CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '2.4/dev' into kilo

Browse Source
This commit is contained in:
Jason Ertel
2023-03-07 15:26:01 -05:00
parent 4f3cb2eb3d 8c79d7e40d
commit a3e05d782e
112 changed files with 77 additions and 2870 deletions
Download Patch File Download Diff File Expand all files Collapse all files

138
salt/curator/defaults.yaml
View File

@@ -1,182 +1,62 @@
elasticsearch: elasticsearch:
index_settings: index_settings:
so-aws: logs-import-so:
warm: 7 close: 73000
delete: 73001
logs-strelka-so:
close: 30 close: 30
delete: 365 delete: 365
so-azure: logs-suricata-so:
warm: 7
close: 30 close: 30
delete: 365 delete: 365
so-barracuda: logs-syslog-so:
warm: 7 close: 30
delete: 365
logs-zeek-so:
close: 30 close: 30
delete: 365 delete: 365
so-beats: so-beats:
warm: 7
close: 30
delete: 365
so-bluecoat:
warm: 7
close: 30
delete: 365
so-cef:
warm: 7
close: 30
delete: 365
so-checkpoint:
warm: 7
close: 30
delete: 365
so-cisco:
warm: 7
close: 30
delete: 365
so-cyberark:
warm: 7
close: 30
delete: 365
so-cylance:
warm: 7
close: 30 close: 30
delete: 365 delete: 365
so-elasticsearch: so-elasticsearch:
warm: 7
close: 30
delete: 365
so-endgame:
warm: 7
close: 30
delete: 365
so-f5:
warm: 7
close: 30 close: 30
delete: 365 delete: 365
so-firewall: so-firewall:
warm: 7
close: 30
delete: 365
so-fortinet:
warm: 7
close: 30
delete: 365
so-gcp:
warm: 7
close: 30
delete: 365
so-google_workspace:
warm: 7
close: 30 close: 30
delete: 365 delete: 365
so-ids: so-ids:
warm: 7
close: 30
delete: 365
so-imperva:
warm: 7
close: 30 close: 30
delete: 365 delete: 365
so-import: so-import:
warm: 7
close: 73000 close: 73000
delete: 73001 delete: 73001
so-infoblox:
warm: 7
close: 30
delete: 365
so-juniper:
warm: 7
close: 30
delete: 365
so-kratos: so-kratos:
warm: 7
close: 30 close: 30
delete: 365 delete: 365
so-kibana: so-kibana:
warm: 7
close: 30 close: 30
delete: 365 delete: 365
so-logstash: so-logstash:
warm: 7
close: 30
delete: 365
so-microsoft:
warm: 7
close: 30
delete: 365
so-misp:
warm: 7
close: 30 close: 30
delete: 365 delete: 365
so-netflow: so-netflow:
warm: 7
close: 30
delete: 365
so-netscout:
warm: 7
close: 30
delete: 365
so-o365:
warm: 7
close: 30
delete: 365
so-okta:
warm: 7
close: 30 close: 30
delete: 365 delete: 365
so-osquery: so-osquery:
warm: 7
close: 30 close: 30
delete: 365 delete: 365
so-ossec: so-ossec:
warm: 7
close: 30
delete: 365
so-proofpoint:
warm: 7
close: 30
delete: 365
so-radware:
warm: 7
close: 30 close: 30
delete: 365 delete: 365
so-redis: so-redis:
warm: 7
close: 30
delete: 365
so-snort:
warm: 7
close: 30
delete: 365
so-snyk:
warm: 7
close: 30
delete: 365
so-sonicwall:
warm: 7
close: 30
delete: 365
so-sophos:
warm: 7
close: 30 close: 30
delete: 365 delete: 365
so-strelka: so-strelka:
warm: 7
close: 30 close: 30
delete: 365 delete: 365
so-syslog: so-syslog:
warm: 7
close: 30
delete: 365
so-tomcat:
warm: 7
close: 30 close: 30
delete: 365 delete: 365
so-zeek: so-zeek:
warm: 7
close: 30
delete: 365
so-zscaler:
warm: 7
close: 30 close: 30
delete: 365 delete: 365

6
salt/curator/files/action/so-cef-close.yml → salt/curator/files/action/logs-import-so-close.yml
View File

@@ -3,12 +3,12 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-cef'].close %} {%- set cur_close_days = CURATORMERGED['logs-import-so'].close %}
actions: actions:
1: 1:
action: close action: close
description: >- description: >-
Close cef indices older than {{cur_close_days}} days. Close import indices older than {{cur_close_days}} days.
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
@@ -17,7 +17,7 @@ actions:
filters: filters:
- filtertype: pattern - filtertype: pattern
kind: regex kind: regex
value: '^(logstash-cef.*|so-cef.*)$' value: '^(.ds-logs-import-so.*)$'
- filtertype: age - filtertype: age
source: name source: name
direction: older direction: older

6
salt/curator/files/action/so-sophos-delete.yml → salt/curator/files/action/logs-import-so-delete.yml
View File

@@ -3,19 +3,19 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-sophos'].delete %} {%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %}
actions: actions:
1: 1:
action: delete_indices action: delete_indices
description: >- description: >-
Delete sophos indices when older than {{ DELETE_DAYS }} days. Delete import indices when older than {{ DELETE_DAYS }} days.
options: options:
ignore_empty_list: True ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
kind: regex kind: regex
value: '^(logstash-sophos.*|so-sophos.*)$' value: '^(.ds-logs-import-so.*)$'
- filtertype: age - filtertype: age
source: name source: name
direction: older direction: older

6
salt/curator/files/action/so-azure-close.yml → salt/curator/files/action/logs-strelka-so-close.yml
View File

@@ -3,12 +3,12 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-azure'].close %} {%- set cur_close_days = CURATORMERGED['logs-strelka-so'].close %}
actions: actions:
1: 1:
action: close action: close
description: >- description: >-
Close azure indices older than {{cur_close_days}} days. Close Strelka indices older than {{cur_close_days}} days.
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
@@ -17,7 +17,7 @@ actions:
filters: filters:
- filtertype: pattern - filtertype: pattern
kind: regex kind: regex
value: '^(logstash-azure.*|so-azure.*)$' value: '^(.ds-logs-strelka-so.*)$'
- filtertype: age - filtertype: age
source: name source: name
direction: older direction: older

6
salt/curator/files/action/so-cylance-delete.yml → salt/curator/files/action/logs-strelka-so-delete.yml
View File

@@ -3,19 +3,19 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-cylance'].delete %} {%- set DELETE_DAYS = CURATORMERGED['logs-strelka-so'].delete %}
actions: actions:
1: 1:
action: delete_indices action: delete_indices
description: >- description: >-
Delete cylance indices when older than {{ DELETE_DAYS }} days. Delete Strelka indices when older than {{ DELETE_DAYS }} days.
options: options:
ignore_empty_list: True ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
kind: regex kind: regex
value: '^(logstash-cylance.*|so-cylance.*)$' value: '^(.ds-logs-strelka-so.*)$'
- filtertype: age - filtertype: age
source: name source: name
direction: older direction: older

7
salt/curator/files/action/so-f5-close.yml → salt/curator/files/action/logs-suricata-so-close.yml
View File

@@ -3,13 +3,12 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-suricata-so'].close %}
{%- set cur_close_days = CURATORMERGED['so-f5'].close %}
actions: actions:
1: 1:
action: close action: close
description: >- description: >-
Close f5 indices older than {{cur_close_days}} days. Close Suricata indices older than {{cur_close_days}} days.
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
@@ -18,7 +17,7 @@ actions:
filters: filters:
- filtertype: pattern - filtertype: pattern
kind: regex kind: regex
value: '^(logstash-f5.*|so-f5.*)$' value: '^(.ds-logs-suricata-so.*)$'
- filtertype: age - filtertype: age
source: name source: name
direction: older direction: older

6
salt/curator/files/action/so-bluecoat-delete.yml → salt/curator/files/action/logs-suricata-so-delete.yml
View File

@@ -3,19 +3,19 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-bluecoat'].delete %} {%- set DELETE_DAYS = CURATORMERGED['logs-suricata-so'].delete %}
actions: actions:
1: 1:
action: delete_indices action: delete_indices
description: >- description: >-
Delete bluecoat indices when older than {{ DELETE_DAYS }} days. Delete Suricata indices when older than {{ DELETE_DAYS }} days.
options: options:
ignore_empty_list: True ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
kind: regex kind: regex
value: '^(logstash-bluecoat.*|so-bluecoat.*)$' value: '^(.ds-logs-suricata-so.*)$'
- filtertype: age - filtertype: age
source: name source: name
direction: older direction: older

6
salt/curator/files/action/so-cisco-close.yml → salt/curator/files/action/logs-syslog-so-close.yml
View File

@@ -3,12 +3,12 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-cisco'].close %} {%- set cur_close_days = CURATORMERGED['logs-syslog-so'].close %}
actions: actions:
1: 1:
action: close action: close
description: >- description: >-
Close cisco indices older than {{cur_close_days}} days. Close syslog indices older than {{cur_close_days}} days.
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
@@ -17,7 +17,7 @@ actions:
filters: filters:
- filtertype: pattern - filtertype: pattern
kind: regex kind: regex
value: '^(logstash-cisco.*|so-cisco.*)$' value: '^(.ds-logs-syslog-so.*)$'
- filtertype: age - filtertype: age
source: name source: name
direction: older direction: older

6
salt/curator/files/action/so-tomcat-delete.yml → salt/curator/files/action/logs-syslog-so-delete.yml
View File

@@ -3,19 +3,19 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-tomcat'].delete %} {%- set DELETE_DAYS = CURATORMERGED['logs-syslog-so'].delete %}
actions: actions:
1: 1:
action: delete_indices action: delete_indices
description: >- description: >-
Delete tomcat indices when older than {{ DELETE_DAYS }} days. Delete syslog indices when older than {{ DELETE_DAYS }} days.
options: options:
ignore_empty_list: True ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
kind: regex kind: regex
value: '^(logstash-tomcat.*|so-tomcat.*)$' value: '^(.ds-logs-syslog-so.*)$'
- filtertype: age - filtertype: age
source: name source: name
direction: older direction: older

6
salt/curator/files/action/so-aws-close.yml → salt/curator/files/action/logs-zeek-so-close.yml
View File

@@ -3,12 +3,12 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-aws'].close %} {%- set cur_close_days = CURATORMERGED['logs-zeek-so'].close %}
actions: actions:
1: 1:
action: close action: close
description: >- description: >-
Close aws indices older than {{cur_close_days}} days. Close Zeek indices older than {{cur_close_days}} days.
options: options:
delete_aliases: False delete_aliases: False
timeout_override: timeout_override:
@@ -17,7 +17,7 @@ actions:
filters: filters:
- filtertype: pattern - filtertype: pattern
kind: regex kind: regex
value: '^(logstash-aws.*|so-aws.*)$' value: '^(.ds-logs-zeek-so.*)$'
- filtertype: age - filtertype: age
source: name source: name
direction: older direction: older

6
salt/curator/files/action/so-misp-delete.yml → salt/curator/files/action/logs-zeek-so-delete.yml
View File

@@ -3,19 +3,19 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-misp'].delete %} {%- set DELETE_DAYS = CURATORMERGED['logs-zeek-so'].delete %}
actions: actions:
1: 1:
action: delete_indices action: delete_indices
description: >- description: >-
Delete misp indices when older than {{ DELETE_DAYS }} days. Delete Zeek indices when older than {{ DELETE_DAYS }} days.
options: options:
ignore_empty_list: True ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
kind: regex kind: regex
value: '^(logstash-misp.*|so-misp.*)$' value: '^(.ds-logs-zeek-so.*)$'
- filtertype: age - filtertype: age
source: name source: name
direction: older direction: older

27
salt/curator/files/action/so-aws-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-aws'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete aws indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-aws.*|so-aws.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-aws-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-aws'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-aws
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-azure-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-azure'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete azure indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-azure.*|so-azure.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-azure-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-azure'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-azure
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-barracuda-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-barracuda'].close %}
actions:
1:
action: close
description: >-
Close barracuda indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-barracuda.*|so-barracuda.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

27
salt/curator/files/action/so-barracuda-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-barracuda'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete barracuda indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-barracuda.*|so-barracuda.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-barracuda-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-barracuda'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-barracuda
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

29
salt/curator/files/action/so-beats-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-beats'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-beats
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-bluecoat-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-bluecoat'].close %}
actions:
1:
action: close
description: >-
Close bluecoat indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-bluecoat.*|so-bluecoat.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

29
salt/curator/files/action/so-bluecoat-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-bluecoat'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-bluecoat
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-cef-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-cef'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete cef indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-cef.*|so-cef.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-cef-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-cef'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-cef
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-checkpoint-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-checkpoint'].close %}
actions:
1:
action: close
description: >-
Close checkpoint indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-checkpoint.*|so-checkpoint.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

27
salt/curator/files/action/so-checkpoint-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-checkpoint'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete checkpoint indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-checkpoint.*|so-checkpoint.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-checkpoint-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-checkpoint'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-checkpoint
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-cisco-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-cisco'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete cisco indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-cisco.*|so-cisco.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-cisco-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-cisco'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-cisco
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-cyberark-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-cyberark'].close %}
actions:
1:
action: close
description: >-
Close cyberark indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-cyberark.*|so-cyberark.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

27
salt/curator/files/action/so-cyberark-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-cyberark'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete cyberark indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-cyberark.*|so-cyberark.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-cyberark-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-cyberark'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-cyberark
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-cylance-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-cylance'].close %}
actions:
1:
action: close
description: >-
Close cylance indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-cylance.*|so-cylance.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

29
salt/curator/files/action/so-cylance-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-cylance'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-cylance
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

29
salt/curator/files/action/so-elasticsearch-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-elasticsearch'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-elasticsearch
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-endgame-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-endgame'].close %}
actions:
1:
action: close
description: >-
Close Endgame indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-endgame.*|so-endgame.*|endgame.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

26
salt/curator/files/action/so-endgame-delete.yml
View File

@@ -1,26 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-endgame'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Endgame indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-endgame.*|so-endgame.*|endgame.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-endgame-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-endgame'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-endgame.*|so-endgame.*|endgame.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

28
salt/curator/files/action/so-f5-delete.yml
View File

@@ -1,28 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-f5'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete f5 indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-f5.*|so-f5.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

30
salt/curator/files/action/so-f5-warm.yml
View File

@@ -1,30 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-f5'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-f5
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

30
salt/curator/files/action/so-firewall-warm.yml
View File

@@ -1,30 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-firewall'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-firewall
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

28
salt/curator/files/action/so-fortinet-close.yml
View File

@@ -1,28 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-fortinet'].close %}
actions:
1:
action: close
description: >-
Close fortinet indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-fortinet.*|so-fortinet.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

28
salt/curator/files/action/so-fortinet-delete.yml
View File

@@ -1,28 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-fortinet'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete fortinet indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-fortinet.*|so-fortinet.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

30
salt/curator/files/action/so-fortinet-warm.yml
View File

@@ -1,30 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-fortinet'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-fortinet
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

28
salt/curator/files/action/so-gcp-close.yml
View File

@@ -1,28 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-gcp'].close %}
actions:
1:
action: close
description: >-
Close gcp indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-gcp.*|so-gcp.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

28
salt/curator/files/action/so-gcp-delete.yml
View File

@@ -1,28 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-gcp'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete gcp indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-gcp.*|so-gcp.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

30
salt/curator/files/action/so-gcp-warm.yml
View File

@@ -1,30 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-gcp'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-gcp
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

28
salt/curator/files/action/so-google_workspace-close.yml
View File

@@ -1,28 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-google_workspace'].close %}
actions:
1:
action: close
description: >-
Close google_workspace indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-google_workspace.*|so-google_workspace.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

28
salt/curator/files/action/so-google_workspace-delete.yml
View File

@@ -1,28 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-google_workspace'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete google_workspace indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-google_workspace.*|so-google_workspace.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

30
salt/curator/files/action/so-google_workspace-warm.yml
View File

@@ -1,30 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-google_workspace'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-google_workspace
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

30
salt/curator/files/action/so-ids-warm.yml
View File

@@ -1,30 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-ids'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-ids
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

28
salt/curator/files/action/so-imperva-close.yml
View File

@@ -1,28 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-imperva'].close %}
actions:
1:
action: close
description: >-
Close imperva indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-imperva.*|so-imperva.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

27
salt/curator/files/action/so-imperva-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-imperva'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete imperva indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-imperva.*|so-imperva.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-imperva-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-imperva'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-imperva
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

29
salt/curator/files/action/so-import-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-import'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-import
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-infoblox-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-infoblox'].close %}
actions:
1:
action: close
description: >-
Close infoblox indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-infoblox.*|so-infoblox.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

27
salt/curator/files/action/so-infoblox-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-infoblox'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete infoblox indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-infoblox.*|so-infoblox.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-infoblox-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-infoblox'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-infoblox
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-juniper-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-juniper'].close %}
actions:
1:
action: close
description: >-
Close juniper indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-juniper.*|so-juniper.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

27
salt/curator/files/action/so-juniper-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-juniper'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete juniper indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-juniper.*|so-juniper.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-juniper-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-aws'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-aws
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

29
salt/curator/files/action/so-kibana-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-kibana'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-kibana
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

29
salt/curator/files/action/so-kratos-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-kratos'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-kratos
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

29
salt/curator/files/action/so-logstash-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-logstash'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-logstash
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-microsoft-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-microsoft'].close %}
actions:
1:
action: close
description: >-
Close microsoft indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-microsoft.*|so-microsoft.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

27
salt/curator/files/action/so-microsoft-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-microsoft'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete microsoft indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-microsoft.*|so-microsoft.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-microsoft-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-microsoft'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-microsoft
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-misp-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-misp'].close %}
actions:
1:
action: close
description: >-
Close misp indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-misp.*|so-misp.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

29
salt/curator/files/action/so-misp-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-misp'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-misp
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

29
salt/curator/files/action/so-netflow-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-netflow'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-netflow
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-netscout-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-netscout'].close %}
actions:
1:
action: close
description: >-
Close netscout indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-netscout.*|so-netscout.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

27
salt/curator/files/action/so-netscout-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-netscout'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete netscout indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-netscout.*|so-netscout.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-netscout-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-netscout'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-netscout
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-o365-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-o365'].close %}
actions:
1:
action: close
description: >-
Close o365 indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-o365.*|so-o365.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

27
salt/curator/files/action/so-o365-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-o365'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete o365 indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-o365.*|so-o365.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-o365-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-o365'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-o365
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-okta-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-okta'].close %}
actions:
1:
action: close
description: >-
Close okta indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-okta.*|so-okta.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

29
salt/curator/files/action/so-okta-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-okta'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-okta
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-okta.delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-okta'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete okta indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-okta.*|so-okta.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-osquery-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-osquery'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-osquery
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

29
salt/curator/files/action/so-ossec-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-ossec'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-ossec
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-proofpoint-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-proofpoint'].close %}
actions:
1:
action: close
description: >-
Close proofpoint indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-proofpoint.*|so-proofpoint.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

27
salt/curator/files/action/so-proofpoint-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-proofpoint'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete proofpoint indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-proofpoint.*|so-proofpoint.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-proofpoint-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-proofpoint'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-proofpoint
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-radware-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-radware'].close %}
actions:
1:
action: close
description: >-
Close radware indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-radware.*|so-radware.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

27
salt/curator/files/action/so-radware-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-radware'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete radware indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-radware.*|so-radware.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-radware-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-radware'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-radware
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

29
salt/curator/files/action/so-redis-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-redis'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-redis
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-snort-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-snort'].close %}
actions:
1:
action: close
description: >-
Close snort indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-snort.*|so-snort.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

27
salt/curator/files/action/so-snort-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-snort'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete snort indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-snort.*|so-snort.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-snort-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-snort'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-snort
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-snyk-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-snyk'].close %}
actions:
1:
action: close
description: >-
Close snyk indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-snyk.*|so-snyk.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

27
salt/curator/files/action/so-snyk-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-snyk'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete snyk indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-snyk.*|so-snyk.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-snyk-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-snyk'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-snyk
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-sonicwall-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-sonicwall'].close %}
actions:
1:
action: close
description: >-
Close sonicwall indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-sonicwall.*|so-sonicwall.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

27
salt/curator/files/action/so-sonicwall-delete.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['so-sonicwall'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete sonicwall indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-sonicwall.*|so-sonicwall.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:

29
salt/curator/files/action/so-sonicwall-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-sonicwall'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-sonicwall
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

27
salt/curator/files/action/so-sophos-close.yml
View File

@@ -1,27 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['so-sophos'].close %}
actions:
1:
action: close
description: >-
Close sophos indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(logstash-sophos.*|so-sophos.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:

29
salt/curator/files/action/so-sophos-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-sophos'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-sophos
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

29
salt/curator/files/action/so-strelka-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-strelka'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-strelka
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

29
salt/curator/files/action/so-syslog-warm.yml
View File

@@ -1,29 +0,0 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set WARM_DAYS = CURATORMERGED['so-syslog'].warm %}
actions:
1:
action: allocation
description: "Apply shard allocation filtering rules to the specified indices"
options:
key: box_type
value: warm
allocation_type: require
wait_for_completion: true
timeout_override:
continue_if_exception: false
disable_action: false
filters:
- filtertype: pattern
kind: prefix
value: so-syslog
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ WARM_DAYS }}

Some files were not shown because too many files have changed in this diff Show More