diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml
index bce028235..952662600 100644
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -53,6 +53,7 @@ elasticfleet:
 - citrix_adc
 - citrix_waf
 - cloudflare
+ - cloudflare_logpush
 - crowdstrike
 - darktrace
 - elastic_agent
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 22da47337..ffb302977 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -3671,6 +3671,834 @@ elasticsearch:
 set_priority:
 priority: 50
 min_age: 30d
+ so-logs-cloudflare_logpush_x_access_request:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.access_request@package
+ - logs-cloudflare_logpush.access_request@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.access_request@custom
+ index_patterns:
+ - logs-cloudflare_logpush.access_request-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.access_request-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cloudflare_logpush_x_audit:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.audit@package
+ - logs-cloudflare_logpush.audit@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.audit@custom
+ index_patterns:
+ - logs-cloudflare_logpush.audit-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.audit-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cloudflare_logpush_x_casb:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.casb@package
+ - logs-cloudflare_logpush.casb@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.casb@custom
+ index_patterns:
+ - logs-cloudflare_logpush.casb-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.casb-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cloudflare_logpush_x_device_posture:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.device_posture@package
+ - logs-cloudflare_logpush.device_posture@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.device_posture@custom
+ index_patterns:
+ - logs-cloudflare_logpush.device_posture-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.device_posture-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cloudflare_logpush_x_dns:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.dns@package
+ - logs-cloudflare_logpush.dns@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.dns@custom
+ index_patterns:
+ - logs-cloudflare_logpush.dns-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.dns-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cloudflare_logpush_x_dns_firewall:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.dns_firewall@package
+ - logs-cloudflare_logpush.dns_firewall@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.dns_firewall@custom
+ index_patterns:
+ - logs-cloudflare_logpush.dns_firewall-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.dns_firewall-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cloudflare_logpush_x_firewall_event:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.firewall_event@package
+ - logs-cloudflare_logpush.firewall_event@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.firewall_event@custom
+ index_patterns:
+ - logs-cloudflare_logpush.firewall_event-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.firewall_event-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cloudflare_logpush_x_gateway_dns:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.gateway_dns@package
+ - logs-cloudflare_logpush.gateway_dns@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.gateway_dns@custom
+ index_patterns:
+ - logs-cloudflare_logpush.gateway_dns-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.gateway_dns-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cloudflare_logpush_x_gateway_http:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.gateway_http@package
+ - logs-cloudflare_logpush.gateway_http@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.gateway_http@custom
+ index_patterns:
+ - logs-cloudflare_logpush.gateway_http-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.gateway_http-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cloudflare_logpush_x_gateway_network:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.gateway_network@package
+ - logs-cloudflare_logpush.gateway_network@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.gateway_network@custom
+ index_patterns:
+ - logs-cloudflare_logpush.gateway_network-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.gateway_network-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cloudflare_logpush_x_http_request:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.http_request@package
+ - logs-cloudflare_logpush.http_request@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.http_request@custom
+ index_patterns:
+ - logs-cloudflare_logpush.http_request-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.http_request-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cloudflare_logpush_x_magic_ids:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.magic_ids@package
+ - logs-cloudflare_logpush.magic_ids@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.magic_ids@custom
+ index_patterns:
+ - logs-cloudflare_logpush.magic_ids-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.magic_ids-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cloudflare_logpush_x_nel_report:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.nel_report@package
+ - logs-cloudflare_logpush.nel_report@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.nel_report@custom
+ index_patterns:
+ - logs-cloudflare_logpush.nel_report-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.nel_report-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cloudflare_logpush_x_network_analytics:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.network_analytics@package
+ - logs-cloudflare_logpush.network_analytics@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.network_analytics@custom
+ index_patterns:
+ - logs-cloudflare_logpush.network_analytics-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.network_analytics-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cloudflare_logpush_x_network_session:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.network_session@package
+ - logs-cloudflare_logpush.network_session@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.network_session@custom
+ index_patterns:
+ - logs-cloudflare_logpush.network_session-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.network_session-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cloudflare_logpush_x_sinkhole_http:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.sinkhole_http@package
+ - logs-cloudflare_logpush.sinkhole_http@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.sinkhole_http@custom
+ index_patterns:
+ - logs-cloudflare_logpush.sinkhole_http-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.sinkhole_http-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cloudflare_logpush_x_spectrum_event:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.spectrum_event@package
+ - logs-cloudflare_logpush.spectrum_event@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.spectrum_event@custom
+ index_patterns:
+ - logs-cloudflare_logpush.spectrum_event-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.spectrum_event-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cloudflare_logpush_x_workers_trace:
+ index_sorting: false
+ index_template:
+ composed_of:
+ - logs-cloudflare_logpush.workers_trace@package
+ - logs-cloudflare_logpush.workers_trace@custom
+ - so-fleet_globals-1
+ - so-fleet_agent_id_verification-1
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cloudflare_logpush.workers_trace@custom
+ index_patterns:
+ - logs-cloudflare_logpush.workers_trace-*
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-cloudflare_logpush.workers_trace-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
 so-logs-crowdstrike_x_alert:
 index_sorting: False
 index_template:
@@ -3679,6 +4507,8 @@ elasticsearch:
 template:
 settings:
 index:
+ lifecycle:
+ name: so-logs-crowdstrike.alert-logs
 number_of_replicas: 0
 composed_of:
 - logs-crowdstrike.alert@package
@@ -3723,6 +4553,8 @@ elasticsearch:
 template:
 settings:
 index:
+ lifecycle:
+ name: so-logs-crowdstrike.falcon-logs
 number_of_replicas: 0
 composed_of:
 - logs-crowdstrike.falcon@package
@@ -3767,6 +4599,8 @@ elasticsearch:
 template:
 settings:
 index:
+ lifecycle:
+ name: so-logs-crowdstrike.fdr-logs
 number_of_replicas: 0
 composed_of:
 - logs-crowdstrike.fdr@package
@@ -3811,6 +4645,8 @@ elasticsearch:
 template:
 settings:
 index:
+ lifecycle:
+ name: so-logs-crowdstrike.host-logs
 number_of_replicas: 0
 composed_of:
 - logs-crowdstrike.host@package
@@ -8271,6 +9107,7 @@ elasticsearch:
 index_sorting: false
 index_template:
 composed_of:
+ - okta-mappings
 - logs-okta.system@package
 - logs-okta.system@custom
 - so-fleet_globals-1
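Review bot: The eighteen `so-logs-cloudflare_logpush_x_*` stanzas in this hunk differ only in the dataset name (the `composed_of`, `index_patterns` and `lifecycle.name` entries), while the 23-line `policy:` block is repeated verbatim each time, so any later change to rollover or retention has to be applied eighteen times and will drift. If this defaults.yaml is rendered through Jinja (not visible here), a single list of dataset names in a `for` loop would emit the same structure; otherwise anchoring the shared block once (`policy: &cloudflare_logpush_policy`) and aliasing it in the other stanzas keeps the rendered data identical. The crowdstrike stanza this hunk touches still spells `index_sorting: False` where the new stanzas use `false`; both parse as booleans, but lowercase is the canonical form and it would be worth normalizing while the stanza is being edited.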
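Review bot: `okta-mappings` is inserted as the first entry of the okta `composed_of` list, and Elasticsearch merges component templates in list order with the last one taking precedence, so any field that both `okta-mappings` and `logs-okta.system@package` define ends up with the package's definition. If the purpose of `okta-mappings` is to correct or override package mappings, it belongs after `logs-okta.system@package` (and before `logs-okta.system@custom`), which is also where the new cloudflare stanzas place their `@custom` overrides; if it only adds fields the package lacks, the position is harmless. The contents of `okta-mappings` are not in this diff, so treat this as a check rather than a confirmed defect.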
@@ -10775,6 +11612,8 @@ elasticsearch:
 template:
 settings:
 index:
+ lifecycle:
+ name: so-logs-trend_micro_vision_one.alert-logs
 number_of_replicas: 0
 composed_of:
 - "logs-trend_micro_vision_one.alert@package"
@@ -10819,6 +11658,8 @@ elasticsearch:
 template:
 settings:
 index:
+ lifecycle:
+ name: so-logs-trend_micro_vision_one.audit-logs
 number_of_replicas: 0
 ignore_missing_component_templates:
 - "logs-trend_micro_vision_one.audit@custom"
@@ -10863,6 +11704,8 @@ elasticsearch:
 template:
 settings:
 index:
+ lifecycle:
+ name: so-logs-trend_micro_vision_one.detection-logs
 number_of_replicas: 0
 ignore_missing_component_templates:
 - "logs-trend_micro_vision_one.detection@custom"
@@ -10907,6 +11750,8 @@ elasticsearch:
 template:
 settings:
 index:
+ lifecycle:
+ name: so-logs-trend_micro_vision_one.deep_security-logs
 number_of_replicas: 0
 ignore_missing_component_templates:
 - "logs-trendmicro.deep_security@custom"
diff --git a/salt/elasticsearch/files/ingest/zeek.ldap b/salt/elasticsearch/files/ingest/zeek.ldap
new file mode 100644
index 000000000..b7fef825a
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ldap
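Review bot: The fourth hunk sets `index.lifecycle.name` to `so-logs-trend_micro_vision_one.deep_security-logs` on a stanza whose component template is `logs-trendmicro.deep_security@custom`, i.e. a different integration name from the three Vision One stanzas above it, which reads like a copy-paste of the previous hunk. Elasticsearch accepts an `index.lifecycle.name` that points at a policy which does not exist, but ILM then reports an error for the index and never rolls it over or deletes it, so the name has to match exactly what is created for this stanza. Confirm which policy name the rest of the stanza produces (its `policy:` block is outside the hunk) and use `name: so-logs-trendmicro.deep_security-logs` if that is the one; the same name-versus-policy check applies to the four crowdstrike hunks earlier in this file.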
@@ -0,0 +1,25 @@
+{
+ "description": "zeek.ldap",
+ "processors": [
+ {"set": {"field": "event.dataset", "value": "ldap"}},
+ {"json": {"field": "message", "target_field": "message2", "ignore_failure": true}},
+ {"rename": {"field": "message2.message_id", "target_field": "ldap.message_id", "ignore_missing": true}},
+ {"rename": {"field": "message2.opcode", "target_field": "ldap.opcode", "ignore_missing": true}},
+ {"rename": {"field": "message2.result", "target_field": "ldap.result", "ignore_missing": true}},
+ {"rename": {"field": "message2.diagnostic_message", "target_field": "ldap.diagnostic_message", "ignore_missing": true}},
+ {"rename": {"field": "message2.version", "target_field": "ldap.version", "ignore_missing": true}},
+ {"rename": {"field": "message2.object", "target_field": "ldap.object", "ignore_missing": true}},
+ {"rename": {"field": "message2.argument", "target_field": "ldap.argument", "ignore_missing": true}},
+ {"rename": {"field": "message2.scope", "target_field": "ldap_search.scope", "ignore_missing":true}},
+ {"rename": {"field": "message2.deref_aliases", "target_field": "ldap_search.deref_aliases", "ignore_missing":true}},
+ {"rename": {"field": "message2.base_object", "target_field": "ldap.object", "ignore_missing":true}},
+ {"rename": {"field": "message2.result_count", "target_field": "ldap_search.result_count", "ignore_missing":true}},
+ {"rename": {"field": "message2.filter", "target_field": "ldap_search.filter", "ignore_missing":true}},
+ {"rename": {"field": "message2.attributes", "target_field": "ldap_search.attributes", "ignore_missing":true}},
+ {"script": {"source": "if (ctx.containsKey('ldap') && ctx.ldap.containsKey('diagnostic_message') && ctx.ldap.diagnostic_message != null) {\n String message = ctx.ldap.diagnostic_message;\n\n // get user and property from SASL success\n if (message.toLowerCase().contains(\"sasl(0): successful result\")) {\n Pattern pattern = /user:\\s*([^ ]+)\\s*property:\\s*([^ ]+)/i;\n Matcher matcher = pattern.matcher(message);\n if (matcher.find()) {\n ctx.ldap.user_email = matcher.group(1); // Extract user email\n ctx.ldap.property = matcher.group(2); // Extract property\n }\n }\n if (message.toLowerCase().contains(\"ldaperr:\")) {\n Pattern pattern = /comment:\\s*([^,]+)/i;\n Matcher matcher = pattern.matcher(message);\n\n if (matcher.find()) {\n ctx.ldap.comment = matcher.group(1);\n }\n }\n }","ignore_failure": true}},
+ {"script": {"source": "if (ctx.containsKey('ldap') && ctx.ldap.containsKey('object') && ctx.ldap.object != null) {\n String message = ctx.ldap.object;\n\n // parse common name from ldap object\n if (message.toLowerCase().contains(\"cn=\")) {\n Pattern pattern = /cn=([^,]+)/i;\n Matcher matcher = pattern.matcher(message);\n if (matcher.find()) {\n ctx.ldap.common_name = matcher.group(1); // Extract CN\n }\n }\n // build domain from ldap object\n if (message.toLowerCase().contains(\"dc=\")) {\n Pattern dcPattern = /dc=([^,]+)/i;\n Matcher dcMatcher = dcPattern.matcher(message);\n\n StringBuilder domainBuilder = new StringBuilder();\n while (dcMatcher.find()) {\n if (domainBuilder.length() > 0 ){\n domainBuilder.append(\".\");\n }\n domainBuilder.append(dcMatcher.group(1));\n }\n if (domainBuilder.length() > 0) {\n ctx.ldap.domain = domainBuilder.toString();\n }\n }\n // create list of any organizational units from ldap object\n if (message.toLowerCase().contains(\"ou=\")) {\n Pattern ouPattern = /ou=([^,]+)/i;\n Matcher ouMatcher = ouPattern.matcher(message);\n ctx.ldap.organizational_unit = [];\n\n while (ouMatcher.find()) {\n ctx.ldap.organizational_unit.add(ouMatcher.group(1));\n }\n if(ctx.ldap.organizational_unit.isEmpty()) {\n ctx.remove(\"ldap.organizational_unit\");\n }\n }\n}\n","ignore_failure": true}},
+ {"remove": {"field": "message2.tags","ignore_failure": true}},
+ {"remove": {"field": ["host"],"ignore_failure": true}},
+ {"pipeline": {"name": "zeek.common"}}
+ ]
+}
\ No newline at end of file
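Review bot: In the second script processor, `ctx.remove(\"ldap.organizational_unit\")` looks for a top-level key literally named `ldap.organizational_unit`, so the empty list created a few lines earlier is never dropped; the nested field has to be removed with `ctx.ldap.remove('organizational_unit');`. The renames for `message2.object` and `message2.base_object` both target `ldap.object` and, unlike the scripts, carry no `ignore_failure`, so a record that contains both fields aborts the pipeline at the second rename — either add `"ignore_failure": true` to that rename or give it a distinct target. Both scripts run with `"ignore_failure": true`, which means any Painless error (a null field, a regex rejected under `script.painless.regex.enabled`) silently produces events without `ldap.user_email`, `ldap.common_name` or `ldap.domain`; an `on_failure` that tags the event would make the missing enrichment visible to whoever tunes detections on these fields. The first script also writes `ldap.comment`, which the `ldap` mapping added to ecs/zeek.json in this commit does not declare.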
diff --git a/salt/elasticsearch/files/ingest/zeek.ldap_search b/salt/elasticsearch/files/ingest/zeek.ldap_search
new file mode 100644
index 000000000..2a625c319
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ldap_search
@@ -0,0 +1,9 @@
+{
+ "description":"zeek.ldap_search",
+ "processors":[
+ {"pipeline": {"name": "zeek.ldap", "ignore_missing_pipeline":true,"ignore_failure":true}},
+ {"set": {"field": "event.dataset", "value":"ldap_search"}},
+ {"remove": {"field": "tags", "ignore_missing":true}},
+ {"pipeline": {"name": "zeek.common"}}
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/templates/component/ecs/zeek.json b/salt/elasticsearch/templates/component/ecs/zeek.json
index 0b2d7dc37..b0617305e 100644
--- a/salt/elasticsearch/templates/component/ecs/zeek.json
+++ b/salt/elasticsearch/templates/component/ecs/zeek.json
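Review bot: This pipeline delegates to `zeek.ldap`, whose last processor is itself a `pipeline` call to `zeek.common`, and then calls `zeek.common` again on its own last line, so every ldap_search event passes through `zeek.common` twice — the first time with `event.dataset` still set to `ldap` by the sub-pipeline. Whether the double pass is harmless depends on `zeek.common` being idempotent and not branching on `event.dataset`, neither of which is visible here; moving the shared rename processors into a pipeline that does not call `zeek.common`, or dropping this file's own `zeek.common` call, removes the question. The sub-pipeline call also sets `"ignore_missing_pipeline":true` and `"ignore_failure":true`, so if `zeek.ldap` is absent or fails the search fields are never renamed and nothing is reported; at minimum an `on_failure` tag would surface that.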
@@ -834,6 +834,81 @@
 }
 }
 },
+ "ldap": {
+ "type": "object",
+ "properties": {
+ "message_id": {
+ "type": "short"
+ },
+ "opcode": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "result": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "diagnostic_message": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "version": {
+ "type": "short"
+ },
+ "object": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "argument": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "user_email": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "property": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "common_name": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "organizational_unit": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "domain": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "ldap_search": {
+ "type": "object",
+ "properties": {
+ "scope": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "deref_aliases": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "result_count": {
+ "type": "long"
+ },
+ "filter": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "attributes": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
 "modbus": {
 "properties": {
 "exception": {
@@ -1176,24 +1251,30 @@
 "type": "object",
 "properties": {
 "server_name": {
+ "ignore_above": 1024,
 "type": "keyword"
 },
 "version": {
 "type": "short"
 },
 "client_initial_dcid": {
+ "ignore_above": 1024,
 "type": "keyword"
 },
 "client_scid": {
+ "ignore_above": 1024,
 "type": "keyword"
 },
 "server_scid": {
+ "ignore_above": 1024,
 "type": "keyword"
 },
 "client_protocol": {
+ "ignore_above": 1024,
 "type": "keyword"
 },
 "history": {
+ "ignore_above": 1024,
 "type": "keyword"
 }
 }
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.access_request@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.access_request@custom.json
new file mode 100644
index 000000000..17319ab9f
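Review bot: `ldap.message_id` is mapped as `short`, but an LDAP messageID is a 32-bit integer and Zeek logs it as `int`, so any value above 32767 — routine on a long-lived connection that keeps incrementing the counter — fails to index and the whole document is rejected unless ignore_malformed is set; `"message_id": { "type": "integer" }` covers the protocol range. The `zeek.ldap` pipeline added in this commit also writes `ldap.comment`, which this `ldap` object does not declare, so that field is left to dynamic mapping and may be typed differently per index. `ldap_search.filter` is a `keyword` with `ignore_above: 1024`; a filter longer than that is kept in `_source` but becomes unsearchable, which is a poor fit for the one field analysts query most when reviewing directory enumeration, so consider a larger limit for that field specifically.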
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.access_request@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.audit@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.audit@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.casb@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.casb@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.casb@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
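Review bot: `host.ip`, `related.ip`, `destination.ip` and `source.ip` are mapped as `ip` with no `ignore_malformed`, so one value that does not parse as an address in an incoming Cloudflare event rejects the whole document at index time rather than just that field; for an externally produced feed, `"type": "ip", "ignore_malformed": true` (or the index-level `index.mapping.ignore_malformed` setting) is the safer default unless the package mapping is known to guarantee clean values, which this diff does not show. The same 36-line body is repeated byte-for-byte for the audit and casb templates on this line and for device_posture, dns, dns_firewall, firewall_event, gateway_dns, gateway_http, gateway_network, http_request, magic_ids, nel_report, network_analytics, network_session and sinkhole_http in the files that follow (all blob `17319ab9f`). One shared component template listed in every cloudflare stanza's `composed_of`, next to `so-fleet_globals-1`, would keep the sixteen copies from drifting and leave each `@custom` slot free for genuine per-dataset overrides.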
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.device_posture@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.device_posture@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.device_posture@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns_firewall@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns_firewall@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns_firewall@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.firewall_event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.firewall_event@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.firewall_event@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_dns@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_dns@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_dns@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_http@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_http@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_http@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_network@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_network@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_network@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.http_request@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.http_request@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.http_request@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.magic_ids@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.magic_ids@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.magic_ids@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.nel_report@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.nel_report@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.nel_report@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_analytics@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_analytics@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_analytics@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_session@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_session@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_session@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.sinkhole_http@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.sinkhole_http@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.sinkhole_http@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.spectrum_event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.spectrum_event@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.spectrum_event@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.workers_trace@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.workers_trace@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.workers_trace@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index a8b5f4b4c..1e3c6ec30 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -284,6 +284,27 @@ soc:
 - kerberos.service
 - kerberos.request_type
 - log.id.uid
+ '::ldap':
+ - soc_timestamp
+ - event.dataset
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - ldap.result
+ - ldap.common_name
+ - ldap.object
+ - ldap.opcode
+ '::ldap_search':
+ - soc_timestamp
+ - event.dataset
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - ldap.result
+ - ldap.object
+ - ldap_search.filter
 '::modbus':
 - soc_timestamp
 - event.dataset
@@ -1726,6 +1747,14 @@ soc:
 description: KERBEROS grouped by service
 query: 'tags:kerberos | groupby kerberos.service'
 showSubtitle: true
+ - name: LDAP
+ description: LDAP grouped by source ip and result
+ query: 'tags:ldap | groupby source.ip ldap.result'
+ showSubtitle: true
+ - name: LDAP_SEARCH
+ description: LDAP_SEARCH grouped by source.ip and filter
+ query: 'tags:ldap_search | groupby source.ip | groupby ldap_search.filter'
+ showSubtitle: true
 - name: MODBUS
 description: MODBUS grouped by function
 query: 'tags:modbus | groupby modbus.function'
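Review bot: The LDAP_SEARCH dashboard entry in the second hunk renders two separate one-column tables (`| groupby source.ip | groupby ldap_search.filter`) while its sibling LDAP entry two lines above renders one two-column table (`groupby source.ip ldap.result`), and the description "grouped by source.ip and filter" reads as the combined form; `query: 'tags:ldap_search | groupby source.ip ldap_search.filter'` would match both the description and the LDAP entry. The combined table is also the more useful one for triage, because it pairs each client with the filters it issued, which is what makes a single host running broad directory-enumeration filters stand out; two independent top-N lists lose that pairing. For the same reason the two descriptions should agree on `source.ip` rather than "source ip" in one and `source.ip` in the other.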
@@ -1956,6 +1985,12 @@ soc:
 - name: Kerberos
 description: Kerberos network metadata
 query: 'tags:kerberos | groupby kerberos.service | groupby -sankey kerberos.service source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby kerberos.client | groupby kerberos.request_type'
+ - name: LDAP
+ description: LDAP (Lightweight Directory Access Protocol) network metadata
+ query: 'tags:ldap | groupby source.ip | groupby destination.ip | groupby destination.port | groupby ldap.user_email | groupby ldap.property | groupby ldap.result | groupby ldap.common_name | groupby ldap.organizational_unit | groupby ldap.domain | groupby ldap.version | groupby ldap.object'
+ - name: LDAP_SEARCH
+ description: LDAP_SEARCH (Lightweight Directory Access Protocol) Search network metadata
+ query: 'tags:ldap_search | groupby source.ip | groupby destination.ip | groupby destination.port | groupby ldap_search.scope | groupby ldap.object | groupby ldap.domain | groupby ldap_search.filter'
 - name: MySQL
 description: MySQL network metadata
 query: 'tags:mysql | groupby mysql.command | groupby -sankey mysql.command source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows'
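Review bot: The LDAP hunt query never groups by `ldap.opcode`, although the `::ldap` column list added earlier in this change exposes that field and the query already groups by every other ldap.* column from that list; the opcode is what separates binds and searches from modify/add/delete operations against the directory, so `| groupby ldap.opcode` appended to the LDAP query line is the one aggregation an analyst would reach for first when hunting for directory writes. Both new entries also drop the `groupby -sankey source.ip destination.ip` pairing that the neighbouring Kerberos and MySQL hunts carry, so client-to-directory-server flows are not visualised for LDAP; adding `| groupby -sankey source.ip destination.ip` after `groupby source.ip` on both lines would keep the LDAP hunts consistent with their siblings.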