Merge pull request #3002 from Security-Onion-Solutions/feature/sigma-tweaks

Update .security analyzer

salt/elasticsearch/templates/so/so-common-template.json

@@ -12,18 +12,16 @@
       "analyzer": {
         "es_security_analyzer": {
           "type": "custom",
-          "filter": [ "path_hierarchy_pattern_filter", "lowercase" ],
+          "char_filter": [ "whitespace_no_way" ],
-          "tokenizer": "whitespace"
+          "filter": [ "lowercase", "trim" ],
-        },
+          "tokenizer": "keyword"
-        "es_security_search_analyzer": {
+        }
-          "type": "custom",
+      },
-          "filter": [ "lowercase" ],
+      "char_filter": {
-          "tokenizer": "whitespace"
+        "whitespace_no_way": {
-        },
+          "type": "pattern_replace",
-        "es_security_search_quote_analyzer": {
+          "pattern": "(\\s)+",
-          "type": "custom",
+          "replacement": "$1"
-          "filter": [ "lowercase" ],
-          "tokenizer": "whitespace"
         }
       },  
       "filter" : {
@@ -35,6 +33,12 @@
             "((?:[^/]*/)*)(.*)"
           ]
         }
+      },  
+      "tokenizer": {
+        "path_tokenizer": {
+          "type": "path_hierarchy",
+          "delimiter": "\\"
+        }
       }
     }
   },
@@ -67,13 +71,12 @@
               "type": "text",
               "fields": {
                 "keyword": {
+                "ignore_above": 32765,
                  "type": "keyword"
                },
                "security": {
                  "type": "text",
-                 "analyzer": "es_security_analyzer",
+                 "analyzer": "es_security_analyzer"
-                 "search_analyzer": "es_security_search_analyzer",
-                 "search_quote_analyzer": "es_security_search_quote_analyzer"
                }
              }
             }