappings.json => so-fleet_integrations.ip_mappings-1.json} (100%) 
diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja
index cd88748b5..09710a43c 100644
--- a/salt/elasticfleet/integration-defaults.map.jinja
+++ b/salt/elasticfleet/integration-defaults.map.jinja
@@ -73,7 +73,7 @@
 {% set integration_defaults = {
 "index_sorting": false,
 "index_template": {
- "composed_of": [integration_type ~ component_name ~ "@package", integration_type ~ component_name ~ "@custom", "so-fleet_integrations.ip_mappings", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"],
+ "composed_of": [integration_type ~ component_name ~ "@package", integration_type ~ component_name ~ "@custom", "so-fleet_integrations.ip_mappings-1", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"],
 "data_stream": {
 "allow_custom_routing": false,
 "hidden": false
diff --git a/salt/elasticfleet/integration-defaults.yaml b/salt/elasticfleet/integration-defaults.yaml
deleted file mode 100644
index 98bbd13b7..000000000
--- a/salt/elasticfleet/integration-defaults.yaml
+++ /dev/null
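Review bot: In the new `composed_of` the shared `so-fleet_integrations.ip_mappings-1` is listed after the integration's `@custom` template, and Elasticsearch gives later component templates precedence, so any `host.ip`, `source.ip`, `destination.ip` or `related.ip` mapping an operator places in `@custom` is silently overridden by the shared one. If `@custom` is meant to stay the operator-override hook, list the shared template ahead of it: `"composed_of": [integration_type ~ component_name ~ "@package", "so-fleet_integrations.ip_mappings-1", integration_type ~ component_name ~ "@custom", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"],`. The `salt/elasticsearch/defaults.yaml` hunks that follow in this patch insert the new entry in the same position after `@custom`, so the same consideration applies there. The `integration_defaults` dict continues past the end of the hunk, so whether its `ignore_missing_component_templates` still tolerates an absent `@custom` template is not visible here.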
@@ -1,46 +0,0 @@
-so-logs-INTPLACEHOLDER_x_COMPLACEHOLDER:
- index_sorting: False
- index_template:
- composed_of:
- - "logs-INTPLACEHOLDER.COMPLACEHOLDER@package"
- - "logs-INTPLACEHOLDER.COMPLACEHOLDER@custom"
- - "so-fleet_globals-1"
- - "so-fleet_agent_id_verification-1"
- data_stream:
- hidden: false
- allow_custom_routing: false
- ignore_missing_COMPLACEHOLDER_templates:
- - "logs-INTPLACEHOLDER.COMPLACEHOLDER@custom"
- index_patterns:
- - "logs-INTPLACEHOLDER.COMPLACEHOLDER-*"
- priority: 501
- template:
- settings:
- index:
- lifecycle:
- name: "so-logs-INTPLACEHOLDER.COMPLACEHOLDER-logs"
- number_of_replicas: 0
- policy:
- phases:
- cold:
- actions:
- set_priority:
- priority: 0
- min_age: "60d"
- delete:
- actions:
- delete: {}
- min_age: "365d"
- hot:
- actions:
- rollover:
- max_age: "30d"
- max_primary_shard_size: "50gb"
- set_priority:
- priority: 100
- min_age: "0ms"
- warm:
- actions:
- set_priority:
- priority: 50
- min_age: "30d"
\ No newline at end of file
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 32d9c431e..d39935485 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1119,6 +1119,7 @@ elasticsearch:
 - event-mappings
 - logs-elastic_agent@package
 - logs-elastic_agent@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1182,6 +1183,7 @@ elasticsearch:
 composed_of:
 - logs-elastic_agent.apm_server@package
 - logs-elastic_agent.apm_server@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1245,6 +1247,7 @@ elasticsearch:
 composed_of:
 - logs-elastic_agent.auditbeat@package
 - logs-elastic_agent.auditbeat@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1308,6 +1311,7 @@ elasticsearch:
 composed_of:
 - logs-elastic_agent.cloudbeat@package
 - logs-elastic_agent.cloudbeat@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 ignore_missing_component_templates:
@@ -1369,6 +1373,7 @@ elasticsearch:
 - event-mappings
 - logs-elastic_agent.endpoint_security@package
 - logs-elastic_agent.endpoint_security@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1427,6 +1432,7 @@ elasticsearch:
 - event-mappings
 - logs-elastic_agent.filebeat@package
 - logs-elastic_agent.filebeat@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1485,6 +1491,7 @@ elasticsearch:
 - event-mappings
 - logs-elastic_agent.fleet_server@package
 - logs-elastic_agent.fleet_server@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1539,6 +1546,7 @@ elasticsearch:
 composed_of:
 - logs-elastic_agent.heartbeat@package
 - logs-elastic_agent.heartbeat@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 ignore_missing_component_templates:
@@ -1600,6 +1608,7 @@ elasticsearch:
 - event-mappings
 - logs-elastic_agent.metricbeat@package
 - logs-elastic_agent.metricbeat@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1658,6 +1667,7 @@ elasticsearch:
 - event-mappings
 - logs-elastic_agent.osquerybeat@package
 - logs-elastic_agent.osquerybeat@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1715,6 +1725,7 @@ elasticsearch:
 composed_of:
 - logs-elastic_agent.packetbeat@package
 - logs-elastic_agent.packetbeat@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1779,6 +1790,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.alerts@custom
 - logs-endpoint.alerts@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1837,6 +1849,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.diagnostic.collection@custom
 - logs-endpoint.diagnostic.collection@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1895,6 +1908,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.events.api@custom
 - logs-endpoint.events.api@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -1953,6 +1967,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.events.file@custom
 - logs-endpoint.events.file@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2011,6 +2026,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.events.library@custom
 - logs-endpoint.events.library@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2069,6 +2085,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.events.network@custom
 - logs-endpoint.events.network@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2127,6 +2144,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.events.process@custom
 - logs-endpoint.events.process@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2185,6 +2203,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.events.registry@custom
 - logs-endpoint.events.registry@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2243,6 +2262,7 @@ elasticsearch:
 - event-mappings
 - logs-endpoint.events.security@custom
 - logs-endpoint.events.security@package
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2300,13 +2320,13 @@ elasticsearch:
 composed_of:
 - logs-http_endpoint.generic@package
 - logs-http_endpoint.generic@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
 allow_custom_routing: false
 hidden: false
 ignore_missing_component_templates:
- - logs-http_endpoint.generic@package
 - logs-http_endpoint.generic@custom
 index_patterns:
 - logs-http_endpoint.generic-*
@@ -2347,6 +2367,7 @@ elasticsearch:
 composed_of:
 - logs-httpjson.generic@package
 - logs-httpjson.generic@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2538,6 +2559,7 @@ elasticsearch:
 - event-mappings
 - logs-system.application@package
 - logs-system.application@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 - so-system-mappings
@@ -2586,6 +2608,7 @@ elasticsearch:
 - event-mappings
 - logs-system.auth@package
 - logs-system.auth@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 - so-system-mappings
@@ -2634,6 +2657,7 @@ elasticsearch:
 - event-mappings
 - logs-system.security@package
 - logs-system.security@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 - so-system-mappings
@@ -2730,6 +2754,7 @@ elasticsearch:
 - event-mappings
 - logs-system.system@package
 - logs-system.system@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 - so-system-mappings
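Review bot: The `@@ -2300,13 +2320,13 @@` hunk also drops `logs-http_endpoint.generic@package` from `ignore_missing_component_templates`, which is unrelated to the ip-mappings move the subject describes and changes failure behaviour: the `so-logs-http_endpoint_x_generic` index template can no longer be created while the http_endpoint `@package` component template is absent, which presumably happens if the integration's assets are not yet installed when the templates are applied. The winlog hunk at `@@ -2961,13 +2990,13 @@` makes the same change. If the stricter behaviour is intended it should be stated in the commit message; otherwise keep the `- logs-http_endpoint.generic@package` entry under `ignore_missing_component_templates`.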
@@ -2777,6 +2802,7 @@ elasticsearch:
 composed_of:
 - logs-windows.forwarded@package
 - logs-windows.forwarded@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2823,6 +2849,7 @@ elasticsearch:
 composed_of:
 - logs-windows.powershell@package
 - logs-windows.powershell@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2869,6 +2896,7 @@ elasticsearch:
 composed_of:
 - logs-windows.powershell_operational@package
 - logs-windows.powershell_operational@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2915,6 +2943,7 @@ elasticsearch:
 composed_of:
 - logs-windows.sysmon_operational@package
 - logs-windows.sysmon_operational@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
@@ -2961,13 +2990,13 @@ elasticsearch:
 composed_of:
 - logs-winlog.winlog@package
 - logs-winlog.winlog@custom
+ - so-fleet_integrations.ip_mappings-1
 - so-fleet_globals-1
 - so-fleet_agent_id_verification-1
 data_stream:
 allow_custom_routing: false
 hidden: false
 ignore_missing_component_templates:
- - logs-winlog.winlog@package
 - logs-winlog.winlog@custom
 index_patterns:
 - logs-winlog.winlog-*
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.access_request@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.access_request@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.access_request@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.audit@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.audit@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.casb@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.casb@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.casb@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.device_posture@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.device_posture@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.device_posture@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns_firewall@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns_firewall@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns_firewall@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.firewall_event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.firewall_event@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.firewall_event@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_dns@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_dns@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_dns@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_http@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_http@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_http@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_network@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_network@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_network@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.http_request@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.http_request@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.http_request@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.magic_ids@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.magic_ids@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.magic_ids@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.nel_report@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.nel_report@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.nel_report@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_analytics@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_analytics@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_analytics@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_session@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_session@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_session@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.sinkhole_http@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.sinkhole_http@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.sinkhole_http@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.spectrum_event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.spectrum_event@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.spectrum_event@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.workers_trace@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.workers_trace@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.workers_trace@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json
deleted file mode 100644
index d8d14a5a9..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.alerts@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.alerts@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.alerts@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@custom.json
deleted file mode 100644
index 5bbe3c1fa..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@custom.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- },
- "_meta": {
- "package": {
- "name": "endpoint"
- },
- "managed_by": "fleet",
- "managed": true
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.api@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.api@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.api@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.file@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.file@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.file@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.library@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.library@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.library@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.network@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.network@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.network@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.process@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.process@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.process@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.registry@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.registry@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.registry@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.security@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.security@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-http_endpoint.generic@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-http_endpoint.generic@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-http_endpoint.generic@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-httpjson.generic@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-httpjson.generic@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-httpjson.generic@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json
deleted file mode 100644
index 17319ab9f..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "template": {
- "mappings": {
- "properties": {
- "host": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "related": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "destination": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- },
- "source": {
- "properties":{
- "ip": {
- "type": "ip"
- }
- }
- }
- }
- }
- }
-}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-winlog.winlog@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-winlog.winlog@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-winlog.winlog@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings-1.json similarity index 100% rename from salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json rename to salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings-1.json From d779f7ae7f60c72108a27f0a66ebf447237ce538 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 22 Jan 2025 10:13:01 -0600 Subject: [PATCH 11/38] add back missing component for http_endpoint_x_generic & winlog_x_winglog --- salt/elasticsearch/defaults.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index d39935485..77a5be232 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -2327,6 +2327,7 @@ elasticsearch: allow_custom_routing: false hidden: false ignore_missing_component_templates: + - logs-http_endpoint.generic@package - logs-http_endpoint.generic@custom index_patterns: - logs-http_endpoint.generic-* 
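Review bot: Adding `logs-http_endpoint.generic@package` to `ignore_missing_component_templates` means the index template is still installed when that package component template is absent, and documents are then indexed with dynamic mappings instead of the package's field definitions; the `logs-winlog.winlog@package` line in the next hunk has the same effect. Other entries of this kind appear to list only the `@custom` template there, so the reason these two also tolerate a missing `@package` template should be recorded next to the list, e.g. `# @package is optional for this integration: the index template must still install when the package is not present`. If the intent is instead to require the package mapping, the entry belongs only in `composed_of` (outside this hunk), where a missing template fails loudly rather than silently degrading the field types detections rely on. The enclosing `index_settings` entry starts and ends outside the hunk.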
@@ -2997,6 +2998,7 @@ elasticsearch: allow_custom_routing: false hidden: false ignore_missing_component_templates: + - logs-winlog.winlog@package - logs-winlog.winlog@custom index_patterns: - logs-winlog.winlog-* From 81ac1ebc08382d4a55b21a7066cc17be48c9308e Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 22 Jan 2025 13:12:09 -0600 Subject: [PATCH 12/38] fixes merging local pillar /global overrides for generated index templates --- salt/elasticfleet/integration-defaults.map.jinja | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja index 09710a43c..30eda7081 100644 --- a/salt/elasticfleet/integration-defaults.map.jinja +++ b/salt/elasticfleet/integration-defaults.map.jinja @@ -67,7 +67,10 @@ {% if component_name in WEIRD_INTEGRATIONS %} {% set component_name = WEIRD_INTEGRATIONS[component_name] %} {% endif %} -{% set integration_key = "so-" ~ integration_type ~ component_name %} +{# component_name_x maintains the functionality of merging local pillar changes with generated 'defaults' via SOC UI #} +{% set component_name_x = component_name.replace(".","_x_") %} +{# pillar overrides/merge expects the key names to follow the naming in elasticsearch/defaults.yaml eg. so-logs-1password_x_item_usages . The _x_ is replaced later on in elasticsearch/template.map.jinja #} +{% set integration_key = "so-" ~ integration_type ~ component_name_x %} {# Default integration settings #} {% set integration_defaults = { From e0039a08ef435df402c0364f172dd9d4f02d5338 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 22 Jan 2025 13:57:26 -0600 Subject: [PATCH 13/38] fix forcedType typo --- salt/elasticsearch/soc_elasticsearch.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
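Review bot: `component_name.replace(".","_x_")` rewrites every dot, so a dataset with two dots (for example `endpoint.diagnostic.collection`, one of the component templates deleted earlier in this series) yields a key with two `_x_` segments, and the reverse replacement the new comment attributes to `elasticsearch/template.map.jinja` has to handle all occurrences rather than only the first — that file is not in this diff, so this is worth confirming. The two added comments are long single lines; I would fold them into one, e.g. `{# Pillar/SOC overrides key on the elasticsearch/defaults.yaml names (so-logs-1password_x_item_usages), so '.' becomes '_x_' here and template.map.jinja maps it back #}`. The enclosing block starts outside the hunk.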
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 0d5d0ea28..48b8b2e27 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -166,7 +166,7 @@ elasticsearch: index_template: index_patterns: description: Patterns for matching multiple indices or tables. - forceType: "[]string" + forcedType: "[]string" multiline: True global: True advanced: True From 9738ef382c4c4cc3d4a24a584981e1103fcf72ef Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 23 Jan 2025 08:12:02 -0500 Subject: [PATCH 14/38] Upgrade Elastic to 8.17.1 --- .../integrations/elastic-defend/elastic-defend-endpoints.json | 2 +- salt/elasticsearch/defaults.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json index 15f08a151..0348a0198 100644 --- a/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json +++ b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json @@ -5,7 +5,7 @@ "package": { "name": "endpoint", "title": "Elastic Defend", - "version": "8.14.0" + "version": "8.17.0" }, "enabled": true, "policy_id": "endpoints-initial", diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 77a5be232..04198a160 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,6 +1,6 @@ elasticsearch: enabled: false - version: 8.14.3 + version: 8.17.1 index_clean: true config: action: From 5b8f8fb62f0dfbf7ce5692351a36f2a3250e0ba8 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 23 Jan 2025 12:47:22 -0600 Subject: [PATCH 15/38] add/remove es annotations/defaults automagically 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/soc_elasticsearch.yaml | 6 +++ salt/manager/managed_soc_annotations.sls | 59 +++++++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 salt/manager/managed_soc_annotations.sls diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 48b8b2e27..adce41bff 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -77,6 +77,12 @@ elasticsearch: custom008: *pipelines custom009: *pipelines custom010: *pipelines + managed_integrations: + description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass + forcedType: "[]string" + global: True + advanced: True + helpLink: elasticsearch.html index_settings: global_overrides: index_template: diff --git a/salt/manager/managed_soc_annotations.sls b/salt/manager/managed_soc_annotations.sls new file mode 100644 index 000000000..17621f973 --- /dev/null +++ b/salt/manager/managed_soc_annotations.sls 
@@ -0,0 +1,59 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{# Managed elasticsearch/soc_elasticsearch.yaml file for adding integration configuration items to UI #} +{% set managed_integrations = salt['pillar.get']('elasticsearch:managed_integrations', []) %} +{% if managed_integrations %} +{% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %} +{% set addon_integration_keys = ADDON_INTEGRATION_DEFAULTS.keys() %} +{% set matched_integration_names = [] %} +{% for k in addon_integration_keys %} +{% for i in managed_integrations %} +{% if i in k %} +{% do matched_integration_names.append(k) %} +{% endif %} +{% endfor %} +{% endfor %} +{% set es_soc_annotations = '/opt/so/saltstack/default/salt/elasticsearch/soc_elasticsearch.yaml' %} +{{ es_soc_annotations }}: + file.serialize: + - dataset: + {% set data = salt['file.read'](es_soc_annotations) | load_yaml %} + {% set es = data.get('elasticsearch', {}) %} + {% set index_settings = es.get('index_settings', {}) %} + {% set input = index_settings.get('so-logs', {}) %} + {% for k in matched_integration_names %} + {% if k not in index_settings %} + {% set _ = index_settings.update({k: input}) %} + {% endif %} + {% endfor %} + {% for k in addon_integration_keys %} + {% if k not in matched_integration_names and k in index_settings %} + {% set _ = index_settings.pop(k) %} + {% endif %} + {% endfor %} + {{ data }} + +{# Managed elasticsearch/defaults.yaml file for enabling 'Revert to default' via SOC UI for newly added config items #} +{% set es_defaults = '/opt/so/saltstack/default/salt/elasticsearch/defaults.yaml' %} +{{ es_defaults }}: + file.serialize: + - dataset: + {% set data = salt['file.read'](es_defaults) | 
load_yaml %} + {% set es = data.get('elasticsearch', {}) %} + {% set index_settings = es.get('index_settings', {}) %} + {% for k in matched_integration_names %} + {% if k not in index_settings %} + {% set input = ADDON_INTEGRATION_DEFAULTS[k] %} + {% set _ = index_settings.update({k: input})%} + {% endif %} + {% endfor %} + {% for k in addon_integration_keys %} + {% if k not in matched_integration_names and k in index_settings %} + {% set _ = index_settings.pop(k) %} + {% endif %} + {% endfor %} + {{ data }} +{% endif %} \ No newline at end of file From 97a3f130c8957e19cd6e833d6aa1532dbb8d18e3 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 23 Jan 2025 15:32:39 -0500 Subject: [PATCH 16/38] Update Elastic --- .../files/integrations/grid-nodes_general/import-evtx-logs.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json index fb8c31040..bef0bf931 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json 
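Review bot: `{% if i in k %}` is a substring test, so an empty string in `elasticsearch:managed_integrations` matches every addon key and enables all of them, and a short fragment such as `system` or `security` matches every key that contains it; both `file.serialize` blocks reuse this match. A guard like `{% if i and i in k and k not in matched_integration_names %}` rejects the empty entry and also avoids the duplicate appends that occur when several entries match the same key. The `managed_integrations` description added to `soc_elasticsearch.yaml` in this commit should say the match is a case-sensitive substring match against the generated `so-logs-...` key. I would also confirm that `{{ data }}`, which emits the Python repr of the loaded mapping into the state, round-trips through the YAML renderer for every annotation value present (quoting and `None` are the usual trouble spots).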
@@ -20,7 +20,7 @@ ], "data_stream.dataset": "import", "custom": "", - "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-1.59.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-1.45.1\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-1.59.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-1.59.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-1.45.1\n- add_fields:\n target: data_stream\n 
fields:\n dataset: import", + "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-1.64.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-2.3.6\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-1.64.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-1.64.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-2.3.6\n- add_fields:\n target: data_stream\n fields:\n dataset: import", "tags": [ 
"import" ] From a373d96c3c7b46ef56475dd0f6f674ec16ebfc6d Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 27 Jan 2025 13:45:03 -0600 Subject: [PATCH 17/38] run managed_soc_annotations.sls from manager state --- salt/manager/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index c4b2ad136..8de5d097a 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -14,6 +14,7 @@ include: - manager.sync_es_users - manager.elasticsearch - manager.kibana + - manager.managed_soc_annotations repo_log_dir: file.directory: From 38b0276458261c9c1049d8e49b40c4f2d919d02c Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 27 Jan 2025 13:45:18 -0600 Subject: [PATCH 18/38] remove reference to deleted file --- salt/elasticfleet/integration-defaults.map.jinja | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja index 30eda7081..6d31cc71f 100644 --- a/salt/elasticfleet/integration-defaults.map.jinja +++ b/salt/elasticfleet/integration-defaults.map.jinja @@ -5,7 +5,6 @@ {% import_json '/opt/so/state/esfleet_package_components.json' as ADDON_PACKAGE_COMPONENTS %} {% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %} -{% import_yaml 'elasticfleet/integration-defaults.yaml' as INTEGRATIONDEFAULTS %} {% set CORE_ESFLEET_PACKAGES = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %} {% set ADDON_INTEGRATION_DEFAULTS = {} %} From e994f3a220203a5fc4f3d04a65344c0faba859c4 Mon Sep 17 00:00:00 2001 
From: Joshua Brower Date: Mon, 27 Jan 2025 14:48:50 -0500 Subject: [PATCH 19/38] Fix commits --- salt/elasticsearch/soc_elasticsearch.yaml | 8 ++- salt/manager/managed_soc_annotations.sls | 59 +++++++++++++++++++++++ salt/manager/tools/sbin/soup | 18 ++++++- 3 files changed, 82 insertions(+), 3 deletions(-) create mode 100644 salt/manager/managed_soc_annotations.sls
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index 0d5d0ea28..adce41bff 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -77,6 +77,12 @@ elasticsearch:
 custom008: *pipelines
 custom009: *pipelines
 custom010: *pipelines
+ managed_integrations:
+ description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass
+ forcedType: "[]string"
+ global: True
+ advanced: True
+ helpLink: elasticsearch.html
 index_settings:
 global_overrides:
 index_template:
@@ -166,7 +172,7 @@ elasticsearch:
 index_template:
 index_patterns:
 description: Patterns for matching multiple indices or tables.
- forceType: "[]string"
+ forcedType: "[]string"
 multiline: True
 global: True
 advanced: True
diff --git a/salt/manager/managed_soc_annotations.sls b/salt/manager/managed_soc_annotations.sls
new file mode 100644
index 000000000..17621f973
--- /dev/null
+++ b/salt/manager/managed_soc_annotations.sls
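Review bot: The `description` for the new `managed_integrations` option does not tell the operator how a "partial integration name" is matched; the consuming state (managed_soc_annotations.sls in this same series) uses a plain substring test against every add-on integration key, so a short value such as `aws` pulls in every integration whose key contains that text. Suggest making that explicit in the annotation: `description: List of integrations to add into SOC config UI. Enter the full or partial integration name; a partial name matches every integration whose name contains it. Eg. 1password, 1pass`. The `forceType` -> `forcedType` fix in the second hunk looks right.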
@@ -0,0 +1,59 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{# Managed elasticsearch/soc_elasticsearch.yaml file for adding integration configuration items to UI #} +{% set managed_integrations = salt['pillar.get']('elasticsearch:managed_integrations', []) %} +{% if managed_integrations %} +{% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %} +{% set addon_integration_keys = ADDON_INTEGRATION_DEFAULTS.keys() %} +{% set matched_integration_names = [] %} +{% for k in addon_integration_keys %} +{% for i in managed_integrations %} +{% if i in k %} +{% do matched_integration_names.append(k) %} +{% endif %} +{% endfor %} +{% endfor %} +{% set es_soc_annotations = '/opt/so/saltstack/default/salt/elasticsearch/soc_elasticsearch.yaml' %} +{{ es_soc_annotations }}: + file.serialize: + - dataset: + {% set data = salt['file.read'](es_soc_annotations) | load_yaml %} + {% set es = data.get('elasticsearch', {}) %} + {% set index_settings = es.get('index_settings', {}) %} + {% set input = index_settings.get('so-logs', {}) %} + {% for k in matched_integration_names %} + {% if k not in index_settings %} + {% set _ = index_settings.update({k: input}) %} + {% endif %} + {% endfor %} + {% for k in addon_integration_keys %} + {% if k not in matched_integration_names and k in index_settings %} + {% set _ = index_settings.pop(k) %} + {% endif %} + {% endfor %} + {{ data }} + +{# Managed elasticsearch/defaults.yaml file for enabling 'Revert to default' via SOC UI for newly added config items #} +{% set es_defaults = '/opt/so/saltstack/default/salt/elasticsearch/defaults.yaml' %} +{{ es_defaults }}: + file.serialize: + - dataset: + {% set data = salt['file.read'](es_defaults) | 
load_yaml %} + {% set es = data.get('elasticsearch', {}) %} + {% set index_settings = es.get('index_settings', {}) %} + {% for k in matched_integration_names %} + {% if k not in index_settings %} + {% set input = ADDON_INTEGRATION_DEFAULTS[k] %} + {% set _ = index_settings.update({k: input})%} + {% endif %} + {% endfor %} + {% for k in addon_integration_keys %} + {% if k not in matched_integration_names and k in index_settings %} + {% set _ = index_settings.pop(k) %} + {% endif %} + {% endfor %} + {{ data }} +{% endif %} \ No newline at end of file diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index c0a6a4359..b6cf38799 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -406,6 +406,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.4.100 ]] && up_to_2.4.110 [[ "$INSTALLEDVERSION" == 2.4.110 ]] && up_to_2.4.111 [[ "$INSTALLEDVERSION" == 2.4.111 ]] && up_to_2.4.120 + [[ "$INSTALLEDVERSION" == 2.4.120 ]] && up_to_2.4.130 true } @@ -429,6 +430,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.4.100 ]] && post_to_2.4.110 [[ "$POSTVERSION" == 2.4.110 ]] && post_to_2.4.111 [[ "$POSTVERSION" == 2.4.111 ]] && post_to_2.4.120 + [[ "$POSTVERSION" == 2.4.120 ]] && post_to_2.4.130 true } @@ -538,6 +540,11 @@ post_to_2.4.120() { POSTVERSION=2.4.120 } +post_to_2.4.130() { + echo "Nothing to apply" + POSTVERSION=2.4.130 +} + repo_sync() { echo "Sync the local repo." su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync." @@ -717,8 +724,8 @@ up_to_2.4.90() { } up_to_2.4.100() { - # Elastic Update for this release, so download Elastic Agent files - determine_elastic_agent_upgrade + echo "Nothing to do for 2.4.100" + INSTALLEDVERSION=2.4.100 } 
@@ -749,6 +756,13 @@ up_to_2.4.120() { INSTALLEDVERSION=2.4.120 } +up_to_2.4.130() { + # Elastic Update for this release, so download Elastic Agent files + determine_elastic_agent_upgrade + + INSTALLEDVERSION=2.4.130 +} + add_hydra_pillars() { mkdir -p /opt/so/saltstack/local/pillar/hydra touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls From 49ab0751c0665436624b46a029f27510d4c21719 Mon Sep 17 00:00:00 2001 From: Joshua Brower Date: Mon, 27 Jan 2025 15:01:21 -0500 Subject: [PATCH 20/38] Remove uneeded import --- salt/elasticfleet/integration-defaults.map.jinja | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja index 30eda7081..a60eaae60 100644 --- a/salt/elasticfleet/integration-defaults.map.jinja +++ b/salt/elasticfleet/integration-defaults.map.jinja @@ -5,7 +5,6 @@ {% import_json '/opt/so/state/esfleet_package_components.json' as ADDON_PACKAGE_COMPONENTS %} {% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %} -{% import_yaml 'elasticfleet/integration-defaults.yaml' as INTEGRATIONDEFAULTS %} {% set CORE_ESFLEET_PACKAGES = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %} {% set ADDON_INTEGRATION_DEFAULTS = {} %} @@ -130,4 +129,4 @@ {% endfor %} {% endif %} {% endif %} -{% endfor %} \ No newline at end of file +{% endfor %} From d74b69d84d5933a57479152f5143963a39224f86 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 27 Jan 2025 16:34:33 -0600 Subject: [PATCH 21/38] add additional weird_integration --- salt/elasticfleet/integration-defaults.map.jinja | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja index 6d31cc71f..008efb615 100644 --- a/salt/elasticfleet/integration-defaults.map.jinja +++ b/salt/elasticfleet/integration-defaults.map.jinja 
@@ -12,6 +12,7 @@ {# Some fleet integrations don't follow the standard naming convention #} {% set WEIRD_INTEGRATIONS = { 'awsfirehose.logs': 'awsfirehose', + 'awsfirehose.metrics': 'aws.cloudwatch', 'cribl.logs': 'cribl', 'sentinel_one_cloud_funnel.logins': 'sentinel_one_cloud_funnel.login', 'azure_application_insights.app_insights': 'azure.app_insights', From 3b69ff9fc9ff552470b92b7c82287ac3fed9bbb0 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 29 Jan 2025 14:02:45 -0600 Subject: [PATCH 22/38] integration policy update --- salt/manager/tools/sbin/soup | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index b6cf38799..89255f839 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -534,14 +534,16 @@ post_to_2.4.120() { # Manually rollover suricata alerts index to ensure data_stream.dataset expected mapping is set to 'suricata' rollover_index "logs-suricata.alerts-so" - # Sync the newly generated index templates for elasticfleet integrations - salt-call state.apply elasticsearch queue=True - POSTVERSION=2.4.120 } post_to_2.4.130() { - echo "Nothing to apply" + # Integrations policies need to be updated + rm -f /opt/so/state/eaintegrations.txt + + # Sync the newly generated index templates for elasticfleet integrations + salt-call state.apply elasticsearch queue=True + POSTVERSION=2.4.130 } @@ -725,7 +727,7 @@ up_to_2.4.90() { up_to_2.4.100() { echo "Nothing to do for 2.4.100" - + INSTALLEDVERSION=2.4.100 } From 33f145a40b28f4430a11d4f5826c64f343a348b0 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 4 Feb 2025 08:58:36 -0600 Subject: [PATCH 23/38] ensure network packet capture integration data has event.module:network_traffic --- salt/elasticsearch/files/ingest/global@custom | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/salt/elasticsearch/files/ingest/global@custom b/salt/elasticsearch/files/ingest/global@custom
index 085afd23c..4c522374e 100644
--- a/salt/elasticsearch/files/ingest/global@custom
+++ b/salt/elasticsearch/files/ingest/global@custom
@@ -8,7 +8,9 @@
 "processors": [
 { "set": { "ignore_failure": true, "field": "event.module", "value": "elastic_agent" } },
 { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } },
+ { "split": { "if": "ctx.data_stream?.dataset.contains('.')", "field":"data_stream.dataset", "separator":"\\.", "target_field":"datastream_dataset_temp", "ignore_missing":true } },
 { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } },
+ { "set": { "if": "ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "description":"Fix EA network packet capture" } },
 { "gsub": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } },
 { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}", "allow_duplicates": false } },
 { "set": { "if": "ctx.network?.direction == 'egress'", "override": true, "field": "network.initiated", "value": "true" } },
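Review bot: The two new conditions are not null-safe the way their neighbours are. `ctx.data_stream?.dataset.contains('.')` only guards `data_stream`, so a document with a `data_stream` object whose `dataset` is null throws in the `if` script, and that `split` has no `ignore_failure`, so the whole pipeline fails for that event; likewise `ctx.datastream_dataset_temp[0] == 'network_traffic'` indexes a field that does not exist whenever the split did not run, and whether `ignore_failure` on the `set` also swallows an exception raised while evaluating `if` is not something I can confirm from here. Both should follow the pattern used on the existing lines: `"if": "ctx.data_stream?.dataset != null && ctx.data_stream.dataset.contains('.')"` and `"if": "ctx.datastream_dataset_temp != null && ctx.datastream_dataset_temp[0] == 'network_traffic'"`. The second hunk of this file correctly adds `datastream_dataset_temp` to the final `remove` list.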
@@ -22,6 +24,6 @@
 { "set": { "if": "ctx.event?.module == 'fim'", "override": true, "field": "event.module", "value": "file_integrity" } },
 { "rename": { "if": "ctx.winlog?.provider_name == 'Microsoft-Windows-Windows Defender'", "ignore_missing": true, "field": "winlog.event_data.Threat Name", "target_field": "winlog.event_data.threat_name" } },
 { "set": { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
- { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } }
+ { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp", "datastream_dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
 ]
 }
From fb0cd436d352fb4d4a19913b695058ea0f4c7855 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 11 Feb 2025 11:23:04 -0600 Subject: [PATCH 24/38] ES 8.17.2 TODO: Check import-evtx-logs.json for updated pipeline versions Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/defaults.yaml | 2 +- salt/kibana/defaults.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 04198a160..c91a2df6f 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1,6 +1,6 @@ elasticsearch:
 enabled: false
- version: 8.17.1
+ version: 8.17.2
 index_clean: true
 config:
 action:
diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml
index 90b75b8c4..2de3853df 100644
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -22,7 +22,7 @@ kibana: - default - file migrations: - discardCorruptObjects: "8.10.4" + discardCorruptObjects: "8.17.2" telemetry: enabled: False security: From 40cb3a53aea8110068ae38bd98103cef33d5ade3 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 12 Feb 2025 13:18:08 -0600 Subject: [PATCH 25/38] Revert ES 8.17.2 upgrade -> 8.17.1 Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/defaults.yaml | 2 +- salt/kibana/defaults.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index c91a2df6f..04198a160 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,6 +1,6 @@ elasticsearch: enabled: false - version: 8.17.2 + version: 8.17.1 index_clean: true config: action: diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index 2de3853df..6cc4d123a 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -22,7 +22,7 @@ kibana: - default - file migrations: - discardCorruptObjects: "8.17.2" + discardCorruptObjects: "8.17.1" telemetry: enabled: False security: From 09c7b31918f3d04af26c627bb74dfda0692ae9da Mon Sep 17 00:00:00 2001 
From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 12 Feb 2025 16:33:56 -0600 Subject: [PATCH 26/38] update pfsense pipeline version. Remove unused component templates --- .../files/ingest/logs-pfsense.log-1.16.0 | 389 ------------------ ...nse.log-1.19.1 => logs-pfsense.log-1.20.2} | 53 ++- ...icata => logs-pfsense.log-1.20.2-suricata} | 0 .../logs-elastic_agent@package.json | 383 ----------------- ...ndpoint.diagnostic.collection@package.json | 132 ------ ...ics-fleet_server.agent_status@package.json | 201 --------- ...s-fleet_server.agent_versions@package.json | 102 ----- 7 files changed, 26 insertions(+), 1234 deletions(-) delete mode 100644 salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0 rename salt/elasticsearch/files/ingest/{logs-pfsense.log-1.19.1 => logs-pfsense.log-1.20.2} (90%) rename salt/elasticsearch/files/ingest/{logs-pfsense.log-1.16.0-suricata => logs-pfsense.log-1.20.2-suricata} (100%) delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_status@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_versions@package.json diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0 b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0 deleted file mode 100644 index f53abb0e3..000000000 --- a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0 +++ /dev/null 
@@ -1,389 +0,0 @@ -{ - "description": "Pipeline for PFsense", - "processors": [ - { - "set": { - "field": "ecs.version", - "value": "8.10.0" - } - }, - { - "set": { - "field": "observer.vendor", - "value": "netgate" - } - }, - { - "set": { - "field": "observer.type", - "value": "firewall" - } - }, - { - "rename": { - "field": "message", - "target_field": "event.original" - } - }, - { - "set": { - "field": "event.kind", - "value": "event" - } - }, - { - "set": { - "field": "event.timezone", - "value": "{{_tmp.tz_offset}}", - "if": "ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local'" - } - }, - { - "grok": { - "description": "Parse syslog header", - "field": "event.original", - "patterns": [ - "^(%{ECS_SYSLOG_PRI})?%{TIMESTAMP} %{GREEDYDATA:message}" - ], - "pattern_definitions": { - "ECS_SYSLOG_PRI": "<%{NONNEGINT:log.syslog.priority:long}>(\\d )?", - "TIMESTAMP": "(?:%{BSD_TIMESTAMP_FORMAT}|%{SYSLOG_TIMESTAMP_FORMAT})", - "BSD_TIMESTAMP_FORMAT": "%{SYSLOGTIMESTAMP:_tmp.timestamp}(%{SPACE}%{BSD_PROCNAME}|%{SPACE}%{OBSERVER}%{SPACE}%{BSD_PROCNAME})(\\[%{POSINT:process.pid:long}\\])?:", - "BSD_PROCNAME": "(?:\\b%{NAME:process.name}|\\(%{NAME:process.name}\\))", - "NAME": "[[[:alnum:]]_-]+", - "SYSLOG_TIMESTAMP_FORMAT": "%{TIMESTAMP_ISO8601:_tmp.timestamp8601}%{SPACE}%{OBSERVER}%{SPACE}%{PROCESS}%{SPACE}(%{POSINT:process.pid:long}|-) - (-|%{META})", - "TIMESTAMP_ISO8601": "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?", - "OBSERVER": "(?:%{IP:observer.ip}|%{HOSTNAME:observer.name})", - "PROCESS": "(\\(%{DATA:process.name}\\)|(?:%{UNIXPATH}*/)?%{BASEPATH:process.name})", - "BASEPATH": "[[[:alnum:]]_%!$@:.,+~-]+", - "META": "\\[[^\\]]*\\]" - } - } - }, - { - "date": { - "if": "ctx._tmp.timestamp8601 != null", - "field": "_tmp.timestamp8601", - "target_field": "@timestamp", - "formats": [ - "ISO8601" - ] - } - }, - { - "date": { - "if": "ctx.event?.timezone != null && ctx._tmp?.timestamp != null", - 
"field": "_tmp.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss" - ], - "timezone": "{{ event.timezone }}" - } - }, - { - "grok": { - "description": "Set Event Provider", - "field": "process.name", - "patterns": [ - "^%{HYPHENATED_WORDS:event.provider}" - ], - "pattern_definitions": { - "HYPHENATED_WORDS": "\\b[A-Za-z0-9_]+(-[A-Za-z_]+)*\\b" - } - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-firewall", - "if": "ctx.event.provider == 'filterlog'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-openvpn", - "if": "ctx.event.provider == 'openvpn'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-ipsec", - "if": "ctx.event.provider == 'charon'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-dhcp", - "if": "[\"dhcpd\", \"dhclient\", \"dhcp6c\"].contains(ctx.event.provider)" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-unbound", - "if": "ctx.event.provider == 'unbound'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-haproxy", - "if": "ctx.event.provider == 'haproxy'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-php-fpm", - "if": "ctx.event.provider == 'php-fpm'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-squid", - "if": "ctx.event.provider == 'squid'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-suricata", - "if": "ctx.event.provider == 'suricata'" - } - }, - { - "drop": { - "if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"suricata\"].contains(ctx.event?.provider)" - } - }, - { - "append": { - "field": "event.category", - "value": "network", - "if": "ctx.network != null" - } - }, - { - "convert": { - "field": "source.address", - "target_field": "source.ip", - "type": "ip", - "ignore_failure": true, - "ignore_missing": true - } - }, - { - "convert": { - 
"field": "destination.address", - "target_field": "destination.ip", - "type": "ip", - "ignore_failure": true, - "ignore_missing": true - } - }, - { - "set": { - "field": "network.type", - "value": "ipv6", - "if": "ctx.source?.ip != null && ctx.source.ip.contains(\":\")" - } - }, - { - "set": { - "field": "network.type", - "value": "ipv4", - "if": "ctx.source?.ip != null && ctx.source.ip.contains(\".\")" - } - }, - { - "geoip": { - "field": "source.ip", - "target_field": "source.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "field": "destination.ip", - "target_field": "destination.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "ignore_missing": true, - "database_file": "GeoLite2-ASN.mmdb", - "field": "source.ip", - "target_field": "source.as", - "properties": [ - "asn", - "organization_name" - ] - } - }, - { - "geoip": { - "database_file": "GeoLite2-ASN.mmdb", - "field": "destination.ip", - "target_field": "destination.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.asn", - "target_field": "source.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.organization_name", - "target_field": "source.as.organization.name", - "ignore_missing": true - } - }, - { - "rename": { - "field": "destination.as.asn", - "target_field": "destination.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "destination.as.organization_name", - "target_field": "destination.as.organization.name", - "ignore_missing": true - } - }, - { - "community_id": { - "target_field": "network.community_id", - "ignore_failure": true - } - }, - { - "grok": { - "field": "observer.ingress.interface.name", - "patterns": [ - "%{DATA}.%{NONNEGINT:observer.ingress.vlan.id}" - ], - "ignore_missing": true, - "ignore_failure": true - } - }, - { - "set": { - "field": "network.vlan.id", - "copy_from": "observer.ingress.vlan.id", - "ignore_empty_value": 
true - } - }, - { - "append": { - "field": "related.ip", - "value": "{{destination.ip}}", - "allow_duplicates": false, - "if": "ctx.destination?.ip != null" - } - }, - { - "append": { - "field": "related.ip", - "value": "{{source.ip}}", - "allow_duplicates": false, - "if": "ctx.source?.ip != null" - } - }, - { - "append": { - "field": "related.ip", - "value": "{{source.nat.ip}}", - "allow_duplicates": false, - "if": "ctx.source?.nat?.ip != null" - } - }, - { - "append": { - "field": "related.hosts", - "value": "{{destination.domain}}", - "if": "ctx.destination?.domain != null" - } - }, - { - "append": { - "field": "related.user", - "value": "{{user.name}}", - "if": "ctx.user?.name != null" - } - }, - { - "set": { - "field": "network.direction", - "value": "{{network.direction}}bound", - "if": "ctx.network?.direction != null && ctx.network?.direction =~ /^(in|out)$/" - } - }, - { - "remove": { - "field": [ - "_tmp" - ], - "ignore_failure": true - } - }, - { - "script": { - "lang": "painless", - "description": "This script processor iterates over the whole document to remove fields with null values.", - "source": "void handleMap(Map map) {\n for (def x : map.values()) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\n map.values().removeIf(v -> v == null || (v instanceof String && v == \"-\"));\n}\nvoid handleList(List list) {\n for (def x : list) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\n}\nhandleMap(ctx);\n" - } - }, - { - "remove": { - "field": "event.original", - "if": "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))", - "ignore_failure": true, - "ignore_missing": true - } - }, - { - "pipeline": { - "name": "logs-pfsense.log@custom", - "ignore_missing_pipeline": true - } - } - ], - "on_failure": [ - { - "remove": { - "field": [ - "_tmp" - ], - "ignore_failure": true - } - }, - { - "set": { - "field": "event.kind", - "value": 
"pipeline_error" - } - }, - { - "append": { - "field": "error.message", - "value": "{{{ _ingest.on_failure_message }}}" - } - } - ], - "_meta": { - "managed_by": "fleet", - "managed": true, - "package": { - "name": "pfsense" - } - } -} diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.19.1 b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 similarity index 90% rename from salt/elasticsearch/files/ingest/logs-pfsense.log-1.19.1 rename to salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 index 6166f6b55..d4861a35b 100644 --- a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.19.1 +++ b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 @@ -36,7 +36,7 @@ { "set": { "field": "event.timezone", - "value": "{{_tmp.tz_offset}}", + "value": "{{{_tmp.tz_offset}}}", "if": "ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local'" } }, @@ -83,7 +83,7 @@ "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ], - "timezone": "{{ event.timezone }}" + "timezone": "{{{ event.timezone }}}" } }, { 
@@ -100,61 +100,67 @@ }, { "pipeline": { - "name": "logs-pfsense.log-1.19.1-firewall", + "name": "logs-pfsense.log-1.20.2-firewall", "if": "ctx.event.provider == 'filterlog'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.19.1-openvpn", + "name": "logs-pfsense.log-1.20.2-openvpn", "if": "ctx.event.provider == 'openvpn'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.19.1-ipsec", + "name": "logs-pfsense.log-1.20.2-ipsec", "if": "ctx.event.provider == 'charon'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.19.1-dhcp", + "name": "logs-pfsense.log-1.20.2-dhcp", "if": "[\"dhcpd\", \"dhclient\", \"dhcp6c\"].contains(ctx.event.provider)" } }, { "pipeline": { - "name": "logs-pfsense.log-1.19.1-unbound", + "name": "logs-pfsense.log-1.20.2-unbound", "if": "ctx.event.provider == 'unbound'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.19.1-haproxy", + "name": "logs-pfsense.log-1.20.2-haproxy", "if": "ctx.event.provider == 'haproxy'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.19.1-php-fpm", + "name": "logs-pfsense.log-1.20.2-php-fpm", "if": "ctx.event.provider == 'php-fpm'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.19.1-squid", + "name": "logs-pfsense.log-1.20.2-squid", "if": "ctx.event.provider == 'squid'" } }, + { + "pipeline": { + "name": "logs-pfsense.log-1.20.2-snort", + "if": "ctx.event.provider == 'snort'" + } + }, { "pipeline": { - "name": "logs-pfsense.log-1.16.0-suricata", + "name": "logs-pfsense.log-1.20.2-suricata", "if": "ctx.event.provider == 'suricata'" } }, { "drop": { - "if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"suricata\"].contains(ctx.event?.provider)" + "if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"snort\"].contains(ctx.event?.provider)" } }, { 
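Review bot: The rewritten `drop` allow-list swaps `"suricata"` for `"snort"` while the `pipeline` processor that routes `ctx.event.provider == 'suricata'` into `logs-pfsense.log-1.20.2-suricata` is kept (and this same patch renames the suricata sub-pipeline file to match), so a suricata event is first processed by that sub-pipeline and then dropped by the processor immediately after it. If suricata events are still meant to be ingested, the list needs both providers: `"if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"snort\", \"suricata\"].contains(ctx.event?.provider)"`. If dropping suricata is the intent, the suricata `pipeline` entry and the renamed `-suricata` file are dead and should be removed instead. The rest of the hunk (version bumps and the added snort route) reads fine.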
@@ -288,7 +294,7 @@
 {
 "append": {
 "field": "related.ip",
- "value": "{{destination.ip}}",
+ "value": "{{{destination.ip}}}",
 "allow_duplicates": false,
 "if": "ctx.destination?.ip != null"
 }
@@ -296,7 +302,7 @@
 {
 "append": {
 "field": "related.ip",
- "value": "{{source.ip}}",
+ "value": "{{{source.ip}}}",
 "allow_duplicates": false,
 "if": "ctx.source?.ip != null"
 }
@@ -304,7 +310,7 @@
 {
 "append": {
 "field": "related.ip",
- "value": "{{source.nat.ip}}",
+ "value": "{{{source.nat.ip}}}",
 "allow_duplicates": false,
 "if": "ctx.source?.nat?.ip != null"
 }
@@ -312,21 +318,21 @@
 {
 "append": {
 "field": "related.hosts",
- "value": "{{destination.domain}}",
+ "value": "{{{destination.domain}}}",
 "if": "ctx.destination?.domain != null"
 }
 },
 {
 "append": {
 "field": "related.user",
- "value": "{{user.name}}",
+ "value": "{{{user.name}}}",
 "if": "ctx.user?.name != null"
 }
 },
 {
 "set": {
 "field": "network.direction",
- "value": "{{network.direction}}bound",
+ "value": "{{{network.direction}}}bound",
 "if": "ctx.network?.direction != null && ctx.network?.direction =~ /^(in|out)$/"
 }
 },
@@ -403,12 +409,5 @@
 "value": "{{{ _ingest.on_failure_message }}}"
 }
 }
- ],
- "_meta": {
- "managed_by": "fleet",
- "managed": true,
- "package": {
- "name": "pfsense"
- }
- }
-}
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0-suricata b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2-suricata
similarity index 100%
rename from salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0-suricata
rename to salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2-suricata
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json
deleted file mode 100644
index efd85bb4b..000000000
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json
+++ /dev/null
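Review bot: The last hunk (`@@ -403,12 +409,5 @@`) removes the pipeline's `_meta` block, dropping the `"managed_by": "fleet"` / `"managed": true` markers; if Fleet or the template loader uses that metadata to recognise the pipeline as package-managed, the renamed 1.20.2 pipeline now presents as hand-written, and patch 27/38 later in this series re-adds the block, which suggests it is in fact needed. Keeping the `_meta` object here rather than restoring it in a follow-up would leave every intermediate commit in a consistent state. The same hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which is worth fixing while the closing `}` is being edited.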
@@ -1,383 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent-1.20.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version", - "component.id", - "component.type", - "component.binary", - "component.state", - "component.old_state", - "unit.id", - "unit.type", - "unit.state", - "unit.old_state" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "text" - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "component": { - "properties": { - "binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "wildcard" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "unit": { - "properties": { - "old_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "wildcard" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 
1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@package.json deleted file mode 100644 index bf60f2543..000000000 
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@package.json +++ /dev/null 
@@ -1,132 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs-endpoint.collection-diagnostic" - }, - "codec": "best_compression", - "default_pipeline": "logs-endpoint.diagnostic.collection-8.10.2", - "mapping": { - "total_fields": { - "limit": "10000" - }, - "ignore_malformed": "true" - }, - "query": { - "default_field": [ - "ecs.version", - "event.action", - "event.category", - "event.code", - "event.dataset", - "event.hash", - "event.id", - "event.kind", - "event.module", - "event.outcome", - "event.provider", - "event.type" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "@timestamp": { - "ignore_malformed": false, - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "event": { - "properties": { - "severity": { - "type": "long" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_status@package.json b/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_status@package.json deleted file mode 100644 index 8fc83f9cb..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_status@package.json +++ /dev/null 
@@ -1,201 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "metrics" - }, - "default_pipeline": "metrics-fleet_server.agent_status-1.5.0", - "mapping": { - "total_fields": { - "limit": "1000" - } - } - } - }, - "mappings": { - "dynamic": false, - "_source": { - "mode": "synthetic" - }, - "properties": { - "cluster": { - "properties": { - "id": { - "time_series_dimension": true, - "type": "keyword" - } - } - }, - "fleet": { - "properties": { - "agents": { - "properties": { - "offline": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "total": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "updating": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "inactive": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "healthy": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "unhealthy": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "unenrolled": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "enrolled": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "unhealthy_reason": { - "properties": { - "output": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "input": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "other": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - } - } - }, - "upgrading_step": { - "properties": { - "rollback": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "requested": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "restarting": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "downloading": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "scheduled": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "extracting": { - "time_series_metric": 
"gauge", - "meta": {}, - "type": "long" - }, - "replacing": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "failed": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "watching": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - } - } - } - } - } - } - }, - "agent": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "ignore_malformed": false, - "type": "date" - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "kibana": { - "properties": { - "uuid": { - "path": "agent.id", - "type": "alias" - }, - "version": { - "path": "agent.version", - "type": "alias" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "fleet_server" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_versions@package.json b/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_versions@package.json deleted file mode 100644 index af3323ee9..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_versions@package.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "metrics" - }, - "default_pipeline": "metrics-fleet_server.agent_versions-1.5.0", - "mapping": { - "total_fields": { - "limit": "1000" - } - } - } - }, - "mappings": { - "dynamic": false, - "_source": { - "mode": "synthetic" - }, - "properties": { - "cluster": { - "properties": { - "id": { - "time_series_dimension": true, - "type": "keyword" - } - } - }, - "fleet": { - "properties": { - "agent": { - "properties": { - "count": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "version": { - "time_series_dimension": true, - "type": "keyword" - } - } - } - } - }, - "agent": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "ignore_malformed": false, - "type": "date" - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "kibana": { - "properties": { - "uuid": { - "path": "agent.id", - "type": "alias" - }, - "version": { - "path": "agent.version", - "type": "alias" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "fleet_server" - }, - "managed_by": "fleet", - "managed": true - } -} From c711ffe6c5cba43ca64b782575dc09e27bb14e91 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 13 Feb 2025 08:44:56 -0600 Subject: [PATCH 27/38] keep pipeline "managed" metadata --- salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 index d4861a35b..78a65b444 100644 
--- a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 +++ b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 @@ -1,5 +1,12 @@ { "description": "Pipeline for PFsense", + "_meta": { + "package": { + "name": "pfsense" + }, + "managed_by": "fleet", + "managed": true + }, "processors": [ { "set": { @@ -153,7 +160,7 @@ } }, { - "pipeline": { + "pipeline": { "name": "logs-pfsense.log-1.20.2-suricata", "if": "ctx.event.provider == 'suricata'" } From 03b76cbcf5ede6b1f590227ee414469edd4d1aec Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 13 Feb 2025 08:51:50 -0600 Subject: [PATCH 28/38] remove state files --- salt/manager/tools/sbin/soup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 89255f839..85da8bbd9 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -538,8 +538,8 @@ post_to_2.4.120() { } post_to_2.4.130() { - # Integrations policies need to be updated - rm -f /opt/so/state/eaintegrations.txt + # Integrations policies need to be updated, along with ingest pipelines & index templates. + rm -f /opt/so/state/eaintegrations.txt /opt/so/state/espipelines.txt /opt/so/state/estemplates.txt # Sync the newly generated index templates for elasticfleet integrations salt-call state.apply elasticsearch queue=True From 8568c372f6e82f8ba508644155e8704fa8e1cd41 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 17 Feb 2025 12:21:31 -0600 Subject: [PATCH 29/38] disable fleet apm --- salt/kibana/defaults.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index 6cc4d123a..d0ba37e7b 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -35,3 +35,5 @@ kibana: hostname: localhost fleet: registryUrl: "" + apm: + enabled: false From 85dcfbf36877e3cc4a56fe67bef5cc0ffb3280ba Mon Sep 17 00:00:00 2001 
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 17 Feb 2025 12:27:36 -0600
Subject: [PATCH 30/38] update kibana default space
---
 salt/kibana/tools/sbin_jinja/so-kibana-space-defaults | 2 +-
 salt/manager/tools/sbin/soup | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults b/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults
index 6e4959194..4a2b5902c 100755
--- a/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults
+++ b/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults
@@ -13,6 +13,6 @@ echo "Setting up default Space:"
 {% if HIGHLANDER %}
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log
 {% else %}
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCases"]} ' >> /opt/so/log/kibana/misc.log
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCasesV2","siem","inventory","dataQuality","actions"]} ' >> /opt/so/log/kibana/misc.log
 {% endif %}
 echo
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 85da8bbd9..3bcef79ef 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
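Review bot: The new `disabledFeatures` array lists `"actions"` twice — once after `"stackAlerts"` and again as the final element — which reads like a merge artefact and obscures what actually changed against the old list (`securitySolutionCases` → `securitySolutionCasesV2`, plus `siem`, `inventory` and `dataQuality`); drop the trailing `,"actions"`. Adding `"siem"` disables the Kibana Security app for every user of the default space, which is presumably intended because the SOC UI covers that role, but a one-line comment above the `{% else %}` branch stating that intent would save the next reader from treating it as a mistake.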
@@ -544,6 +544,11 @@ post_to_2.4.130() { # Sync the newly generated index templates for elasticfleet integrations salt-call state.apply elasticsearch queue=True + # Update kibana default space + salt-call state.apply kibana.config queue=True + echo "Updating Kibana default space" + /usr/sbin/so-kibana-space-defaults + POSTVERSION=2.4.130 } From 12f0195f292f7e44f007e1b1f85da6e8fba3db08 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 17 Feb 2025 12:28:23 -0600 Subject: [PATCH 31/38] pfsense integration - keep suricata events --- salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 index 78a65b444..d12a03149 100644 --- a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 +++ b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 @@ -167,7 +167,7 @@ }, { "drop": { - "if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"snort\"].contains(ctx.event?.provider)" + "if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"snort\", \"suricata\"].contains(ctx.event?.provider)" } }, { From 3530bff320522e6c255b77bfd55e9301346bc9fa Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 17 Feb 2025 12:29:27 -0600 Subject: [PATCH 32/38] always update package components state file to ensure index templates are created with any available integration components --- .../sbin/so-elastic-fleet-optional-integrations-load | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) 
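Review bot: The added `/usr/sbin/so-kibana-space-defaults` call does not check its exit status, so if Kibana is not reachable when this post-upgrade hook runs the space update is skipped silently while `POSTVERSION=2.4.130` is still recorded, and the hook presumably does not run again. The underlying script (the `sbin_jinja` template earlier in this series) only appends curl's output to `/opt/so/log/kibana/misc.log`, so the failure would not surface in soup's own output either. Consider `/usr/sbin/so-kibana-space-defaults || echo "WARNING: Kibana default space update failed; re-run so-kibana-space-defaults after Kibana is up"`, or whatever wait/retry helper soup already uses for Kibana calls. `post_to_2.4.130` begins outside this hunk.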
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load index 6d87b958c..dface5a72 100644 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load @@ -91,15 +91,12 @@ if [[ -f $STATE_FILE_SUCCESS ]]; then if [ "$PENDING_UPDATE" = true ]; then # Run bulk install of packages elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_OUTPUT - - # Write out file for generating index/component/ilm templates - latest_installed_package_list=$(elastic_fleet_installed_packages) - echo $latest_installed_package_list | jq '[.items[] | {name: .name, es_index_patterns: .dataStreams}]' > $PACKAGE_COMPONENTS - else echo "Elastic integrations don't appear to need installation/updating..." - exit 0 fi + # Write out file for generating index/component/ilm templates + latest_installed_package_list=$(elastic_fleet_installed_packages) + echo $latest_installed_package_list | jq '[.items[] | {name: .name, es_index_patterns: .dataStreams}]' > $PACKAGE_COMPONENTS else # This is the installation of add-on integrations and upgrade of existing integrations. Exiting without error, next highstate will attempt to re-run. From 235a8e3934ff26f27c07057d3829648d5efd46cb Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 17 Feb 2025 18:30:51 -0600 Subject: [PATCH 33/38] update index templates for endpoint integration --- salt/elasticsearch/defaults.yaml | 215 ++++++++++++++++++++++++++++--- 1 file changed, 196 insertions(+), 19 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 04198a160..3eafa5e3d 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
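Review bot: The relocated `echo $latest_installed_package_list | jq ...` line still passes the Fleet API response through an unquoted expansion, so the shell word-splits and glob-expands the JSON before `jq` sees it; values such as index patterns typically contain `*`, which could match files in the current directory. Use `printf '%s' "$latest_installed_package_list" | jq '[.items[] | {name: .name, es_index_patterns: .dataStreams}]' > $PACKAGE_COMPONENTS` (or `jq ... <<< "$latest_installed_package_list"`). Because this write now runs on every pass, a failed `elastic_fleet_installed_packages` call or invalid JSON would also truncate `$PACKAGE_COMPONENTS` to an empty file; writing to a temp file and moving it into place only when `jq` succeeds would preserve the last good state. The enclosing `if [[ -f $STATE_FILE_SUCCESS ]]` block starts and ends outside this hunk.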
@@ -1783,13 +1783,131 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-logs-endpoint_x_actions: + index_sorting: false + index_template: + composed_of: + - .logs-endpoint.actions@package + - .logs-endpoint.actions@custom + - event-mappings + - so-fleet_integrations.ip_mappings-1 + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + ignore_missing_component_templates: + - .logs-endpoint.actions@custom + index_patterns: + - logs-endpoint.actions-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.actions-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_action_x_responses: + index_sorting: false + index_template: + composed_of: + - .logs-endpoint.action.responses@package + - .logs-endpoint.action.responses@custom + - event-mappings + - so-fleet_integrations.ip_mappings-1 + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + ignore_missing_component_templates: + - .logs-endpoint.action.responses@custom + index_patterns: + - logs-endpoint.action.responses-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.actions-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + 
set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-logs-endpoint_x_alerts: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.alerts@custom - logs-endpoint.alerts@package + - logs-endpoint.alerts@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -1846,9 +1964,9 @@ elasticsearch: index_sorting: false index_template: composed_of: + - .logs-endpoint.diagnostic.collection@package + - .logs-endpoint.diagnostic.collection@custom - event-mappings - - logs-endpoint.diagnostic.collection@custom - - logs-endpoint.diagnostic.collection@package - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -1856,7 +1974,7 @@ elasticsearch: allow_custom_routing: false hidden: false ignore_missing_component_templates: - - logs-endpoint.diagnostic.collection@custom + - .logs-endpoint.diagnostic.collection@custom index_patterns: - .logs-endpoint.diagnostic.collection-* priority: 501 @@ -1905,9 +2023,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.api@custom - logs-endpoint.events.api@package + - logs-endpoint.events.api@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -1964,9 +2082,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.file@custom - logs-endpoint.events.file@package + - logs-endpoint.events.file@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 
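Review bot: In the new `so-logs-endpoint_x_action_x_responses` entry the `lifecycle.name` is `so-logs-endpoint.actions-logs`, the same policy name the `so-logs-endpoint_x_actions` entry above it declares, whereas the other new entries in this commit (`so-logs-endpoint_x_actions`, `so-logs-endpoint_x_heartbeat`) name their policy after their own dataset; unless sharing one ILM policy is intended, this should be `name: so-logs-endpoint.action.responses-logs`, otherwise the second `policy:` block presumably overwrites or is ignored in favour of the first. Separately, the new entries carry `_meta.package.name: elastic_agent` while the component templates they compose are `.logs-endpoint.*@package` and the deleted endpoint component template earlier in this series labels its package `endpoint`; if the value is only informational this is harmless, but worth confirming it is not used to match templates back to an installed package.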
@@ -2023,9 +2141,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.library@custom - logs-endpoint.events.library@package + - logs-endpoint.events.library@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -2082,9 +2200,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.network@custom - logs-endpoint.events.network@package + - logs-endpoint.events.network@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -2141,9 +2259,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.process@custom - logs-endpoint.events.process@package + - logs-endpoint.events.process@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -2200,9 +2318,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.registry@custom - logs-endpoint.events.registry@package + - logs-endpoint.events.registry@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -2259,9 +2377,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.security@custom - logs-endpoint.events.security@package + - logs-endpoint.events.security@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 
@@ -2314,6 +2432,65 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-logs-endpoint_x_heartbeat: + index_sorting: false + index_template: + composed_of: + - .logs-endpoint.heartbeat@package + - .logs-endpoint.heartbeat@custom + - event-mappings + - so-fleet_integrations.ip_mappings-1 + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + ignore_missing_component_templates: + - .logs-endpoint.heartbeat@custom + index_patterns: + - .logs-endpoint.heartbeat-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.heartbeat-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-logs-http_endpoint_x_generic: index_sorting: false index_template: From c1c72ddd9b507e5c27d630edf31f26d5e7f95b40 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 18 Feb 2025 10:39:54 -0600 Subject: [PATCH 34/38] update global@custom pipeline ignore null/empty string values --- salt/elasticsearch/files/ingest/global@custom | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/global@custom b/salt/elasticsearch/files/ingest/global@custom index 4c522374e..57d0e5d20 100644 --- a/salt/elasticsearch/files/ingest/global@custom +++ b/salt/elasticsearch/files/ingest/global@custom 
@@ -10,7 +10,7 @@
 { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } },
 { "split": { "if": "ctx.data_stream?.dataset.contains('.')", "field":"data_stream.dataset", "separator":"\\.", "target_field":"datastream_dataset_temp", "ignore_missing":true } },
 { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } },
- { "set": { "if": "ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "description":"Fix EA network packet capture" } },
+ { "set": { "if": "ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "ignore_empty_value":true, "description":"Fix EA network packet capture" } },
 { "gsub": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } },
 { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}", "allow_duplicates": false } },
 { "set": { "if": "ctx.network?.direction == 'egress'", "override": true, "field": "network.initiated", "value": "true" } },
From 21ed1439e2b4ebff2b7c3f3138d8fcf93909e4e9 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Tue, 18 Feb 2025 10:40:18 -0600
Subject: [PATCH 35/38] update udp integration policy
---
 .../integrations/grid-nodes_general/syslog-udp-514.json | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-udp-514.json b/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-udp-514.json
index ad32a6964..22821dea8 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-udp-514.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-udp-514.json
@@ -11,7 +11,7 @@
 "udp-udp": {
 "enabled": true,
 "streams": {
- "udp.generic": {
+ "udp.udp": {
 "enabled": true,
 "vars": {
 "listen_address": "0.0.0.0",
@@ -20,11 +20,13 @@
 "pipeline": "syslog",
 "max_message_size": "10KiB",
 "keep_null": false,
- "processors": "- add_fields:\n target: event\n fields: \n module: syslog\n",
+ "processors": "- add_fields:\n target: event\n fields: \n module: syslog",
 "tags": [
 "syslog"
 ],
- "syslog_options": "field: message\n#format: auto\n#timezone: Local"
+ "syslog_options": "field: message\n#format: auto\n#timezone: Local\n",
+ "preserve_original_event": false,
+ "custom": ""
 }
 }
 }
From 1be8de7acbc08b9df04aec9dea0a3f3b9458eba5 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Tue, 18 Feb 2025 11:16:57 -0600
Subject: [PATCH 36/38] must use null check
---
 salt/elasticsearch/files/ingest/global@custom | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/global@custom b/salt/elasticsearch/files/ingest/global@custom
index 57d0e5d20..e11a0be72 100644
--- a/salt/elasticsearch/files/ingest/global@custom
+++ b/salt/elasticsearch/files/ingest/global@custom
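Review bot: `"preserve_original_event": false` on the added line means the raw syslog datagram is not retained in `event.original`, so once the `syslog` pipeline has parsed a message the parse can only be checked against whatever the pipeline left in `message`; for a listener on `0.0.0.0` taking unauthenticated UDP that is a loss of evidence an analyst may later need, and it deserves to be a recorded decision rather than a default that arrived with the new variable. The file is JSON with no comment syntax, so the rationale (storage cost versus forensic value) belongs in the commit message or the policy's README. The stream key change `udp.generic` → `udp.udp` in the first hunk has to match the stream id declared by the installed version of the udp integration package; which version is pinned is not visible here, so worth a check against the installed package before this policy is pushed to agents.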
@@ -10,7 +10,7 @@
 { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } },
 { "split": { "if": "ctx.data_stream?.dataset.contains('.')", "field":"data_stream.dataset", "separator":"\\.", "target_field":"datastream_dataset_temp", "ignore_missing":true } },
 { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } },
- { "set": { "if": "ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "ignore_empty_value":true, "description":"Fix EA network packet capture" } },
+ { "set": { "if": "ctx.datastream_dataset_temp != null && ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "ignore_empty_value":true, "description":"Fix EA network packet capture" } },
 { "gsub": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } },
 { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}", "allow_duplicates": false } },
 { "set": { "if": "ctx.network?.direction == 'egress'", "override": true, "field": "network.initiated", "value": "true" } },
From 2b7ebf08cbcd2c87a9a5233692ba7caf19b8fb55 Mon Sep 17 00:00:00 2001
From: Jorge Reyes <94730068+reyesj2@users.noreply.github.com>
Date: Tue, 18 Feb 2025 13:18:08 -0600
Subject: [PATCH 37/38] Update VERSION
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 452820224..04d2c4735 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.4.0-foxtrot
\ No newline at end of file
+2.4.130
From f991d8a10a05986183b6197cc2ee662b25518f95 Mon Sep 17 00:00:00 2001
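Review bot: `"ignore_failure":true` is still on the set processor after the null guard was added to its `if`, so any error that remains in this step (a failing `{{ datastream_dataset_temp.0 }}` render, for instance) is swallowed and the document continues with `event.module` possibly unset — and because downstream detections commonly key on `event.module`, a silently skipped step here shows up as missed matches rather than as an ingest error anyone sees. Now that the condition is null-safe, either drop `ignore_failure` so genuine failures reach the pipeline's failure handling where they are visible, or say in the processor's `description` why best-effort is intended here, e.g. `"description":"Fix EA network packet capture; best-effort, failure leaves event.module from module_temp"`. The two processors on context lines that use a `?.` chain followed by `.contains('.')` are unchanged by this commit, but the same null-safety question applies to them if `dataset` can be absent while its parent object exists.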
From: Jorge Reyes <94730068+reyesj2@users.noreply.github.com>
Date: Tue, 18 Feb 2025 14:37:20 -0600
Subject: [PATCH 38/38] Update .gitleaks.toml
---
 .github/.gitleaks.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/.gitleaks.toml b/.github/.gitleaks.toml
index 21a047959..2111ed7bc 100644
--- a/.github/.gitleaks.toml
+++ b/.github/.gitleaks.toml
@@ -536,7 +536,7 @@ secretGroup = 4
 [allowlist]
 description = "global allow lists"
-regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''', '''RPM-GPG-KEY.*''', '''.*:.*StrelkaHexDump.*''', '''.*:.*PLACEHOLDER.*''', '''ssl_.*password''']
+regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''', '''RPM-GPG-KEY.*''', '''.*:.*StrelkaHexDump.*''', '''.*:.*PLACEHOLDER.*''', '''ssl_.*password''', '''integration_key\s=\s"so-logs-"''']
 paths = [
 '''gitleaks.toml''',
 '''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''',
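Review bot: The new allowlist entry `'''integration_key\s=\s"so-logs-"'''` carries no note of what it suppresses, and gitleaks matches allowlist `regexes` against the captured secret unless `regexTarget` is set to `match` or `line`; if the rule that produced the finding captures only the value, this pattern never matches and the finding persists, so the entry should be confirmed with a gitleaks run against the Salt file that triggered it before relying on it. A comment above the `regexes` line such as `# integration_key = "so-logs-…" in the Salt states is an index-name prefix, not a credential` would let a later maintainer judge whether the exception is still justified, which matters because every global allowlist entry is a permanent blind spot for the scanner. Anchoring on the literal `"so-logs-"` prefix rather than a wildcard is the right scope for an exception like this. The `[allowlist]` table continues outside the hunk.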