From dbba7d722634a40f5e73d9fc123343c276b83b4b Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Mon, 10 Jan 2022 11:31:41 -0500
Subject: [PATCH 1/3] Add ability to specify local backup dir

---
 salt/elasticsearch/init.sls | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index a7de1160e..ffdb8148a 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -24,6 +24,7 @@ include:
 {% set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
 {% set MANAGERIP = salt['pillar.get']('global:managerip') %}
+{% set ESMOUNT = salt ['pillar.get']('elasticsearch:extramount')%}
 
 {% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import'] %}
   {% set esclustername = salt['pillar.get']('manager:esclustername') %}
@@ -288,6 +289,9 @@ so-elasticsearch:
       - /opt/so/conf/elasticsearch/users_roles:/usr/share/elasticsearch/config/users_roles:ro
       - /opt/so/conf/elasticsearch/users:/usr/share/elasticsearch/config/users:ro
       {% endif %}
+      {% if ESMOUNT %}
+      - {{ ESMOUNT }}:/snapshots:rw
+      {% endif %}
     - watch:
       - file: cacertz
       - file: esyml

From 1c3eeb5a34d71f08757960828a9eb891087a2f47 Mon Sep 17 00:00:00 2001
From: weslambert <wlambertts@gmail.com>
Date: Mon, 10 Jan 2022 13:29:06 -0500
Subject: [PATCH 2/3] Fix typo -- replace period with comma

---
 salt/elasticsearch/templates/so/so-common-template.json.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/elasticsearch/templates/so/so-common-template.json.jinja b/salt/elasticsearch/templates/so/so-common-template.json.jinja
index 11871bfc6..c421e740e 100644
--- a/salt/elasticsearch/templates/so/so-common-template.json.jinja
+++ b/salt/elasticsearch/templates/so/so-common-template.json.jinja
@@ -397,7 +397,7 @@
             },
 	    "severity_label": {
               "ignore_above": 1024,
-              "type": "keyword".
+              "type": "keyword",
 	      "fields": {
                 "keyword": {
                   "type": "keyword"

From 84f7c6b13bc1753315031b7720f8efc8c1ca28d4 Mon Sep 17 00:00:00 2001
From: weslambert <wlambertts@gmail.com>
Date: Mon, 10 Jan 2022 16:08:35 -0500
Subject: [PATCH 3/3] Add event.acknowledged and event.escalated mappings

---
 .../templates/so/so-common-template.json.jinja   | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/salt/elasticsearch/templates/so/so-common-template.json.jinja b/salt/elasticsearch/templates/so/so-common-template.json.jinja
index c421e740e..b61f3764d 100644
--- a/salt/elasticsearch/templates/so/so-common-template.json.jinja
+++ b/salt/elasticsearch/templates/so/so-common-template.json.jinja
@@ -291,6 +291,14 @@
         },
         "event": {
           "properties": {
+	    "acknowledged": {
+              "type": "boolean",
+	      "fields": {
+                "keyword": {
+                  "type": "keyword"
+                }
+              }
+            },
             "action": {
               "ignore_above": 1024,
               "type": "keyword"
@@ -331,6 +339,14 @@
             "end": {
               "type": "date"
             },
+	    "escalated": {
+              "type": "boolean",
+	      "fields": {
+                "keyword": {
+                  "type": "keyword"
+                }
+              }
+            },
             "hash": {
               "ignore_above": 1024,
               "type": "keyword"