CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add osquery templates

Browse Source
This commit is contained in:
Wes
2023-06-13 20:43:39 +00:00
parent bd7644a557
commit af003cc2a1
3 changed files with 222 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
salt/elasticsearch/defaults.yaml
View File

@@ -259,15 +259,34 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-osquery-manager: so-logs-osquery-manager-actions:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
- "logs-osquery*" - ".logs-osquery_manager.actions*"
template: template:
settings: settings:
index: index:
number_of_replicas: 0 number_of_replicas: 0
composed_of:
- "logs-osquery_manager.actions"
priority: 501
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-osquery-manager-action.responses:
index_sorting: False
index_template:
index_patterns:
- ".logs-osquery_manager.action.responses*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-osquery_manager.action.responses"
priority: 501 priority: 501
_meta: _meta:
package: package:

91
salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.action.responses.json Normal file
View File

@@ -0,0 +1,91 @@
{"template": {
"mappings": {
"properties": {
"completed_at": {
"type": "date"
},
"action_response": {
"properties": {
"osquery": {
"properties": {
"count": {
"type": "long"
}
}
}
}
},
"@timestamp": {
"type": "date"
},
"agent_id": {
"ignore_above": 1024,
"type": "keyword"
},
"action_id": {
"ignore_above": 1024,
"type": "keyword"
},
"count": {
"type": "long"
},
"started_at": {
"type": "date"
},
"action_input_type": {
"ignore_above": 1024,
"type": "keyword"
},
"error": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event": {
"properties": {
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
"type": "date"
}
}
},
"action_data": {
"properties": {
"saved_query_id": {
"ignore_above": 1024,
"type": "keyword"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"ecs_mapping": {
"type": "object",
"enabled": false
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

110
salt/elasticsearch/templates/component/elastic-agent/elastic-agent/logs-osquery_manager.actions.json Normal file
View File

@@ -0,0 +1,110 @@
{"template": {
"mappings": {
"properties": {
"pack_name": {
"ignore_above": 1024,
"type": "keyword"
},
"metadata": {
"type": "object",
"enabled": false
},
"data": {
"properties": {
"query": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"pack_id": {
"ignore_above": 1024,
"type": "keyword"
},
"input_type": {
"ignore_above": 1024,
"type": "keyword"
},
"pack_prebuilt": {
"type": "boolean"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"queries": {
"properties": {
"action_id": {
"ignore_above": 1024,
"type": "keyword"
},
"saved_query_id": {
"ignore_above": 1024,
"type": "keyword"
},
"saved_query_prebuilt": {
"type": "boolean"
},
"query": {
"type": "text"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"ecs_mapping": {
"type": "object",
"enabled": false
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"agents": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"agents": {
"ignore_above": 1024,
"type": "keyword"
},
"@timestamp": {
"type": "date"
},
"action_id": {
"ignore_above": 1024,
"type": "keyword"
},
"user_id": {
"ignore_above": 1024,
"type": "keyword"
},
"expiration": {
"type": "date"
},
"event": {
"properties": {
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
"type": "date"
}
}
},
"agent_ids": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}